[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





     THE IT ROADMAP: AN OVERVIEW OF HOMELAND SECURITY'S ENTERPRISE 
                              ARCHITECTURE

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 8, 2003

                               __________

                           Serial No. 108-129

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

92-900              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                 Scott Klein, Professional Staff Member
                      Ursula Wojciechowski, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
Hearing held on October 8, 2003
Statement of:
    Cooper, Steven I., Chief Information Officer, U.S. Department 
      of Homeland Security
    Evans, Karen S., Administrator of E-Government and 
      Information Technology, Office of Management and Budget
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of
    Cooper, Steven I., Chief Information Officer, U.S. Department 
      of Homeland Security, prepared statement of
    Evans, Karen S., Administrator of E-Government and 
      Information Technology, Office of Management and Budget, 
      prepared statement of
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of

 
     THE IT ROADMAP: AN OVERVIEW OF HOMELAND SECURITY'S ENTERPRISE 
                              ARCHITECTURE

                              ----------                              


                       WEDNESDAY, OCTOBER 8, 2003

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:40 a.m., in 
room 2247, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam, Murphy, and Clay.
    Staff present: Scott Klein, professional staff member; Bob 
Dix, staff director; Ursula Wojciechowski, clerk; John Hambel, 
counsel; David McMillen, minority professional staff member; 
and Teresa Coufal, minority assistant clerk.
    Mr. Murphy [presiding]. Good morning. As you can tell, I'm 
not Mr. Putnam. His flight is delayed. He'll be here soon and 
I'll be starting off for him. A quorum being present, this 
hearing of the Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order.
    Good morning and welcome to today's hearing on a very 
important information technology initiative: The Department of 
Homeland Security's Enterprise Architecture. This morning the 
subcommittee will be examining the Department's release of its 
first enterprise architecture as well as how it aligns with the 
overall Federal Enterprise Architecture and E-Government 
strategy.
    Less than a year ago, on November 25, 2002, President Bush 
launched this enterprise architecture development process by 
signing into law the bill that combined part or all of 22 
Federal agencies into one Cabinet-level umbrella known as the 
Department of Homeland Security. As you may be aware, this 
consolidation is the largest reorganization of the Federal 
bureaucracy since our Defense Department and intelligence 
agencies were restructured over a half century ago.
    In addition to the challenges of consolidating and 
integrating the masses of disparate information technology 
systems to allow 22 agencies to function as a cohesive 
organization, the Department quickly discovered it had a 
critical and enhanced role to secure, analyze, and share 
important information across traditional agency boundary lines, 
including intergovernmentally.
    To achieve the Department's core mission, the need to 
interface and become interoperable with systems internally and 
externally quickly became a top priority. The Department 
inherited a collection of legacy systems for a variety of 
missions, from securing our borders to providing intelligence 
data identifying subjects of interest. Clearly the challenge 
was, and continues to be, an enormous exercise in collaboration 
that requires cooperation throughout the entire organization.
    In assessing the huge task it faced, the Department of 
Homeland Security discovered it operated more than 1,000 
servers and approximately 700 different applications, including 
more than 300 applications performing some variety of back-
office operations. Nearly 50 of those disparate applications 
have been functioning to prevent and respond to terrorist 
events.
    As we have seen during congressional debate and at 
hearings, the Department has faced tremendous challenges to 
become interoperable in unifying multiple field structures; 
blending the cultures of each agency and some 180,000 
employees; standardizing data to improve information sharing; 
and integrating both existing applications and IT. Needless to 
say, building an effective Department from 22 separate entities 
will require sustained leadership from both IT and other top 
managers to ensure the transformation of a diverse collection 
of agencies, programs, and missions into an integrated 
organization. Quite frankly, some have expected this 
transformation to simply occur overnight and fail to fully 
appreciate the magnitude of the effort required to achieve the 
integrated functionality necessary to operate in a 
collaborative manner. The IT challenge is only part of the 
equation, however; the success of that component is critical to 
the ultimate success of the transformation itself.
    The challenges that face the Department are both real and 
difficult, in fact, leading the General Accounting Office to 
designate the administration of the Department as a high-risk 
area. Foremost among those challenges is the Department's 
development and implementation of a coherent enterprise 
architecture to support its mission. Even the President's own 
homeland security strategy identifies, among other things, the 
need for an enterprise architecture as a necessary component to 
achieving the goal of the Department's systems interoperating 
effectively and efficiently.
    As I am confident our witnesses will convey today, an 
enterprise architecture is a very important step because it 
will help identify shortcomings and opportunities in current 
homeland security-related operations and systems, such as 
duplicative, inconsistent, or missing information.
    I also understand that as part of its enterprise 
development efforts, the Department has established working 
groups comprising State and local CIOs to ensure that it 
understands and represents their business processes and 
strategies relevant to homeland security. In addition, I 
understand that OMB, in its examination of DHS's overall IT 
program, an effort to identify redundant activities that might 
be candidates for consolidation and integration through the IT 
budget submission process, has taken an initial first step to 
evaluate DHS's component systems.
    Given the climate that exists in our world today and the 
imminent danger that confronts our Nation, there are justifiably 
huge expectations for the Department of Homeland Security. Many 
folks are insisting upon results, and today we will examine a 
significant step forward in producing those results. 
Truthfully, it is a remarkable achievement that we are here 
today, in such a short period of time by virtually anyone's 
measure, to unveil this critical information technology 
milestone at the Department of Homeland Security.
    This subcommittee has held 15 hearings during the 108th 
Congress focused on e-government, integration and consolidation 
of governmentwide functional IT systems, information privacy 
and cyber security. Development of an effective enterprise 
architecture at the Department will provide a detailed roadmap 
to address nearly all of the important IT issues examined this 
year by the subcommittee, including how DHS will configure its 
IT in such functions as grants management, geospatial 
information, HR and financial management systems, smart cards 
and biometrics, records management and the handling of 
personally identifiable information by government.
    In addition, this subcommittee's oversight activities on 
cyber security have made it abundantly clear that developing 
and adhering to an enterprise architecture is the most 
effective method of integrating information security solutions 
over the long term. Congress recognized the importance of EA in 
assessing risk and achieving secure systems through passage of 
the Federal Information Security Management Act, which requires 
agencies to consider security throughout the life cycle of a 
system. Consistent with today's architecture release, we will 
continue to press for cyber security solutions at the initial 
stages of systems development versus attempting to attach 
expensive, disparate solutions to the old processes and systems 
as an afterthought.
    Finally, on a broader scope, the subcommittee will review 
how this initial Department of Homeland Security roadmap aligns 
with the overall Federal Enterprise Architecture and E-
Government Strategy managed by the Office of Management and 
Budget. Accordingly, we are very pleased to be joined today by 
the distinguished CIO from DHS, Mr. Steve Cooper, and we 
welcome the brand new administrator for Information Technology 
and E-Government, Karen Evans, for her very first appearance at 
a congressional oversight hearing in her new position.
    I now yield to the gentleman from Missouri, the ranking 
member, Mr. Clay, for any opening remarks that he may wish to 
make.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    Mr. Clay. Thank you, Mr. Chairman, and thank you for 
calling this hearing. I also thank the witnesses for appearing 
before us today. Unfortunately, this morning is full of 
competing opportunities. The full Committee on Government 
Reform is downstairs holding a hearing on rebuilding Iraq, and 
I apologize for not being able to give this hearing my 
undivided attention.
    It wasn't that long ago that information policy in the 
Federal Government was about buying computers. People talked 
about information resource management, but what they really 
meant was buying computers and computer software. Congress 
believed that information policy was about getting the right 
information to decisionmakers at the time they had to make a 
decision. That concept was a part of the last rewrite of the 
Paperwork Reduction Act which was written in the early 1990's. 
These competing concepts have come together and been named 
enterprise architecture.
    Unfortunately, it took a few billion dollar mistakes at the 
IRS and the FAA before the executive agencies got it. When you 
strip away all of the jargon, the process of developing an 
enterprise architecture is about mapping the way an 
organization communicates and making sure those communications 
are timely and effective.
    Congress put together 22 agencies from nearly every 
Department in the government to create the Department of 
Homeland Security. The managers of the Department now have the 
task of making those agencies work together as a cohesive 
whole.
    The enterprise architecture is designed to be a roadmap for 
how that will happen. Like most maps, there are a variety of 
ways of getting from A to B. Some routes are more direct than 
others. Some are more expensive and some more educational. What 
really matters is how the Department chooses the route it will 
take. Implementing this transformation is about communication 
and cooperation. If the individuals and agencies within the 
Department lose sight of those goals, the process will fail and 
the Department will fail in its mission to protect the American 
public.
    If this transformation becomes bogged down in selecting 
which personnel system will be used or which payroll system or 
whether it runs on PCs or Sun Microstations, the process will 
fail.
    I look forward to our discussion today, and I hope our 
witnesses will proceed with a minimum of jargon. Thank you, Mr. 
Chairman.
    Mr. Murphy. Thank you, Mr. Clay.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    Mr. Murphy. I too hopefully will understand half of what is 
said. I will rely on you to understand the other half. Thank 
you for your leadership in this subcommittee.
    I ask now that the witnesses rise to be sworn in.
    [Witnesses sworn.]
    Mr. Murphy. Let the record show that both witnesses 
responded in the affirmative.
    I'd like to start by introducing our first witness for her 
5-minute opening statement, Karen Evans. On September 3, 2003, 
Karen S. Evans was appointed by President Bush to be 
Administrator of the Office of Electronic Government and 
Information Technology at the Office of Management and Budget. 
Ms. Evans replaces our good friend Mark Forman, and I 
understand she began as Administrator on Monday; and to her 
great fortune, 48 hours later she's testifying before Congress. 
I hope you've had time to prepare.
    Prior to joining OMB this week, Ms. Evans was Chief 
Information Officer at the Department of Energy and served as a 
vice chairman at the CIO Council, the principal forum for 
agency CIOs to develop IT recommendations. Previously she 
served at the Department of Justice as Assistant and Division 
Director for Information Systems Management.
    Ms. Evans, thank you for agreeing to serve in this 
important post. We are grateful for the work you're going to be 
doing, and we look forward to working closely with you and your 
staff. Welcome, and I yield 5 minutes for your opening 
statement.

STATEMENT OF KAREN S. EVANS, ADMINISTRATOR OF E-GOVERNMENT AND 
    INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

    Ms. Evans. Good morning, Mr. Chairman, Ranking Member Clay, 
and members of the committee. It is my pleasure to be here 
during my first week as the new administrator of the Office of 
Electronic Government and Information Technology at OMB. Thank 
you for the opportunity to discuss with the committee the steps 
the administration has undertaken and will continue to take to 
improve Federal IT management, particularly as it relates to 
our homeland security mission.
    Mr. Chairman, I know that under your leadership, this 
committee has been a forerunner in Congress on a number of 
critical IT issues such as enterprise architecture, e-
government and IT security. I look forward to working with you 
and the committee to make progress on our shared priorities. My 
remarks will focus primarily on the administration's Federal 
Enterprise Architecture [FEA] efforts as well as OMB's role in 
assisting the Department of Homeland Security in their 
enterprise architecture [EA] work.
    The development and implementation of the FEA is a key step 
toward achieving significant governmentwide improvement in the 
management of Federal IT resources. The FEA gives agencies a 
new way to describe, analyze, and improve how the Federal 
Government serves its citizens. By looking at the government's 
many lines of business, the citizen groups it serves, and the 
underlying tools and technologies, agencies will be better able 
to leverage resources while improving service delivery.
    We will be able to identify opportunities to eliminate 
redundant investments while improving integration of resources 
and information sharing across Federal agencies with State and 
local governments.
    This business focus framework will assist Federal agencies, 
OMB, and the Congress in improving the performance of the 
government. The outcome of our FEA efforts will be more 
citizen-centered, customer-focused government that maximizes 
technology investments to better achieve mission outcomes.
    The FEA also directly supports the development of 
individual agency's EAs by providing a framework for agencies 
to align their performance, business, data application and 
technology layers to the FEA.
    OMB has leveraged both traditional management and budget 
processes to ensure that the FEA is directly linked to and 
informed by each agency's EA and agency's IT investments. Each 
agency's EA must describe how they meet their missions through 
the use of people, business processes, data and technology, 
while each major IT investment request must detail how the 
investment is aligned with and supports the FEA and the agency 
EA.
    While it is essential for each agency to develop and 
implement an EA, nowhere is this more critical than for the 
Department of Homeland Security. Achieving effective homeland 
security will require IT investments that guarantee realtime 
information sharing to improve response time and 
decisionmaking. To meet these goals and assist in overcoming 
information sharing barriers, we require wise IT investments 
that support homeland security missions, enhance productivity 
and improve information sharing while providing for security 
and privacy.
    In his proposal for creating the Department over a year 
ago, the President highlighted the use of EA techniques. The 
President stated that the development of a single EA for the 
Department would result in elimination of duplicative and 
poorly coordinated systems that are prevalent in government 
today, and that we must fund homeland security missions based 
on an overall assessment of requirements rather than a tendency 
to find all good ideas beneficial to a separate unit's 
individual needs even if similar systems are already in place 
elsewhere.
    The merging of 22 previously separate agencies has resulted 
in DHS inheriting many redundant and overlapping IT systems and 
processes, nearly all designed to address individual programs. 
Both the FEA and the Department's EA will be instrumental in 
identifying opportunities for both reducing existing 
duplication and preventing new redundant investments.
    Throughout the fiscal year 2005 budget process, OMB will 
work with the Department to eliminate redundant and 
nonintegrated operations systems and processes for both IT 
infrastructure and mission areas. DHS's EA is indispensable to 
achieving these results.
    However, to be an effective tool, the EA must reflect 
organizational decisions made by the Department's leadership 
and be used by the entire Department and particular senior 
officials in mission and management in making all resource 
decisions.
    Tough but necessary investment decisions must be made on 
which systems and processes remain, which will be consolidated 
and which are eliminated.
    OMB will continue to oversee DHS's efforts to implement 
their EA, consolidate their IT investments and support and 
shepherd E-gov initiatives through both management and budget 
processes. Through the budget process OMB will assess all DHS 
major IT investments with a strong focus on planned integration 
and consolidation of overlapping systems.
    Additionally, through the President's Management Agenda, 
under the expanding electronic government score card, OMB will 
assess on a quarterly basis the Department's progress in their 
EA development and implementation as well as their IT 
consolidation activities.
    The administration will continue to work collaboratively 
across Federal agencies with Congress, State, and local 
governments and the private sector to strengthen information 
sharing in support of homeland security efforts. Both the FEA 
and DHS's EA are vital tools necessary to improve the 
management and performance of our homeland security missions. 
While we recognize the significant challenges facing DHS in 
consolidating the cultural and resource legacies of 22 
component agencies, we fully expect that DHS leadership will 
continue to build an integrated and interoperable structure.
    To ensure we successfully meet this goal, OMB will work 
with DHS leadership to ensure that their EA efforts, their 
integration of business processes and consolidation and 
elimination of redundant IT investments remains a top priority 
and is addressed in a timely manner.
    I look forward to working with the committee on our shared 
goals of improving the Federal Government's management of all 
its IT resources, including those related to homeland security. 
Thank you.
    Mr. Murphy. Thank you, Ms. Evans.
    [The prepared statement of Ms. Evans follows:]

    Mr. Murphy. Our second witness this morning is Steven I. 
Cooper, Chief Information Officer of the U.S. Department of 
Homeland Security. Prior to being appointed by the President to 
be the first CIO at the Department, Mr. Cooper served at the 
White House as a Special Assistant to the President for 
Homeland Security.
    Prior to Federal service, Mr. Cooper spent 20 years in the 
private sector, most recently as a CIO at Corning in New York. 
Previously he served as Director of IT for Eli Lilly & Co. in 
Indianapolis. He also held key IT management positions with 
CSC, Maxima, and CACI.
    Mr. Cooper, you certainly have been given a monumental 
task, and I know Members of Congress are looking forward to 
your candid views on this subject and the Department of 
Homeland Security. You may proceed.

STATEMENT OF STEVEN I. COOPER, CHIEF INFORMATION OFFICER, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Cooper. Thank you. Mr. Murphy and members of the 
subcommittee, I'm very pleased to appear before the 
subcommittee today. I want to thank the chairman and members of 
the subcommittee for giving me the opportunity to talk about 
the Department of Homeland Security's enterprise architecture 
efforts and initiative. I'm very pleased to announce to you 
that we have completed the first version of our target 
enterprise architecture and are already beginning to implement 
the objectives of our enterprise architecture transition 
strategy.
    The enterprise architecture will help DHS align information 
technology investments with its mission and business needs, 
help us improve data sharing and interoperability with its many 
information sharing partners and stakeholders that include 
other Federal agencies, State and local tribal governments and 
particularly the private sector responsible for our critical 
infrastructure.
    In my previous testimony, I discussed the vision and 
strategy of DHS and how that strategy must be supported by a 
disciplined capital planning and investment control process 
that is guided by a business-driven enterprise architecture.
    Our strategy identified major initiatives, such as 
information integration across the Federal, State and local 
government, private industries and citizens, common standards 
for electronic information sharing and integration, improved 
communications capability and interoperability and reliable 
public health information capability and sharing.
    The enterprise architecture captures this strategy and 
describes a target information management infrastructure that 
will be dramatically different from the one we have today, one 
that will provide timely, accurate, useful, and actionable 
information to all individuals who require it all the time.
    We have accomplished something we believe to be truly 
unique in the Federal Government. We have designed and 
delivered a comprehensive and immediately useful target 
enterprise architecture in less than 4 months. Our enterprise 
architecture is enabling us to make decisions now about our 
information technology investments, even as we continue the 
hard work of developing greater detail, reaching deeper to find 
more opportunities for consolidation and are beginning to 
develop new and improved mission support capabilities enabled 
by information technology.
    Now I'd like to kind of take everything we've done and see 
if I can summarize it in easy to understand jargon in less than 
a couple minutes.
    Mr. Murphy. Please.
    Mr. Cooper. First let me share some of the things that we 
found. First of all, we have inherited a ton of stuff. Most of 
it is categorized in some manner within the legacy organization 
that developed it.
    At that time everything was developed for the mission and 
capability of that specific legacy entity. For example, legacy 
Customs, legacy Immigration and Naturalization Service, Federal 
Emergency Management Administration and so forth.
    What we have to do and what we have already begun doing--
and we have our first release--is to basically step back and 
now take a look in the context of the Department of Homeland 
Security, how do all the parts and pieces fit together.
    The diagram that you have on your left, which isn't quite 
the eye test that you have on the right--and we'll get copies 
of these to the committee members--but on the left you 
effectively have a diagrammatic representation of the 
strategies, goals and objectives of the Department. We refer to 
it as our value chain, the same as you would find in any 
private sector corporation. It represents what we have to 
accomplish to secure the homeland and protect the lives and 
secure 286 million Americans. It's that simple.
    On the right, that single diagram which we labeled a 
sequencing diagram effectively represents all the work that 
we've done in this first release. Let me try to verbally 
describe what you see up there. First and foremost, the value 
chain in that left-hand diagram is represented across the 
center--the rough center of the diagram left to right. So those 
kind of blue-turning-to-gray rectangles are the mission, goals, 
and objectives of the Department. I'll give you an easy 
example. We talk about preventing incidents, disseminating 
information, preparing for incidents. God forbid something 
should happen, we have to respond to that incident and we have 
to recover from that incident. At the highest level, that's the 
goal of the Department related to terrorism.
    If we then begin to break that down, what we find is a 
lower-level category that aligns with that mission that we've 
labeled threat identification and management, to give you one 
example for illustrative purposes here.
    Below that horizontal grouping of rectangles the little 
teeny tiny print that none of us can read are basically all of 
the projects and initiatives that we found underway in the 
Department at this time.
    Now, what you can visually see is some of the columns have 
a whole bunch of projects, and some of them have very few or 
none. The first thing that that tells us is where we've got a 
whole bunch of them, they're basically in the same mission area 
and may provide an opportunity for integration and 
consolidation.
    Collectively, those projects represent somewhere on the 
order of about $2 billion in fiscal year 2004. So we're talking 
a pretty sizable capital investment.
    Our work then, if I continue the example of threat 
identification and management, I'm going to read these quickly, 
but you'll get the idea, OK, and some of these names you will 
recognize. CAPS 2, U.S. VISIT, SEVS, which is the Student 
Exchange and Visitor System, electronic surveillance system, 
FORCE, IDENT consolidated intelligence system, numerical 
integer intelligence system, cyber warning information, 
national warning system. You get the idea.
    There are about 16 major initiatives in this threat 
identification and management column, and one of our first 
orders of business is to understand how do they integrate, how 
do they overlap, if they overlap, and what can we do to both 
successfully deliver the mission capability represented by 
these applications but at the same time be respectful of the 
fact they represent a huge investment of taxpayer dollars. We 
don't want to be wasteful. We want to ensure homeland security, 
and we may have opportunities to both consolidate, deliver 
mission-capable, deliver accurate, useful and timely 
information and save money. That's our objective. We repeat 
that across every one of those columns. There's a significant 
amount of work to do.
    The pink stars or the lavender stars represent what we 
believe to be quick hits. Those are things we believe we could 
do very quickly, meaning within about a 6-month timeframe, to 
accomplish delivering mission capability, doing no harm to 
current mission capability in each of our inherited legacy 
environments, and at the same time begin some of the 
consolidation activity, integration activity.
    At this point in time let me stop, and I think Karen and I 
would both be delighted to answer questions of the committee.
    [The prepared statement of Mr. Cooper follows:]

    [GRAPHIC] [TIFF OMITTED] T2900.010 through T2900.021
    
    Mr. Murphy. Thank you both for your testimony. This shows a 
very complex system that needs to be smoothly integrated, 
because where there's all that complexity, there's also a lot 
of places that there are chinks in the armor, so to speak, that 
we make sure we resolve so no one sees those as vulnerable 
positions.
    Mr. Cooper, let me begin by questioning you at the bottom 
line. How will the enterprise architecture that you discuss 
contribute to the achievement of the overall mission of the 
Department of Homeland Security?
    Mr. Cooper. First and foremost, as I mentioned, the 
enterprise architecture captures and represents all of our 
mission capability. One of the first things that we recognize 
is that we have to basically understand what we have today 
before we can add new mission capability from an information 
technology enablement perspective.
    So the first immediate value is we know what we have, we 
know what we need to rationalize and stabilize from an 
infrastructure perspective, meaning we've got to have a stable 
platform before we can launch new capability. From that stable 
platform, which we anticipate will probably take us about 12 to 
24 months, the good news is that we deliver value along the 
way, so it's not an all-or-nothing proposition, but it will 
take us about 12 to 24 months to completely stabilize our 
infrastructure.
    We then can launch new mission capability along the way, 
but we can rapidly speed up, we can make wiser investments of 
how we want to achieve new capability. We can understand where 
we are lacking support for some of our mission capability. We 
can identify that immediately, as I mentioned, by showing 
basically the white space in our enterprise architecture.
    Mr. Murphy. As a followup there, when you talk about things 
you can do within the first 6 months, are those things you can 
do within the first 6 months because they are relatively more 
simple to change or because those are high priorities?
    Mr. Cooper. Both.
    Mr. Murphy. Let me follow up by asking you to describe for 
this subcommittee how a comprehensive architecture will produce 
a Department that is more efficient, productive and cost 
effective. I think you're talking about $2 billion worth of 
programs here.
    Mr. Cooper. Exactly. You had already mentioned in fact in 
your opening remarks that we've identified, for example, over 
300 information technology solutions and applications that are 
what we call back-office in nature. They represent the 
functions around human resources, finance, budgeting, 
procurement acquisition capability.
    While I can't argue that necessarily one or two is the 
right answer, I can tell you 300 is not the right answer. All 
right.
    So one of the things that we can immediately do, and we 
have now identified these, we can immediately begin to stop or 
not continue some of the redundant applications, guided by the 
principle of doing no harm. We need to make informed decisions 
about where we stop, and we will do that. We'll do it conjoint 
with OMB. We'll do it with this committee and with Congress as 
appropriate. But we can begin to move from many, in this case 
300, down to some sizable, manageable number. That enables us 
to take the savings that we will achieve in this integration 
and consolidation and apply that to other areas of need. The 
idea would be hopefully that our efforts do not cost additional 
money, but rather we are able to redirect where we invest.
    Mr. Murphy. Let me follow up with that. You're going to 
integrate 22 agencies through all this. So I mean, what is the 
real effect going to be on DHS in accomplishing its overall 
mission of utilizing your enterprise architecture here, getting 
these 22 agencies together?
    Mr. Cooper. Let me give a couple more specific examples in 
the mission area. The principle that we're after is basically 
to simplify our environment. OK. We want to make things less 
complex, but at the same time deliver mission capability.
    In the mission space we've already identified areas of 
opportunity. One I shared with you around threat identification 
and management. Another one that we've begun to do work in is 
identity credentialing. We have several applications underway 
that deal with the identification of people and how they are 
documented, how that documentation is then authenticated.
    By first identifying all these different initiatives, we 
can take a look at where they overlap, we can begin to bring 
multiple project teams that began in their legacy environments, 
meaning the Coast Guard had different initiatives underway, the 
Secret Service had different initiatives underway, legacy 
Customs, legacy INS, all had appropriate to their mission 
initiatives underway. By bringing those teams together and by 
having them work with one another, we accomplish a couple very 
important things.
    First of all, we rapidly integrate the actual functionality 
to deliver mission capability of the Department. We now have 
people with expert skills in this area or other areas working 
so that we speed up the process by which 190,000 people begin 
to know who to talk to and who to collaborate with inside the 
Department. Extremely important and extremely valuable for us 
to do that as quickly as we can.
    The second thing, we begin to leverage that expertise. Each 
one of those experts brings their expertise and their 
perspective from the objective that they previously operated 
in, their previous operating environment. By sharing we benefit 
as a Department because now we have a broader perspective.
    The United States benefits because we now are bringing many 
experts to bear on common problems, and we can do it faster. 
Hopefully we can do it less expensively, and we can achieve a 
result that is basically greater than the sum of the parts.
    Collaboration, knowledge management, identity 
credentialing, intelligence information, integrated case 
management are all other examples of areas of activity that 
we're bringing collective project teams and initiatives 
together.
    Mr. Murphy. You were talking about the legacy and what 
appears to be redundancy, but are these functions that 
different from one another, or are they going to want to 
preserve some of their turf on how they handle this?
    Mr. Cooper. Well, let me answer in two parts. First of all, 
from a process and functionality standpoint, there is overlap. 
Let's take something like the identification of people who 
might be a threat to the United States. We can do the same 
thing with the identification of cargo, in tracking cargo 
before it reaches our ports of entry. Secretary Ridge has 
announced that is our Smart Border Initiative.
    In both of those cases there clearly are aspects of each of 
those processes that we want to retain within the inherited 
legacy environment, but there are also aspects that we 
absolutely want to share.
    Now, the second part of the question about are there 
cultural objectives to overcome, candidly I would tell you, 
yes, there are. We have some parts of the Department that have 
a 200-year-plus very rich history and legacy of tradition and 
honor and service to America. We don't want to do away with 
that. We don't want it to disappear. This is about change. This 
is about organizational change. This is about people 
understanding how do I continue to have a valued role in a new 
working environment, which is now the Department of Homeland 
Security. That's tough. It requires each of the individuals 
involved to understand how they have to contribute in a new 
role. It does require some very hard work with regard to 
organizational entities and how those entities cooperate and 
work together.
    Mr. Murphy. So how confident are you that the content of 
this whole EA program has sufficient depth and scope to address 
the intended purposes here?
    Mr. Cooper. At the moment it does not have sufficient 
depth. What we explained and what I shared in my testimony back 
in the April timeframe was that we will continue--this is a 
living, breathing type of initiative. It's dynamic. We will 
continue, and have already begun on effective release of two of 
our enterprise architecture. That is, to continue the work that 
has begun and now push it both down in level of detail and fill 
in some of the gaps, some of the white space that you see that 
we weren't able to address adequately in our initial 4 months.
    I am very confident that the process of enterprise 
architecture as defined by OMB and as now applied by DHS will 
deliver all of the level of detail granularity, understanding, 
business goals, business-driven linkage that we will need. It 
will take us a little bit more time to fully populate the 
enterprise architecture, but the important message is we are 
using our enterprise architecture now to make decisions about 
IT investment. We will continue to do that, as it becomes more 
robust.
    Mr. Murphy. Ms. Evans, I know it's Wednesday and you pretty 
much have to grasp the entire program you've inherited Monday, 
but actually I wonder if you could also comment on OMB's 
perception of this. How and when do you think you'll have a 
grasp of the sufficient scope and depth of this EA program from 
OMB's perspective?
    Ms. Evans. Well, the only perspective--and a preliminary 
review of the Department of Homeland Security's EA efforts, we 
believe is really very encouraging. We are pleased that they 
have identified a current state enterprise architecture as well 
as a target state and a transition plan. We are also very 
encouraged with the clear linkage that they have to the Federal 
Enterprise Architecture efforts as well as their commitment to 
a component-based approach for application and integration.
    What we will be evaluating as we go forward are the 
investment decisions that they are now making, and it will be 
reflected in the President's budget for the fiscal year 2005 
budget.
    Mr. Murphy. One thing that certainly struck us with this 
new Department is it's not the same kind of discussions held 
back in the 1790's when forming departments to begin with, but 
part of where we are now is we're looking at evaluation metrics 
and how one will put some things in place to evaluate what is 
going on.
    Mr. Cooper, what is being put in place?
    Mr. Cooper. We use two high-level metrics, kind of from the 
startup of the Department, because obviously we hadn't had a 
chance to get together. We hadn't had a chance to get guidance 
from the Secretary and business leadership yet, but we 
immediately put two metrics in place. One was speed to market 
or cycle time. OK. We set that as a metric, because we felt 
that it held value almost across every business process of the 
Department. If there are activities that we can do, if we can 
take out non-value-added work in our business processes to 
reduce the time, for example, that critical information, 
homeland security-sensitive information gets from its source to 
sworn law enforcement officers as an example, then in fact we 
are moving to increase the security of the United States.
    The second metric that we have applied thus far is the 
quality of the information that's used wherever it's used 
throughout the Department. By focusing on cycle time, speed, 
and quality of information----
    Mr. Murphy. Those are the metrics you're using?
    Mr. Cooper. Those are the two metrics that we're using 
right now, OK. We felt that immediately added value. What we 
intend to do and what we've begun now, as we now continue the 
in-depth work and based upon the data that we've gathered thus 
far, we now can begin to actually attach specific performance 
metrics to each of the mission areas of the Department.
    So, for example, if we look at the cargo area, we can 
actually now begin to use the information gathered to determine 
an easy one: how many containers that we believe might hold 
risk are inspected. OK. Today that percentage is not very high. 
It isn't that we want to move to 100 percent inspection, but we 
want to move to 100 percent of those where we believe there is 
sufficient risk or the informed information we have leads us to 
believe that we ought to inspect that container.
    Mr. Murphy. Are you talking about imported containers?
    Mr. Cooper. Yes. In that example, imported containers.
    Mr. Murphy. But what about packages shipped within this 
country as well?
    Mr. Cooper. Again, as appropriate, what we would want to do 
is use the enterprise architecture information that we gather--
remember, the information is gathered from subject matter 
experts in all of our business areas. This isn't an IT 
activity, an information technology activity. It's a business-
driven activity. So by participation of the business experts in 
each of the component areas, they are the folks who then in a 
facilitated manner can determine here are the performance 
metrics that we want to use.
    One of the questions that we have in the Department that 
we're working toward is how do you measure the success of the 
Department--is it as simple as no terrorist incidents, or is it 
more complex--so that we understand kind of the correlation and 
cause effect of the activities taken by the Department to 
prevent any type of incident. We believe it's the latter.
    Mr. Murphy. Are you working with private business in the 
same aspect too? Are we talking about just intragovernment 
agencies here? You talked about 22 agencies. Let's look at 
packaging from the shipping companies from the Postal Service, 
UPS, FedEx, coordinating with those efforts as well.
    Mr. Cooper. Absolutely. Now, in that particular example 
that you gave, we have a major initiative underway that you may 
be aware of called ACE. If I translate the acronym, it's 
basically the former Customs modernization effort which is now 
Customs and Border Protection. That initiative we are working 
directly with private industry. In fact, there is a supporting 
network, the trade support network, that is comprised--I 
believe its membership at any given point in time represents 
about 150 private sector entities and associations. They 
actually work directly with Customs and Border Protection to 
determine requirements, and those requirements then move 
through a release management process. They are vetted both 
internally by the Department and with our industry partners to 
determine the priority, the sequencing, cost, business 
advantage, that type of thing, such that they then drive 
additional capability that appears in subsequent releases in our 
modernization effort.
    We are doing a similar type of thing in many areas of the 
Department. We recognize the responsibility that the Department 
has to both partner with and draw upon the private sector, for 
we view them as stakeholders, we view them as customers, we 
also view them as important suppliers of a lot of the solution 
sets that we need to put in place.
    Mr. Murphy. For both of you, can you give some immediate 
uses, benefits? And when can we expect to see some concrete 
results as a result of this whole transition?
    Ms. Evans. As it relates to DHS, this particular effort?
    Mr. Cooper. Oh, I shouldn't have put you on the spot, 
should I?
    Ms. Evans. That's OK. I would like to say that as I move 
forward, given that this is my 3rd day, the way that we're 
moving forward with this so that you can--and I'd like to come 
and really speak more specifically to this--is that we intend 
to evaluate DHS going forward through the budget process and 
ensure that they continue on that progress through the score 
card initiative that OMB has, the President's management agenda 
score card. But we're working with DHS, just as we work with 
all the agencies, so that they really can realize the 
potentials and the results of their efforts as they move 
forward and make those decisions using the enterprise 
architecture.
    Mr. Cooper. Let me give you one example that's not quite as 
glamorous, that's not quite as sexy as some of the things that 
we get involved in, but it's critically important, and it deals 
with records management and document management. OK. One of the 
things that we have recognized--and with headquarters when we 
stood up a new headquarters, there was nothing, there was no 
legacy anything that we inherited. Our enterprise architecture 
helped us identify existing records management capability, 
existing document capability that we could immediately draw 
upon and begin to apply at the headquarters level. So while not 
very glamorous, it's a very real example where rather than 
going out and reinventing the wheel and rather than reaching 
out and saying, oh, we have this need in a vacuum, we'll just 
go ahead and move forward in this direction, we actually use 
the enterprise architecture to draw upon expertise and 
understanding what we already had available inside the 
Department.
    Mr. Murphy. I yield to Mr. Clay for some questions.
    Mr. Clay. Thank you, Mr. Chairman.
    Mr. Cooper, this enterprise architecture document is quite 
lengthy. At the same time it does not address what many experts 
say is the most important variable in any merger: agency 
culture. The culture at the Secret Service and in the former 
Federal Emergency Management Agency could hardly be more 
different. How will you address these cultural differences in 
implementing this enterprise architecture plan?
    Mr. Cooper. One of the things the Secretary has clearly 
stated is that we want to respect and retain the cultures and 
the traditions of the entities that now comprise the Department 
of Homeland Security. The value of our enterprise architecture 
in one sense is that it actually is an objective way to take 
some of the emotion out of some of the cultural aspects of how 
we come at things. Each of us brings our own perspective to 
bear on any type of problem or any type of challenge that all 
of us face in our professional careers or within our roles and 
responsibilities.
    The enterprise architecture being devoid of emotion 
actually can objectively document here's the process that we 
are trying to deal with or trying to automate or trying to 
improve. Everybody can see it. Everybody can see themselves and 
their perspective in our documentation of that process.
    Second, we clearly document this is the information that is 
needed, both as input to that process and perhaps produced by 
any particular process within the Department. All right. We can 
agree factually on what information is needed, what information 
comes out, what information flows through the process, who 
needs to receive that information, when do they need to receive 
it, in what form do they need to receive it. All right.
    By kind of breaking this down step by step, we don't 
eliminate or negate culture, but we allow all of us to have a 
common frame of reference with which we can bring the best that 
all of us have to bear on the appropriate problem.
    We then can step back and again in the same objective 
manner collectively reach consensus around, now, how do we want 
to automate the process and the delivery of information.
    Mr. Clay. All right. And in practice that's working.
    Mr. Cooper. In practice we're underway.
    Mr. Clay. Let me ask you, it's my understanding that this 
is just version 1 of the architecture and that you expect to 
develop subsequent versions in the future. What does this 
version represent, and what will it allow you to do?
    Mr. Cooper. OK. This version represents--think of it this 
way. We're starting top down, meaning we started with the 
National Strategy for Homeland Security. It's pretty high 
level. It's a pretty macro type of strategy. We're trying now to 
push the level of detail down in terms of functional 
responsibility, in terms of business processes that carry out 
the mission, in terms of the information that supports all of 
these business processes; but I've given some very real 
examples that we have begun to identify even in this first 
release. So there are things that we can do, documentation 
management being one. OK. Those little pink stars, which even I 
admit I can't read from here at the table, but if I got up and 
ran around there, so those pink stars represent about a dozen 
very real opportunities that we can act on right now.
    Now, the banding which most of you can see, the darker blue 
at the bottom, represents about a 6 to 12-month timeframe. That 
lighter green as you move up the chart represents about a year 
to 2 years, and then that lightest color at the very top 
represents about a 2-plus-year timeframe. OK. And you'll see 
those little colored boxes out there.
    So even in this first pass, even in just the 4 months of 
work, we actually have begun a roadmap that says here are the 
things that we can do in each of these timeframes to add real 
value in the respective timeframes.
    Mr. Clay. What will--that takes me to the next question. 
What will version 2 add to this architecture? When will we see 
it, and what will version 2 allow you to do that cannot be done 
within this version?
    Mr. Cooper. OK. What we don't have here is all of the level 
of detail about how the processes actually operate and some of 
the lower level details, meaning some of the activities and 
tasks of how the processes are actually carried out. That will 
come in subsequent releases, meaning we'll continue to 
populate, we'll add more detail.
    That work becomes more tedious, it's a little bit more 
time-consuming, so we don't--the first 4 months we kind of--
think of it this way. We went kind of about an inch deep and a 
mile wide. All right. Now subsequent releases, we start going 
deeper and deeper and deeper. So the breadth of each release 
may be less, but it's greater detail. That enables us to 
actually understand in more detail and make more definitive 
decisions about how information actually fits together; where, 
for example, might we source once in the entire Department 
information about employees for human resources purposes, 
information about cargo for use by all business processes that 
must use cargo information. OK. Visa information, for example, 
we might with this additional detail--we could determine how do 
we source it once, meaning capture it once, reuse it many times 
across the Department.
    Mr. Clay. Thank you for your response.
    Ms. Evans, one of your stellar achievements at the 
Department of Energy was the contract with Oracle that 
incorporated security into the software contract. I'm 
interested to learn of your plans to expand this program. Do 
you expect this to become a feature of the Smart Buy Program?
    Ms. Evans. First, I'm very proud to speak about that 
particular effort at Energy. What we really did was leverage 
our business requirements and work that into the contract so 
that we could ensure that what we needed to do at the 
Department really move forward to ensure our cyber posture. It 
is my intention to bring that feature where it is applicable to 
the smart buy activities. It was applicable in this particular 
case given this type of software and the applications that the 
Department was doing to incorporate that into the contract. Not 
necessarily all efforts that will be going through the smart 
buy would necessarily need to have that type of feature, but it 
is my intention to ensure that feature in support of the 
national cyber security strategy is incorporated into the smart 
buy activity.
    Mr. Clay. Wonderful. Wonderful. Let me also ask you, as the 
Federal CIO you face many of the same problems that Mr. Cooper 
faces, but your job of defining a common mission is even 
greater than that faced by Mr. Cooper. Creating common 
enterprise architectures across the Federal Government is a 
formidable task.
    Do you have any recommendation for Mr. Cooper as he tackles 
this task at the Homeland Security Department?
    Ms. Evans. And that is the big question.
    Mr. Clay. I realize you're new here but----
    Ms. Evans. That's OK, and actually I really believe that as 
my esteemed colleague moves forward and as I move forward with 
my role changing, that the enterprise architecture--and you 
really did hit on the issue, which is it really does facilitate 
communications on all levels throughout all management in 
government, and that this effort really is about leadership 
with partnership. And so I really am approaching this going 
forward as it's a partnership between the agencies, with 
Congress, with private industry, State and local government, 
and so that we can provide that so that the result of the 
architecture efforts and the resulting investment decisions 
will really benefit the country as a whole. And I make that 
recommendation to Mr. Cooper as I do all my fellow CIOs.
    Mr. Clay. Thank you for that response.
    And thank you, Mr. Chairman, and so good to see you.
    Mr. Putnam [presiding]. Thank you, sir. It is good to be 
here. The airline gods have been working against me all day. 
Got a baby due at home and fog at National Airport. So between 
that I have been to Richmond and back and refueled and all that 
fun stuff.
    And I want to apologize to the two of you for being late. I 
am glad we are able to move forward.
    Ms. Evans, I want to take the opportunity to welcome you to 
your new position and thank you for your time and attention to 
this subcommittee. Your predecessor, Mr. Forman, was a frequent 
flyer with our subcommittee, and we have reason to believe that 
you will be as open and accessible and available as he was; and 
we are delighted to see you in that role and look forward to 
working with you in the future.
    And, Mr. Cooper, we don't envy the position you have of 
assimilating all of the different systems and agencies and 
cultures that you face. And we look forward to being partners 
in that effort to bring about the change that I think everyone 
in Congress envisioned when supporting the creation of the new 
department, and work together to make that a seamless 
transition for the best interests of homeland security and the 
taxpayer.
    If I may, I will continue with some of the questioning that 
Mr. Clay and Mr. Murphy have begun. Ms. Evans, I am curious how 
OMB, how aggressively you intend to enforce compliance with the 
Federal Enterprise Architecture. That is an area that certainly 
is a responsibility that is on your shoulders. And some is on 
Congress' shoulders to stand by this and be tough, but I would 
like to hear your thoughts on your ways to enforce compliance.
    Ms. Evans. Well, it is the intention of OMB and through the 
budget guidance that was issued this year to the agencies to 
align their architecture efforts with the FEA. That is our 
intention through the management processes and the budget 
processes that exist that we will assist the departments in 
ensuring that alignment is there and that the architecture is 
used for business investment decisions.
    Mr. Putnam. Have any discussions taken place within the 
agency about holding up spending and working with the 
appropriators to make sure that is not bypassed?
    Ms. Evans. Since this is my 3rd day, I would like to take 
that one back to find out specifically what the details are. 
Because I do know there are ongoing efforts within OMB, but I 
would like to get back to you about exploring that opportunity 
of how we can partner and be able to ensure that these 
investments, especially where DHS is concerned, are made 
wisely.
    Mr. Putnam. I appreciate that, and that is a discussion we 
need to have because it is important that somebody be the bad 
cop; and it's important that the communication take place with 
Congress to make sure there is not an end run, and we don't 
undermine your efforts on one hand or allow somebody to back-
door those efforts. And I'll take that answer as the answer to 
my next question also, which was, how are we going to 
incorporate each individual agency's enterprise architecture 
into the overall plan and link that into their IT budget 
submissions?
    So if you would like to elaborate on that, you can.
    Ms. Evans. Primarily, it will be using the existing 
processes that are in place by managing the management 
processes we have in place and the budget process. Progress 
guidance and--is issued through the budget process. However, 
ensuring that progress is made is happening through the 
quarterly scorecard reviews that each agency has through the 
President's management agenda, more specifically the expanding 
E-Government Initiative. There are specific milestones that we 
do work with each agency to ensure that they make that progress 
and that they are aligned.
    Mr. Putnam. Well, it is important to make sure that the 
existing management processes are enforced, but I think 
personally, based on the information we've collected from 
previous hearings, that there may be additional processes 
required, because there have been some breakdowns in the 
current processes that didn't work. If you look at the smart 
card programs or some of the other things that we are trying to 
tear down, stovepipes on the left hand, and the right hand is 
building them back up. And that's a discussion that will be 
ongoing, without a doubt.
    In July, we held a hearing to review the efficiencies 
associated with consolidating and integrating the functional 
business systems, particularly HR, finance data, criminal 
investigations and so forth. And you have mentioned, each of 
you, in your testimony some quick-hit IT investments that you 
plan to pursue.
    Could you expand on that? And I will begin with Mr. Cooper.
    Mr. Cooper. We can. One of the things that our enterprise 
architecture, even our early work in this Release 1, helped us 
to begin to understand was that in some critical mission 
areas--and I mentioned this before you joined us, so let me 
quickly repeat these key category areas.
    These are labels. These are just working labels inside the 
Department that help us categorize things, but we talked about 
a family of applications related to identity credentialing. We 
talked about a family of applications and issues relating to 
risk and threat assessment.
    Another family related to intelligence information: how we 
gather and produce information, intelligence products, use them 
within the Department, move appropriate level of secure, 
classified and unclassified information out to the various 
stakeholders and constituents that need that information; 
integrated case management, collaboration, knowledge 
management, information presentation, data visualization, those 
types of things.
    Those are all families we identified as areas of 
opportunity for consolidation, potential areas, OK? We are not 
automatically saying that everything becomes one, but by using 
our enterprise architecture and linking it to our investment 
process, we were able this year, even in the short period of 
time of the standard for the Department, we have actually 
written and submitted to OMB consolidated exhibit 300's.
    Rather than having, for example, 20-some independent 
projects and/or applications move forward, each with its own 
business case and justification to OMB, we wrapped them 
together and said, wait a minute, these are all the same 
family; let's write a consolidated business case, let OMB know 
that our intention is not to violate any rules or regulations 
or laws or anything, but our intention is to look at these 
holistically and ask OMB, help us do this. OK?
    The same request would come to this committee and to the 
appropriate committees of Congress to say, hey, look, allow us 
the opportunity to take this type of look.
    One of the challenges in doing this is that many of the 
initiatives that are under way are--the funding is appropriated 
independently. So we need to cooperate, we need to collaborate 
to do the right thing. It's going to take all of us working 
together to appropriately integrate and consolidate.
    Mr. Putnam. But before we go to Ms. Evans on that, do you 
have the flexibility that you need? In a herd of horses, DHS is 
clearly a zebra. I mean, you are a new creature, recently 
developed by the Congress, trying to amalgamate all these 
different agencies, different systems, different legacy 
systems, different HR systems, different applications.
    Do you have the ability in the existing statutory framework 
and OMB or internal executive branch framework to do the things 
you need to do, to move people around, move resources around to 
assimilate those systems?
    Mr. Cooper. Thus far, I believe we do. Understand, of 
course, we're doing it as I give you the answer, and we are 
continuing to learn.
    I think what we would ask, certainly, is if you'll allow us 
a little bit of continued learning time. We believe that we 
have all of the appropriate statutory authority necessary to 
accomplish the mission, goals and objectives of the Department. 
If you'll allow us a little bit more learning time as we apply 
them because, remember, this is now the first full fiscal year 
that we have headed in as a department. It's the first fiscal 
year we have had a little bit of input into a full budget 
process, if you will, and even that was kind of constrained and 
allow us to come back and offer guidance from that learning 
over the next several months, I think that might be more 
helpful. But thus far, we believe we are under way and we 
believe we may be able to accomplish everything we need to 
accomplish thus far.
    Mr. Putnam. That's certainly a reasonable request, but just 
understand that you're operating on a narrow margin, 
considering the nature of your mission and Congress' very 
strong desire to see a seamless transition that is as short as 
possible with everybody pulling in the same direction. And from 
the IT side, there's probably an awful lot of people in the 
government who would like to see you fail to amalgamate all 
these systems and that you'll eliminate all of their excuses 
for not being able to do it. Because if DHS can pull it off, 
there's no reason why everybody can't really make this thing 
work.
    Ms. Evans.
    Ms. Evans. My predecessor did previously brief on lines of 
business opportunities. And so, as you asked about some quick 
hits in there, the work continued on the lines of business 
analysis, and it continues on for four specific lines of 
business, which is criminal investigations, public health, 
financial management and human resources. The one quick hit 
that was identified through the analysis dealt with data 
statistics, and that effort has moved over to the Smart Buy 
Initiative, where it was identified we could truly leverage the 
buying power of our agencies that are involved in statistical 
analysis and move forward to get a quick hit as far as 
realizing benefits of purchasing statistical packages for those 
groups.
    As far as the other four initiatives, I'd be happy to 
follow up with the committee and provide additional detail on 
the current status as it moves through and completes through 
the budget process this year.
    Mr. Putnam. That would be very helpful.
    You're probably familiar that I sent a letter to GSA about 
an opportunity to realize some immediate savings in the 
relicensure of software. Could you give us a status report on 
where that is?
    Ms. Evans. We are currently, based on the letter that you 
sent, relooking at the opportunities so we can move forward; 
and I am in the process right now of looking at opportunities 
that GSA has provided in response to your letter. And, again, I 
would be glad to come back and talk to you in further detail 
about what actions will be taken so we can realize the benefits 
of the Smart Buy program.
    Mr. Putnam. Absolutely. I think it has tremendous 
potential.
    Mr. Cooper, who is the person in the Department actually 
responsible for holding the business owners accountable for 
implementing the business transaction strategy?
    Mr. Cooper. I think it is a shared responsibility. I have 
direct responsibility for ensuring that we develop and use 
departmental enterprise architecture. I need help, quite 
candidly, from all of the senior leadership of the Department. 
The enterprise architecture, as I stated previously, is not an 
information technology initiative, it is a business initiative; 
and therefore, I need the help and support of the Secretary, 
the Under Secretaries, the appropriate agency and bureau heads 
in order for all of us to be successful in this endeavor. But I 
am the person who is held accountable.
    Mr. Putnam. Ms. Evans, coming from the Department of 
Energy, the last zebra to lose its stripes, what lessons 
learned from DOE can be applied to the newest department in 
government?
    Ms. Evans. There are a lot of opportunities in that I think 
that the management team and the partnership moving forward is 
really key. And based on my new role, I know DHS is committed 
to the mission overall. The enterprise architecture was truly 
an effort that we really used.
    Again, it is leadership with partnership. It's not 
necessarily leadership through ownership of any of these types 
of things, but it is really leadership through partnership. As 
you use the enterprise architecture and you move through the 
steps, it really does, as my esteemed colleague pointed out, 
remove the emotion from the situation where people really are 
committed to making good sound investment business decisions 
and ensuring that the dollars are invested wisely; and the 
architecture provides a method for that communication to occur.
    That really is what happened within the Department, and I 
would say that I had a wonderful Secretary and Deputy Secretary 
who were committed to the President's management agenda and 
really realizing the full benefits of what can be achieved 
through proper, sound information technology investments.
    Mr. Putnam. Mr. Cooper, how often do the highest level IT 
persons in each of the 20-some-odd agencies that have merged 
into DHS get together and swap ideas and communicate?
    Mr. Cooper. We do that formally on a weekly basis. I 
established the Department of Homeland Security CIO Council 
almost a year ago, even before the Department was established, 
even though it wasn't called the DHS Security Council at the 
time. We have been meeting on a weekly basis for that period of 
time.
    That council is comprised of the CIOs of each of the 
component agencies that came into the Department where there 
was a named CIO. We didn't exclude anybody--small, large didn't 
matter; everybody is a member. We have augmented that with some 
additional key senior leadership in IT.
    We use that group in a couple of different ways. First of 
all, we absolutely meet to share. Our whole goal is to create a 
single information technology-coordinated function in support 
of the mission of the Department of Homeland Security, and I'd 
argue that we are, in fact, well under way in achieving that 
type of goal and collaboration.
    Second, that same council, reconvened in a formal manner, 
becomes the first-level review process of our capital planning 
and investment review process for the Department. So for all 
information technology investments, we're the first step. So 
that initiative will come before us and we meet then as the 
enterprise architecture board, same membership, to pass and 
enforce compliance with the enterprise architecture.
    Mr. Putnam. As you know, this subcommittee has done an 
awful lot on cyber security. If you would, please comment on 
how security is addressed in DHS-EA.
    Mr. Cooper. You'll actually see it. If you get up close 
enough to this thing, you will see the appropriate parts of the 
information security.
    But in addition to evolving it as an integral part of all 
appropriate business processes, particularly with regard to our 
classified host of processes and information, we have a formal 
information security program headed by our chief information 
security officer, Robert West, inside the Department. He has 
already established an information security advisory board that 
is comprised of the information system security officers and 
information security managers of every component of the 
Department, including the smaller agencies that didn't--that 
got that from their parent departments. They actually now have 
designated DHS individuals inside the Department.
    They meet on a regular basis, usually not lengthier than 
monthly, to not only address all information security policy 
issues, the compliance thereof, any type of reporting, such as 
FISMA, that we have recently completed our report out to you 
and to OMB; but they also serve to coordinate all of the 
processes that look at building--as we have mentioned, both 
Karen and I, building information security into all of our 
initiatives, not kind of pasting it on or tacking it on after 
the fact.
    Mr. Putnam. Ms. Evans, perhaps you would like to comment on 
the role of security in the Federal Enterprise Architecture.
    Ms. Evans. And I would be happy to do that, sir.
    Cyber security, right now, through the work of the Federal 
CIO council on the architecture subcommittee, there is an 
effort under way that is specifically dealing with cyber 
security to ensure that it is integrated throughout the models 
that are being produced that support the Federal Enterprise 
Architecture.
    So it is not going to be a separate entity or a separate 
model unto itself, but each model comprised and rolled up into 
the Federal Enterprise Architecture will have a cyber security 
element to ensure that every decision, everything that we go 
forward with that cyber security is adequately addressed to 
ensure the cyber posture for the Nation.
    Mr. Putnam. Thank you.
    We have had our share of worms and viruses this year. And 
my understanding is that 90 percent of the Federal Government 
is a single operating system, the same one. And so while we 
talk about not building more stovepipes on the one hand, there 
is this concept out there of monoculture, of a particular 
vulnerability that wipes out the entire enterprise. And I am 
curious how we work through those issues with regard to the 
Federal Enterprise Architecture. Knowing the vulnerabilities 
that are out there, knowing that it could be exacerbated by 
having the vast majority of the Federal enterprise on the same 
operating system, how do we guard against these worms and 
viruses and issues that will only grow worse and more rapid as 
time goes by?
    Ms. Evans. When we look at that and look at the worms and 
viruses that are going forward, it really comes down to 
configuration management and how each entity moves forward and 
deals with configuration management. And as OMB moves forward 
and works with each department and agency, most of these 
situations, when you look at them--and I can speak--I will step 
back into my DOE role, when we did the analysis in the past 
year of things that occurred within the Department. They were 
all related to, if we had patched in a timely and appropriate 
manner, that we would have avoided that situation.
    So this really does come down to being able to ensure that 
patches are applied in a timely manner and that good 
configuration management processes are in place within each 
department.
    Mr. Putnam. And how quickly is information on the latest 
patch disseminated throughout the Federal Government right down 
to local case work type--the local Social Security offices 
around the country and USDA offices and bases around the world? 
How quickly can we get the word out and have reason to expect 
and hold people accountable for applying that patch?
    Ms. Evans. I would say currently--I still sit in as the 
vice chair of the CIO Council, so I am aware that my 
predecessor has also briefed on that particular area. But we 
have moved through the Federal CIO Council to put procedures in 
place so the dissemination of that information happens very 
quickly through cooperation, and also with the efforts of 
FedCIRC over at DHS; so that then there is a process that's in 
place within each department that then makes sure that 
information gets disseminated to all the appropriate sources 
for the patching.
    As far as how quickly that occurs within each agency, I 
would be glad to go back and get more information on that and 
brief the committee; because OMB did collect that information 
from each agency, and so I would be glad to discuss that with 
you in further detail.
    Mr. Putnam. Since you have it, yes, I would be very 
interested in knowing to what extent enterprise-wide we're 
actually applying the patches that are available. I mean, 
undoubtedly it's just like business or home users or anything 
else, people don't want to fool with it, they don't think they 
need to, they don't think it applies to them, they don't think 
that they'll get it, they don't feel like stopping what they're 
doing to do it. All the same human issues that go into the 
private sector apply to government and perhaps even more so.
    So it would make sense the same reluctance that exists in 
the private sector would exist in the government, and I would 
be curious to know how effectively we have ingrained the 
importance of adequate patch management and rapid response to 
that.
    If you would, though, comment on the fact that is such a 
high percentage of a single operating system. Is that a 
concern? Is that a nonissue? Elaborate on that if you would.
    Mr. Cooper. Can I jump in?
    Mr. Putnam. Certainly.
    Mr. Cooper. I think for us--let me answer it this way.
    For us, when we took a quick look across the inherited 
components of the Department, particularly in kind of a desktop 
space, what we saw was that about 80 percent of our inherited 
environments were a single vendor. It was a very easy business 
decision from an economic standpoint to say, OK, in that space, 
for the time being, let's go with what we have.
    The costs of changing would have been prohibitive. It also 
would have led to very serious concerns about the abilities to 
sustain mission capability from day one.
    However, having said that, we are paying a lot of attention 
to the security vulnerabilities of that particular operating 
system environment. We are, within the Department of Homeland 
Security, very actively encouraging a heterogeneous environment, 
particularly in our mission application space as opposed to 
desktop type of space. So as we have mission-critical 
applications, we are taking a look at what is the environment 
we want to put that particular application or application 
hosting in. We do have a lot of inherited environments that are 
not that same particular vendor; and we will not only continue 
to support, but probably expand some of that capability in a 
Unix environment or a Linux environment because we think that 
is highly appropriate to what we are trying to accomplish in 
the Department.
    We want to do no harm to mission capability. We want to do 
it in an effective and economic way. And we want to do it so if 
we need to migrate, we are migrating in a way that is cost 
effective, rapid, and again, does not harm the delivery of 
mission capability.
    Mr. Putnam. That's a very helpful response. I have no 
hidden agenda in the question. I am the guy that just wrote a 
letter to GSA demanding to know why they are not standardizing 
this stuff. I just recognize that there's a line where the 
economic incentives of a common vendor and common applications 
are superseded by security concerns, and that's an art and not 
a science, and that's why we pay you the big bucks to decide 
where that line is, but I am not being critical of any vendor 
at all. As long as human beings are going to be designing and 
developing this stuff, there will be problems.
    But there is certainly a vast opportunity in the Federal 
Government for nonmission-critical desktop applications and 
things where there are tremendous cost savings to be realized 
and certain niche components in agencies like yours where you 
want redundancy. And so I think that's perfectly appropriate.
    Ms. Evans. I would like to say, sir, that even if it is a 
single operating system, any type of approach as we go 
forward--and I would really like to get back to configuration, 
it is a risk-based approach that all of us take in moving 
forward and assessing the risk; how quickly and how can we 
apply resources to ensure that things are properly patched.
    Technology does exist where, regardless of what the 
operating system is, you can automate the application of the 
patch and then move forward.
    So as we move forward to whether it's standards-based or a 
single type of operating system or the known operating systems 
that we are managing in our environments, technology exists so 
that we can look at how we can apply our resources the best way 
that we can, automate the things that can be automated, such as 
patch management, and then allow those resources that we have, 
the scarce resources that we have that are doing these daily 
operations to really be focused on the high-level, 
mission-critical operations and ensuring that those are adequately 
secure as we move forward.
    Mr. Cooper. If I may add one additional thought, and I 
don't mean this to be as controversial as it may end up 
sounding.
    Mr. Putnam. Choose carefully. There are a lot of pens and 
pads in the room.
    Mr. Cooper. But, I mean, this in a constructive way.
    Patch management is something that we have to do because of 
what we're dealt. We have entered into conversations with this 
particular company that none of us are naming and had some very 
serious and candid conversations about, Look, realistically you 
have to improve the quality of your product relating to 
information security. It's that simple.
    Karen is absolutely right. We have invested a significant 
amount of time and energy and people's, you know, resources and 
expertise and everything in configuration management, in patch 
management. But I also argue that we could lessen the need for 
that if we worked cooperatively and collaboratively with some 
of our major vendors to produce quality product that doesn't 
have quite so many vulnerabilities in it.
    Mr. Putnam. Well said. And certainly the purchasing power 
of the Federal Government would be a powerful incentive to 
improve the quality of any particular vendor's given product. 
As long as we are willing to buy products that are not to the 
standard that they should be, people will continue to sell 
those to us.
    Both of you have been down in the trenches and have seen 
the Federal Government's IT enterprises at the field level, and 
you understand, certainly better than anyone on this 
subcommittee without a doubt, the real-world cultural 
differences.
    As you have assumed these new major positions of 
responsibility, what are your thoughts on ways to break down 
those barriers and really have effective information sharing, 
effective cross-agency coordination and cooperation?
    Mr. Cooper. I think, from my perspective, one of the 
biggest challenges is kind of--I guess it's communication, 
meaning getting the right folks in one room at one time to have 
the type of conversation that really then almost always enables 
us to reach the type of collaborative decisions we need to 
make. And I'm not sure that's anybody's fault.
    Right now in the Department we have so much coming at us, 
we're literally trying to change the tires on the car while 
it's moving 70 miles an hour. We're still staffing, meaning 
we're still trying to hire folks into some of our authorized 
positions, things like that. So getting quality time with some 
of the key people to address many of the challenges of 
information sharing is difficult. I mean, it is a very real 
challenge. It's not because anybody is trying to do the wrong 
thing.
    When we are able to do that, we're actually able to reach 
consensus and move forward rather quickly. But doing that first 
within the Department of Homeland Security, then doing it among 
and between the Department and other Federal agencies, then 
doing it with each of our stakeholders--it's a numbers game.
    There are 56 States and territories. We have a State 
homeland security coordinator in each of the 56 States and 
territories. That one is easy, and we have regular 
conversations with those folks a couple times a week. But if we 
then try to reach out and collaborate around information 
sharing with, for example, counties, there are 33,000 counties.
    I don't know how to do it, I admit. I don't know how to get 
exactly the right representation. How do we collectively pull 
all these folks together?
    There are 89,000 municipalities at the local level. Now 
layer on top of that the five major sectors of the emergency 
responder community or the first responder community. Our 
struggle is, how do you get the right people together to have 
the discussion.
    Mr. Putnam. Well, you've done an outstanding job of laying 
out the challenge, but I would just respond to that by saying 
the primary purpose in your Department's creation was 
information sharing. I mean, all the functions of the 
Department of Homeland Security were already there, but it was 
a breakdown in information sharing that allows bad guys to fly 
in on airliners and allows bad guys to cross the border and 
allows bad guys to smuggle bad things in the bottoms of ships. 
So I view your role in the Department of Homeland Security as 
being the most critical. That was the reason why I voted to 
create it.
    We are not going to save any money in the near future. We 
hope to in the long run, but it's going to cost us more in the 
short run to merge all this stuff together. It was the fact 
that one file wasn't being transferred from one desktop to 
another desktop. It was the fact that people in one border 
guard station weren't talking to the one right next to them, 
and they were wearing separate uniforms at the same time. It 
was that information sharing, I think, that led the Congress to 
make that leap. And so it's vitally important.
    I know that both of you have other engagements and need to 
leave very shortly, and I can't hold it against you since I was 
an hour and a half late getting here myself. I will give you 
the opportunity at this point in the meeting to express 
whatever is on your mind, and you think is important to go in 
the record and for the subcommittee to hear.
    And as you embark on your 3rd day on the job, we'll give 
you a few more moments to collect your thoughts and go with Mr. 
Cooper first and let him respond, and then we'll go to you, Ms. 
Evans.
    Mr. Cooper. Thank you very much for the opportunity to join 
you today. And I would welcome the opportunity to come back and 
continue the dialog. I think that's very, very important.
    The key message that I want to deliver is that, in a very 
short period of time, we have developed our first release of an 
enterprise architecture for the Department of Homeland 
Security, and we are using it. So in spite of some of the 
challenges and things I shared with you, we are really doing 
real things on the ground.
    We are making progress in the information sharing arena. We 
have connected between States and local governments and that 
type of thing that previously we had no connection. And we are 
sharing information on a daily basis.
    We need to expand that. We need to build upon it. We're not 
where we all want to be, but there is very positive news and a 
lot of it is linked to what we are learning and continuing to 
learn, developing our enterprise architecture.
    I also would like to thank some of the folks that have 
joined me today and would like to introduce them by name to the 
committee, because they really are the key people who have led 
a significant amount of the effort that I've been just the 
spokesperson for here this morning. Sitting behind me, George 
Brundage, Charles Thomas, Amy Wheelock and two other 
individuals who weren't able to join us, Katherine Santana and 
Ron Williams, really form kind of the core team that guided a 
whole host of other individuals too lengthy to name across the 
Department and have achieved Release 1 of our enterprise 
architecture.
    Mr. Putnam. Thank you very much. And I do want to note that 
DHS produced the first EA in 4 months.
    Mr. Cooper. That's correct.
    Mr. Putnam. And I don't think that can be overstated. It's 
very impressive, and it's a testament to your hard work and 
folks on your team, and a lot of the other departments can 
derive some lessons from that accomplishment.
    Ms. Evans.
    Ms. Evans. I too would like to thank you for the 
opportunity to be here today.
    I would like to state that I will plan to continue the work 
of my predecessor. I believe that he started many great things 
here in the government to be able to move us forward to achieve 
things and to really achieve value for the government and the 
American citizen.
    So I really would plan to drive toward the full utilization 
of the President's E-Government Initiative and progressing the 
work of the enterprise architectures within the agency, as well 
as the Federal Enterprise Architecture through the work of the 
CIO Council, and ensuring that the CIO Council remains a forum 
for discussion and for agencies as we move forward; and then 
continue to work to institutionalize the work he started within 
the management processes that are available to us, and continue 
to work with the subcommittee as we move forward, ensuring 
things such as IT security, privacy, planning, implementation 
and evaluation of all these IT investments for the agencies.
    Mr. Putnam. Thank you very much. And I want to thank both 
of you for your hard work and for your commitment to public 
service. Obviously, you bring a tremendous expertise in 
coordinating our IT blueprint toward eliminating those 
stovepipes that we talked so much about, reducing redundancies 
where it's appropriate and making systems more secure and maybe 
even saving us a buck or two. It is a complicated issue that 
will not be solved overnight, and I speak for the entire 
subcommittee in saying you have our support in working through 
this process.
    I hope that you will not burn out and cash out but keep the 
faith and keep plugging away because it's certainly an 
important yet difficult task.
    In the event that there are some questions from the 
subcommittee that we were not able to get to, I would ask the 
record remain open for 2 weeks for those submissions. And I 
believe both of you have made notes on things that we have 
discussed that we would like further clarification on from the 
subcommittee.
    Again, we wish you the best and thank you for your support. 
And with that, the subcommittee will stand adjourned.
    [Whereupon, at 12:15 p.m., the subcommittee was adjourned.]

