[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





    FEDERAL INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT, STRATEGIC 
     PLANNING, AND PERFORMANCE MEASUREMENT: $60 BILLION REASONS WHY

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 3, 2004

                               __________

                           Serial No. 108-164

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
94-773                      WASHINGTON : DC
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, 
CANDICE S. MILLER, Michigan              Maryland
TIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of 
MICHAEL R. TURNER, Ohio                  Columbia
JOHN R. CARTER, Texas                JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee          ------ ------
------ ------                                    ------
------ ------                        BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                 Chip Walker, Professional Staff Member
                         Juliana French, Clerk
            Adam Bordes, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
Hearing held on March 3, 2004
Statement of:
    Johnson, Clay, III, Deputy Director for Management, Office of 
      Management and Budget; Karen Evans, Administrator, Office 
      of Electronic Government and Information Technology, OMB; 
      and David A. Powner, Director, Information Technology 
      Management Issues, U.S. General Accounting Office
Letters, statements, etc., submitted for the record by:
    Evans, Karen, Administrator, Office of Electronic Government 
      and Information Technology, OMB, prepared statement of
    Johnson, Clay, III, Deputy Director for Management, Office of 
      Management and Budget, prepared statement of
    Powner, David A., Director, Information Technology Management 
      Issues, U.S. General Accounting Office, prepared statement 
      of
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of

 
    FEDERAL INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT, STRATEGIC 
     PLANNING, AND PERFORMANCE MEASUREMENT: $60 BILLION REASONS WHY

                              ----------                              


                        WEDNESDAY, MARCH 3, 2004

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 1 p.m., in 
room 2154 House Office Building, Hon. Adam H. Putnam (chairman 
of the subcommittee) presiding.
    Members present: Representatives Putnam and Clay.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Chip Walker, professional staff member; Juliana 
French, clerk; Suzanne Lightman, fellow; Adam Bordes and David 
McMillen, minority professional staff members; and Jean Gosa, 
minority assistant clerk.
    Mr. Putnam. A quorum being present, this hearing of the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order. 
I want to thank everyone for being here and welcome you to the 
subcommittee's kickoff hearing for 2004.
    Today's hearing is appropriately entitled, ``Federal 
Information Technology, Investment Management, Strategic 
Planning and Performance Measurement: $60 Billion Reasons 
Why.'' Today's oversight hearing sets the foundation for the 
range of oversight hearings we have planned for the remainder 
of the year in the areas of electronic governance, enterprise 
architecture, interoperability, information sharing and, 
perhaps most importantly, cybersecurity.
    Last year, this subcommittee held 22 hearings to review the 
progress being made by the Federal Government in these specific 
IT areas. While the subcommittee individually examined each 
subject matter in detail at those hearings, it became clear as 
each hearing passed that addressing any particular IT challenge 
is not only related to other competing IT challenges, but also 
must be resolved simultaneously and in an integrated way with 
all others.
    This is without doubt a difficult challenge that requires 
the ultimate combination of managing our IT investments 
effectively, planning strategically, and measuring performance 
appropriately.
    The purpose of this afternoon's hearing is to provide the 
subcommittee with a clearer understanding of the policies, 
processes and procedures that now determine the Federal 
Government's annual investment in IT.
    Four weeks ago, the President sent his fiscal year 2005 
budget to Congress, a budget requesting $60 billion in spending 
for IT products and services. Underlying this request are a 
series of acts that have established principles for sound IT 
management within the Federal Government.
    For many years, the Federal Government pursued an IT agenda 
that did not necessarily emanate from customer service or sound 
business practices. ``Stovepiped'' solutions, proprietary 
systems and a lack of interoperability or even plans to 
interface with other systems were considered ordinary and 
acceptable conditions.
    A list of congressional legislation, initiatives and 
guidance since 1996, including Clinger-Cohen Act, the E-Gov Act 
and FISMA have led to changes that provide OMB with the 
oversight flexibility needed to coordinate, manage, plan and 
measure results emanating from its IT investments made across 
the Federal Government.
    Put another way, OMB was given the responsibility and 
authority to function as the check and balance on a Federal 
Government IT culture that long accepted agency claims that 
their system absolutely required a unique solution, unique 
software, unique hardware, unique staff, unique business 
processes and could never interface with other systems.
    Additionally, past agency claims that IT performance and 
agency performance are two separate issues have taken a 
different course due to Clinger-Cohen and the E-Gov Act.
    To what extent IT management and agency performance are 
appropriately tied is an important question that deserves this 
subcommittee's attention. OMB has taken a number of steps 
through budget guidance, memoranda and circulars to ensure 
agencies unify behind effective IT planning, cross-agency 
solutions and elimination of redundancies.
    Perhaps the most visible initiative, matching agency 
performance measurements with overall IT investment, is 
embodied in the President's management agenda. I'm particularly 
pleased that Clay Johnson, the President's Deputy Director for 
Management at OMB, will be testifying today to discuss progress 
being made in this area. We're also delighted to have with us 
Karen Evans, Administrator of E-Government and Information 
Technology, OMB. In addition to connecting agency performance 
to IT spending, I look forward to this afternoon's dialog with 
Ms. Evans regarding the results of enhanced OMB budget guidance 
to agencies in preparing their 2005 request, the results of 
utilizing a Federal enterprise architecture and planning, the 
results of OMB's review of agency IT business cases, the 
results of utilizing E-Government and the results of pursuing 
consolidation of duplicative systems.
    As I mentioned earlier, cybersecurity is one of the primary 
factors that must be woven into any IT spending plan. As such, 
the subcommittee will review the steps taken this year by OMB 
in preparing its 2005 budget submission to further enhance the 
security of Federal information networks and protect the 
information they contain in accordance with FISMA.
    The General Accounting Office has also joined us to share 
their recent findings and recommendations on improving the 
linkages between IT's strategic planning, performance measures 
and investment management as required by Clinger-Cohen.
    While individual congressional appropriations subcommittees 
and some authorizing committees have kept an eye on projects 
and programs within their purview, very few congressional 
hearings have taken place to examine the cross cutting 
horizontal picture of investing $60 billion on IT more wisely 
by coordinating and collaborating across traditional agency 
boundaries.
    From the congressional perspective, we have passed our 
share of laws requiring OMB to coordinate IT expenditures. In 
addition to making sure the Federal Government is on course, 
this hearing provides Congress an opportunity to improve our 
own IT spending decisions. We need to be authorizing and 
appropriating our taxpayer dollars on IT based on the same 
cross agency collaborative methodology that we require of OMB 
and agencies in their budget submissions.
    While I recognize every Member of Congress comes to 
Washington with a different set of priorities, I encourage my 
colleagues to join me this afternoon to reflect on IT 
investment in a comprehensive and cross-cutting manner instead 
of by program or by function, just as we ask this afternoon's 
witnesses to do every day.
    At the appropriate time we will yield to the gentleman from 
Missouri, the ranking member, Mr. Clay, for his opening remarks 
and any other Members who choose to join us this afternoon.
    With that we will move directly into the testimony as is 
the custom for the Subcommittee of Government Reform, I would 
ask the witnesses to please rise and raise your right hand to 
be sworn.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [Witnesses sworn.]
    Mr. Putnam. I note for the record that all three witnesses 
responded in the affirmative. And we will begin with Mr. 
Johnson. Clay Johnson is the Deputy Director for Management at 
the Office of Management and Budget responsible for providing 
governmentwide leadership to executive branch agencies to 
improve agency and program performance. He was previously 
Assistant to the President for Presidential Personnel, 
responsible for the organization that identifies and recruits 
approximately 4,000 senior officials, middle management 
personnel and part-time Board and Commission Members. From 1995 
to 2000, Mr. Johnson had the pleasure of working with Governor 
George W. Bush in Austin, first as his appointments director, 
then his chief of staff and finally as the executive director 
of the Bush-Cheney Transition.
    Mr. Johnson, you clearly have the ear of the President. We 
are honored to have you with us this afternoon. We appreciate 
the work that you have performed for the Federal Government and 
if you will pause for just 1 second. Let me check on the status 
of votes.
    [Pause.]
    Mr. Putnam. Very good. We are expecting votes somewhere 
between 1:30 and 2:15 so hopefully we can certainly get through 
the opening remarks before we have to interrupt you and I 
apologize for that. That's unfortunately the way we run the 
railroad around here.
    Welcome to the subcommittee and thank you for being here.

STATEMENTS OF CLAY JOHNSON III, DEPUTY DIRECTOR FOR MANAGEMENT, 
 OFFICE OF MANAGEMENT AND BUDGET; KAREN EVANS, ADMINISTRATOR, 
  OFFICE OF ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, 
  OMB; AND DAVID A. POWNER, DIRECTOR, INFORMATION TECHNOLOGY 
       MANAGEMENT ISSUES, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Johnson. Mr. Chairman, thank you. Thank you for having 
Karen and me here. I believe, the President believes that the 
Federal Government is in the process of becoming results-
oriented. If you asked 10 or a 100 people to raise their hand 
if they think the Federal Government is results-oriented, not 
many of them would do that. I think all of us, agencies, 
executive branch, legislative branch are in the process of 
changing that.
    Traditionally, the Federal Government is focused on the 
amount of money we spend on a problem or opportunity as a 
measure of our commitment to dealing with that problem or 
opportunity. It's harder, but more relevant to focus on what we 
actually get for the money we spend and if that's not 
satisfactory, if what we're getting is not satisfactory, 
figuring out what we do about it.
    This is the approach we're taking with our IT investments, 
and early as you said, $60 billion in IT investments. We are 
not perfect. We continue to improve each year. One of the 
reasons I believe that we are going to see significant 
continued improvement, if not accelerated improvement this next 
year in the IT management, investment management area is 
because Karen Evans has come over, we've enticed her away from 
the Department of Energy to head up this office. She's a 20 
plus year employee of the Federal Government and knows what 
goes on in agencies and knows the way it used to be and has a 
good taste for the way it can be and has tremendous credibility 
within the IT community and the Federal Government. And so I 
can't imagine a better person to head up our efforts at this 
time to continue to lead this effort in the direction that we 
all want it to go in. So you're going to hear me today refer a 
whole lot of questions and comments to Karen, but I know that's 
what you expected when you invited me to come up here, but I'm 
glad to be up here.
    [The prepared statement of Mr. Johnson follows:]

    Mr. Putnam. At this time we'll recognize Ms. Evans. On 
September 3, 2003, Karen Evans was appointed by President Bush 
to be the Administrator of the Office of Electronic Government 
and Information Technology at the Office of Management and 
Budget. Prior to joining OMB, Ms. Evans was Chief Information 
Officer at the Department of Energy and served as vice chairman 
of the CIO Council, the principal forum for agency CIOs to 
develop IT recommendations. Previously, she served at the 
Department of Justice as Assistant and Division Director for 
Information System Management. The last time Ms. Evans 
testified before our subcommittee, we were kind enough to 
provide her with 48 hours on the job before calling her to 
testify. Now that she's an OMB veteran with 5 months under her 
belt, we welcome her and look forward to hearing of the 
progress being made to improve the management of our IT 
spending.
    Welcome, Ms. Evans, and you're recognized for your opening 
remarks. Thank you for coming before the subcommittee.
    Ms. Evans. Mr. Chairman and members of the subcommittee, 
thank you for inviting me here today. My remarks will focus on 
the administration's strategy and progress in planning, 
managing and measuring the results of the Government's 
technology investments on the successful results of the 
President's E-Government Initiatives and on the impact of the 
Federal Enterprise Architecture [FEA].
    The President's 2005 budget includes nearly $60 billion for 
IT and reflects this administration's commitment to defense and 
homeland security. This budget also shows our continuing work 
in exercising fiscal responsibility without sacrificing 
results. We are reaffirming the administration's commitment to 
results-oriented management by reducing duplication in IT 
spending while improving service delivery for the citizen. Of 
the nearly 1,200 major projects included in this year's budget, 
621 representing about $22 billion are on a ``management watch 
list.'' These include mission-critical projects that need to 
improve performance measures, project management and/or IT 
security. The fiscal year 2005 budget requires agencies to 
successfully correct identified project weaknesses and business 
case deficiencies or OMB will limit spending on new starts and 
other developmental activities.
    Ensuring the security of the Federal Government's 
information and systems is a critical element of effective and 
responsible IT management. The Federal Information Security 
Management Act [FISMA], requires agencies and Inspector 
Generals to review and evaluate agency IT security programs and 
systems each year and to report their results to OMB and the 
Congress. Both FISMA and the longstanding OMB policy direct 
agencies to fund IT security throughout the life cycle of every 
system and to develop remediation plans for all systems with IT 
security weaknesses.
    OMB used the information from the annual FISMA reports and 
quarterly remediation updates to directly influence the fiscal 
year 2005 budget process as well as to prioritize fiscal year 
2004 expenditures. Agencies with significant weaknesses in 
information and systems security were directed to remediate 
operational systems prior to spending fiscal year 2004 
development or modernization funds. If additional resources are 
needed to resolve those weaknesses, agencies are to use their 
2004 development funds. These steps underscore the President's 
commitment to security and privacy.
    The fiscal year 2005 E-Government priorities and IT 
resource levels reflect activities in which we are presently 
engaged with the agencies. For example, agencies must now 
review all commercial software acquisitions for possible 
inclusion into the SmartBuy program which is designated to 
leverage government purchasing power and reduce redundant 
purchases. Further, the appropriate agency acquisition official 
must review all planned IT acquisitions over $2 million to 
ensure the acquisition does not duplicate any E-Government 
initiative. Agencies may only complete an acquisition found to 
be duplicative with my prior approval.
    In addition to using the ``find and apply'' solutions of 
the Grants.gov initiative, fiscal year 2004 new planning and 
development dollars are being redirected to develop an action 
plan, solution and architecture for an agency's grants 
management system that will integrate to a governmentwide 
solution by September 1, 2004.
    Finally, agencies have been asked to redirect all planning 
and acquisition dollars for core financial systems in fiscal 
year 2004 toward developing standards and architecture for a 
governmentwide solution.
    We first used the Federal Enterprise Architecture in 
formulating the fiscal year 2004 budget. Using the business 
reference model, we identified six major service areas with 
over $6.8 billion of IT investment funding that seemed to offer 
potential for the governmentwide collaboration, consolidation 
and savings.
    The Department of Health and Human Services is leading 
efforts to identify specific health-related work areas where 
technologies can be leveraged leading to real cost savings. All 
of the major Federal investigative agencies, led by the 
Department of Justice, are working to identify opportunities to 
use shared technology tools to support their case management 
needs and in the area of financial management, the Departments 
of Energy and Labor are leading a cross-agency taskforce to 
achieve seamless data interchange among partner agencies, 
reduce acquisition expenditures and plan for a common 
architecture that includes standardized data structures, 
business processes across government for core financial 
systems.
    For the fiscal year 2005 budget, we identified further 
areas within the Federal Government that have potential for 
substantial collaboration and consolidation and where the 
agencies are using the same technology components. As a result, 
we can target many of those technologies for government-wide, 
enterprise licensing through the SmartBuy program.
    The administration will continue to work collaboratively 
across the agencies and with Congress and I look forward to 
working with you on these matters and would be happy to take 
questions.
    [The prepared statement of Ms. Evans follows:]

    Mr. Putnam. Thank you very much, Ms. Evans. Our next 
witness is David Powner. As Director of GAO's Information 
Technology Management Issues, David Powner is responsible for 
GAO's review of Federal IT systems development and IT 
investment management. Prior to his current position at GAO, he 
spent a number of years with Quest Communication where he 
directed their information technology and financial audits, as 
well as overseeing DSL software development efforts. His 
previous work at the GAO includes reviews of its software 
development, information security and enterprise architecture 
progress at the Air Force, FAA and National Weather Service.
    On February 12th, Mr. Powner and his colleagues at GAO 
released a report that I requested, along with Chairman Davis 
and Senate Chairman Collins, entitled, ``Information Technology 
Management, Government-wide Strategic Planning, Performance 
Measurement and Investment Management Can Be Further 
Improved.''
    We look forward to your recommendations and your comments 
on GAO's findings and the conclusions that were in that report. 
You're recognized for your opening statement.
    Mr. Powner. Chairman Putnam, we appreciate the opportunity 
to testify on Federal IT strategic planning, performance 
measurement and investment management. With $60 billion spent 
annually on Federal information technology, having sound 
strategic plans, associated performance measures and the 
processes to ensure the appropriate selection and oversight of 
these investments is essential. Our most recent review that you 
just mentioned, Mr. Chairman, showed considerable room for 
improvement in these IT management areas.
    As Ms. Evans just mentioned, our findings are consistent 
with the administration's management watch list which contains 
over 600 mission-critical projects totaling $22 billion that 
are in need of improvements in the areas of performance 
measures, project management and/or IT security.
    Today, as requested, I will summarize our recently issued report 
on the extent to which Federal agencies have in place important 
IT management practices. These practices are called for in 
legislation, OMB policies and GAO guidance. I will also discuss 
how agencies can improve in these areas.
    Our report clearly showed mixed results. Collectively, the 
26 agencies we reviewed had less than 50 percent of the 
practices fully in place. Starting with strategic planning and 
performance measurement, agencies generally had IT strategic 
plans and goals, but these goals were not always linked to 
specific performance measures.
    Moreover, few agencies monitor performance for all of their 
IT goals. Without enterprise-wide performance measures that are 
tracked against actual results, agencies lack information about 
whether their overall IT activities at a governmentwide cost of 
$60 billion annually are achieving expected results. In the IT 
investment management area which involves processes for 
selecting and overseeing investments, the agencies largely have 
IT management boards in place and use selection criteria to 
choose their investments. However, once selected, no agency had 
practices associated with the oversight of IT investments fully 
in place. Such oversight is essential to periodically ensure 
that as projects are pursued and funds are spent, the projects 
are tracked to the benefits promised at expected costs, within 
proposed timeframes and at an appropriate level of risk.
    This periodic oversight with key milestones also provides 
an ideal opportunity to ensure that investments continue to be 
aligned with enterprise architectures and are adequately 
addressing information security requirements. Without this 
executive level oversight of project activities, agencies lack 
assurance that investments are on track and are continuing to 
meet mission needs. Nor is there necessarily an early warning 
mechanism to flag under performing projects so that corrective 
actions can be pursued before projects are out of control.
    To help agencies improve their performance in these IT 
management areas, we made over 200 recommendations to the 
agencies in our review. Overall, agencies agreed with our 
recommendations and many have planned actions to pursue them. 
In addition, at today's hearing, we are releasing our latest 
version of our IT Investment Management framework. This 
framework identifies and organizes critical processes for 
selecting, overseeing and evaluating IT investments and offers 
organizations a useful tool for improving their IT investment 
management processes in a systematic and organized manner.
    First issued as an exposure draft several years ago, this 
new version incorporates lessons learned from our use of the 
framework in our agency reviews, comments from users, as well 
as comments from public and private sector experts on IT 
investment management.
    In summary, our report shows that Federal agencies have 
some aspects of strategic planning and performance measurement 
in place, namely strategic plans, goals and investment boards. 
However, to ensure that the Government's investment in IT is 
not wasted, considerable improvements are needed in the areas 
of performance measurement and the oversight of these 
investments. This can be accomplished in part through the 
expeditious implementation of our recommendations and adoption 
of best practices like our IT investment management framework.
    We look forward to working with you, Mr. Chairman, and your 
continued oversight of these and other IT management areas. 
This concludes my statement. I'd be happy to respond to any 
questions that you have.
    [The prepared statement of Mr. Powner follows:]

    Mr. Putnam. Thank you very much, Mr. Powner, and we 
certainly have some. I'd like to begin with Mr. Johnson. You 
have experience in the private sector, experience in State 
government and probably more experience in Federal Government 
now than you ever wanted. Tell me, explain if you would, where 
you think the President's management agenda is, where some of 
the successes have been and frankly, what the greatest 
obstacles continue to be and perhaps some ways where Congress 
can help.
    Mr. Johnson. Regarding IT?
    Mr. Putnam. Let's start in general. Let's start out here 
and then work our way into IT. Ms. Evans, I think, is going to 
have plenty of questions on IT, but while we have you, I'm 
curious to know just, in general, on the agenda.
    Mr. Johnson. When the President's management agenda was 
introduced in August 2001, thinking in terms of the scorecard 
that we use, 130 scores, 5 initiatives, 26 agencies, 110 of 
those were red. About half of them are red now and by this 
summer, 3 years after the beginning of the introduction of the 
agenda, I would guess there might be 30 or 40 reds. The average 
agency 2 plus years ago was red, the way we keep score. The 
average agency, this summer, 3 years later, will be yellow and 
if you look at the description of what a yellow agency is, it's 
a very different place. It's much more focused on results. It's 
a different place to work for. It's a different place to be 
served by if you're a citizen or taxpayer. It's a different 
place for Congress to interact with and I would suggest better 
in all instances and that's just at yellow. And the next step 
is to go to green.
    We're pleased with those, the progress that's been made. 
One of the things that's interesting is that every component 
part of what it takes to be green has been in every subpart of 
every initiative has been achieved by at least one agency. So 
we know that everything that we say is required to be green is 
really advanced state of management practice, is physically 
possible. Some part of the Federal Government has demonstrated 
their physical ability to do that, so it's not a question of 
can we do it, it's a question of how we do it and how quickly 
we can do that.
    The agencies own this. It began as the President's 
management agenda. I think it's become the agencies' management 
agenda. I think that the employees at the Interior Department 
and HHS and etc., realize that it's better to work for a 
results-oriented organization than it is for one that's not. 
This is good for them and I think they have embraced it in 
almost every case and so the pace of implementation is 
accelerating.
    So we are pleased with the progress to date. There's still 
a lot of progress to be made and one of our primary 
responsibilities is to help agencies get to where they want to 
be. They have identified, they're starting to identify now 
longer term goals, where they'd like to be a year from now, 2 
years from now. And so OMB started off pushing them a quarter 
at a time. Now we're helping them get to where they want to be.
    So we can do this. We can get to where you, we, all want 
the IT part of this agenda to be, and it's just a question of 
making sure there's plenty of rigor, plenty of discipline, 
plenty of attention. There's a lot of check and balance. 
There's things we can do to make sure that agencies understand 
what the goal is, understand the importance of qualified 
management people, understand the importance of security and 
there are ways of making sure that they don't spend money on 
other things until they've taken care of that and we just to 
make sure that those disciplines are, in fact, enforced and 
that the proper attention is paid to all of these three or four 
most important parts of getting our IT management to where we 
all want it to be.
    Mr. Putnam. On the IT side, we spent an awful lot of time, 
in fact, it probably comes up in every single hearing we have, 
lamenting the fact that our IT issues are not technological 
problems. They're not even financial hurdles. They're cultural. 
They're institutional barriers to change. And in our little 
committee scorecard and on FISMA and other ways of kind of 
measuring these things we find that when the Secretary of the 
respective department makes the President's management agenda a 
priority, then things happen. And what I really don't have a 
good feel for is who keeps that on their agenda. Does it happen 
in Cabinet meetings? Does it happen at the chief of staff 
level? Is that what you do all day? Who keeps pushing these 
issues to keep the President's management agenda, the mechanics 
of operating the Government, even though in Treasury you're 
worried about collections and you're worried about the falling 
dollar and in Justice you're worrying about protecting this and 
all these kinds of things. Everybody has their own problems 
associated with the mission, but who reminds them to keep their 
eye on the ball of the mechanics and the process of making 
Government work smarter?
    Mr. Johnson. Well, all that you mentioned. In fact, I 
talked to Brian Montgomery who is the person, the Cabinet 
Secretary in the White House. The President has, I think it's 
quarterly, maybe monthly meetings with each Cabinet Secretary, 
whether he needs to or not, whether they need it or not. And 
every time he meets with them he asks them and inquires about 
their status on the President's management agenda and are they 
pleased with their progress. It comes up at Cabinet meetings. 
At their Cabinet meeting in January, I think the Attorney 
General talked about his scorecard and the next person to talk 
was John Snow, Secretary Snow who's got five reds. It was a 
very difficult 2 minutes for the Secretary. In fact, the next 
week the Secretary called me. We went to have lunch and he was 
seeking advice on how to get the Department of Treasury out of 
a red status state. So a little public shame and humiliation 
within the Cabinet and outside also keeps their attention.
    I work directly with the Chief Operating Officers, the 
Deputies in most cases, of the agencies and we are in constant 
communication on all of the President's management agenda items 
and again, helping them get to where, as I said, they want to 
be. And they all have very aggressive goals for their agencies. 
These are all competitive people and they also want to do the 
right thing. They want to leave a good, strong legacy and so 
it's not like we're trying to get them to pay attention. It's 
like we're trying to help them get to where they want to be.
    So I'm working at it on the operating standpoint that 
Cabinet Secretaries are reminded in informal meetings and at 
Cabinet meetings, not every Cabinet meeting, but they talked 
about it at the January Cabinet meeting I know for sure. So 
it's all of the above.
    And the public quarterly scorecard puts that out there for 
all to see and make of it what they will.
    Mr. Putnam. Thank you. Clinger-Cohen was enacted 8 years 
ago and it gave OMB responsibility and the authority to raise 
the concerns that are addressed in the GAO's findings and, 
after 8 years, the results are mixed as the report and Mr. 
Powner indicated.
    And Clinger-Cohen holds OMB responsible. Rightly or 
wrongly, they're the designated, the buck stops with you all. 
How do you respond to some of the findings of this GAO report?
    We'll begin with Mr. Johnson.
    Mr. Johnson. It's better. It's kind of like our situation 
with homeland security. It's a whole lot better than it used to 
be. It's not good enough. And 20 some odd percent of our 
systems used to be secured. It's now 62. Our plan is for it to 
be 80 this year. Our plan is for it to be this year 80. The 
goal to be green in our--keeping scores--all but 90 percent of 
all the systems be secure. We have whatever it is half of the 
systems that are on the watch list. That's unsatisfactory. 
We're doing a better job this year of putting restrictions on 
agencies via apportionment, via whatever mechanisms we have to 
make sure that they address security matters, quality of 
management matters, quality of business case matters before 
they spend development moneys on new systems.
    So we're trying to put more rigor, more discipline, more 
check and balance into the enforcement of these mechanisms this 
year than we even have done in the past and I have confidence, 
plus the fact that Karen is there, that we will continue to 
make progress on this.
    The progress, particularly in the security area is not what 
we planned for it to be this year, but we intend to correct 
that.
    Mr. Putnam. Ms. Evans, do you wish to add anything to that?
    Ms. Evans. I think that Mr. Johnson has clearly summed up 
where our priorities are and what we are doing is using the 
mechanisms that are available to us as OMB to ensure that the 
agencies are really adhering to what the goals of the 
administration are, so that we can adequately address this, we 
do the recommended actions that are in the GAO report that next 
time this is evaluated that you will see that it is implemented 
versus the mixed results that it currently demonstrates.
    Mr. Putnam. The GAO mentioned in their testimony that most 
agencies do not have information resources, management plans 
that are supposed to address privacy records management, 
information collection. Half the agencies told GAO they would 
like to see additional guidance on the content of those plans 
and at the same time the 2005 budget document discusses the 
OMB's evaluation of their IRM practices.
    How does OMB evaluate those plans that GAO says are not 
complete and do you share their opinion that they're 
incomplete?
    Ms. Evans. There are several requirements that are on the 
agencies as far as how they need to manage their overall IT 
investments. The IRM strategic plan is one of many plans that 
the agencies submit. As far as the recommendation about OMB 
offering additional guidance as far as strategic plans, we're 
evaluating that now. We did tell GAO orally that we didn't plan 
to give them more specific guidance, but that we were 
evaluating our overall guidance that we give out in A-11 and 
A-130 as far as how the agencies would move forward and how they 
would manage their IT portfolio overall.
    So what we're doing now is in our post mortem of fiscal 
year 2005's budget submission, we're looking at what guidance 
needs to be supplemented and then update that and we'll be 
working with the agencies through the CIO Council to issue 
draft guidance shortly to address some of the concerns that 
were in here. But right now, we do not specifically intend to 
just address IRM strategic plans, but really to address 
guidance as a whole for portfolio management.
    Mr. Putnam. Mr. Powner, do you want to address this?
    Mr. Powner. One comment I think OMB does deserve a fair 
amount of credit through the budget submission process, the 300 
process that most folks refer to, we found in our review that 
the questions that they asked on the front end when the budgets 
are submitted, that agencies generally have those practices in 
place. I think where a lot of attention and focus needs to go 
now is once we prioritize and select investments and we decide 
to march forward, that's where we started seeing the rigor and 
the practices not really being in place. So when we have 
agencies that continually have these cost overruns and schedule 
slippages and not delivering functionality, that's where we 
really need to put processes into place to make sure that we're 
staying on track with the benefits promised and we're 
delivering within cost and schedule. So OMB clearly has made 
some strides in terms of the agency's rigor on that front end.
    Also too, there's a fair amount of accountability that 
resides within the agencies with the CIOs. If we go back to the 
legislation that's in place, a lot of the accountability does 
reside with the CIOs, so I think it's a combination of the two. 
OMB can do their part, but we're going to continue to push and 
ensure that the CIOs are performing these functions that are 
called for in law and basically are called for in best 
practices in IT management.
    Mr. Putnam. Thank you very much. The ranking member of the 
subcommittee, Mr. Clay, is from Missouri, and when he walks in 
the spotlights come on. If I had known that I would have put on 
a little more powder.
    You're recognized for your questions and remarks.
    Mr. Clay. Thank you, Mr. Chairman, let me say that I'm glad 
that this is our first meeting of the year and I'm glad to be 
back here with you. I'm glad to see the panel here today and 
this is a pretty important subject to talk about, the IT role 
of Government, as our first meeting now for this session of 
Congress and thank you for calling it.
    For Mr. Johnson, generally speaking, do you consider the 
Government's annual investment of roughly $60 billion in IT an 
adequate level of funding or are we spending too much on IT 
systems and not enough on implementing and training? Should the 
amounts be adjusted to an appropriate level in order to better 
integrate new IT programs and systems at the agencies?
    Mr. Johnson. I didn't hear the last part. Are we doing 
investments or should we be spending more on implementing?
    Mr. Clay. Let's start over. Should the Government's annual 
investment of roughly $60 billion in IT--is it an adequate 
level of funding, first of all?
    Mr. Johnson. Yes, I believe it is. Agencies requested more 
than that, but the amount that was agreed to and budgeted for 
was $58 point whatever it is billion. We didn't think there was 
a strong enough business case for the additional $4, $5 or $6 
billion that were requested.
    The agencies are challenged to achieve the goals of their 
mission, goals of their agency and they are encouraged to 
figure out how investments in IT can help them achieve those 
goals and so it's all supposed to be mission-specific and they 
come to us with their recommendations and it adds up to $60 
plus billion. We looked at it and decided that, in fact, it was 
a legitimate reason to spend the $58 billion this year. So yes, 
I would say that in light of what the Federal Government's 
individual agencies' goals are, it is an appropriate amount to 
be spending.
    Mr. Clay. Does the $58 billion also include implementation 
and training of employees on the system?
    Mr. Johnson. I do not know that. Karen.
    Ms. Evans. As the agencies prepare their business cases, 
they're supposed to plan for the full life cycle of that 
investment. So that would mean that representative in that 
amount does deal with depending on how they're reporting a 
business case. So if it's development, if it's in the early 
stages of development or steady state which is on-going, they 
have to reflect the full cost such as training and 
implementation. So if it's a new investment, those investment 
dollars should include training and implementation of the users 
for that system as well as cybersecurity.
    Mr. Clay. Do we need to address the levels of 
appropriations at this point or is this adequate to $58 to $60 
billion? Is it adequate or do you need an adjustment on that?
    Ms. Evans. Sir, based on the President's budget submission 
and the review that my office did in accordance with the budget 
examiners, we believe that on the business cases, the way that 
they have been justified, that it is an adequate level that 
reflects the administration's priorities.
    Mr. Clay. Well put. And in your opinion do the annual 
performance reports of the Government Performance and Results 
Act provide an adequate forum for agencies to communicate their 
information about IT acquisition programs or should another 
tool for such information be dedicated to the process?
    Ms. Evans. I think right now in conjunction, the business 
cases have a fairly rigorous process associated with that and 
with the questions that the agencies are asked about their 
investments, but I also--we are working very closely with 
another part of the President's management agenda which is 
budget and performance integration and on that particular 
element there is an assessment tool that is also in there, the 
PART, which is the Program Assessment Rating Tool which talks 
about the program overall. So the IT investments need to ensure 
that they complement the way that the program is moving 
forward. And so we are really working now to ensure the 
integration of the IT investments into the overall program 
performance and the results that program intends to achieve.
    So the results and the performance results that are 
outlined in the business case need to complement and enhance 
the overall program results that we are now using the 
assessment tool for. So I think between those two elements, 
we're moving forward in that we have tools that are there now 
to work with the agencies to reflect that.
    Mr. Clay. Thank you. Mr. Powner, let me say it's my belief 
that the investment management process is integral for 
effective program stewardship and necessary in a time of severe 
budget constraints. Having said that, your findings indicate 
that the absence of an agency CIO was hindering a number of 
agencies from implementing some of the recommendations made for 
investment management practices. Can you tell us how many of 
the agencies detailed in the report were missing a CIO and if 
the absence of this leadership position is common at the agency 
level?
    Mr. Powner. I would have to get back to you on the exact 
number that were missing, the CIO, and they gave that for a 
reason why they didn't have that practice in place. We received 
a number of reasons why some of these key practices were not in 
place. Clearly, not having a CIO was one of several reasons. In 
many instances, agencies and departments told us that it was 
clearly an oversight and they were in the process of putting 
these practices in place.
    Mr. Clay. How long have they been in the process of doing 
this? I mean, how many years has it been have they been told to 
get a CIO?
    Mr. Powner. Clearly, it differed by agency. We had agencies 
differ in terms of the timeframe which they've been putting 
these in place, clearly it's been in law and required for quite 
a number of years. You're absolutely correct on that, but the 
specifics by agency, I'd need to get back to you on that.
    Mr. Clay. OK, I'd appreciate that. Mr. Johnson.
    Mr. Johnson. Mr. Clay, all of these agencies have had CIOs. 
If they don't have one now it's because the person left and 
they haven't been replaced yet. Not having a CIO is not an 
excuse for not having done this.
    Our agencies are supposed to be set up to continue to 
function and to continue to do good work in the absence of 
Assistant Secretary or Deputy Assistant Secretary, whatever. 
And the absence of a CIO should not be given as an excuse.
    Mr. Clay. Thank you for that answer.
    Mr. Putnam. Thank you, Mr. Clay. We have four votes pending 
which will be about a 30 to 35 minute delay. So, if your 
schedule will accommodate, we would ask your indulgence and 
your patience and offer our apologies. So the subcommittee will 
stand in recess for 30 minutes, feel free to go check your 
e-mail.
    [Recess.]
    Mr. Putnam. The committee will reconvene and I want to 
thank you again for your indulgence and I apologize for leaving 
you stranded for 30 minutes with the reporters. [Laughter.]
    They had you sort of captured, but it's unfortunately, just 
a part of this process.
    We will pick up where we left off in terms of performance 
measures and proceed.
    Ms. Evans, what mechanisms are in place to prepare for and 
manage for our long-term IT needs as opposed to we're 
constantly playing catch-up with legacy systems and eliminating 
stovepipes and all that? What process is in place to look ahead 
to see how we end up where we really need to be as opposed to 
playing catch-up all the time?
    Ms. Evans. With our efforts on the Federal Enterprise 
Architecture, that really is our plan of how to move forward. 
That effort with the reference models and then the way the 
whole architecture process works where we'll be defining our 
to-be architecture, that is where we want to be. And as we 
start using the agencies' submission of their Enterprise 
Architectures and how they align to the Federal Enterprise 
Architecture, we've had the opportunity, both in fiscal year 
2004 as well as 2005, to identify collaboration efforts that we 
can see where agencies are planning expenditures, where 
agencies are planning modernization efforts and then based on 
it all coming into a central location and doing the analysis 
that we have with the Federal Enterprise Architecture and how 
they map to the reference models. We can then see where there 
is potential collaboration efforts and we can work with the 
agencies so that they realize that versus them doing it on 
their own. That cycle by having it in the budget cycle right 
now has a 2-year budget cycle associated with it, as well as 
the long term out year through the plans that the agencies 
submit with a 5-year cycle.
    So that really is our long-term plan, to continue to use 
the enterprise architecture efforts of the agencies as well as 
our own Federal Enterprise Architecture.
    Mr. Putnam. And how do you then measure the success of an 
IT purchase? Is it about just simple compliance with the RFP or 
is there a performance linkage associated with it? You or Mr. 
Johnson can----
    Ms. Evans. OK, first, there is a performance reference 
model contained within the Federal Enterprise Architecture. We 
released the first model of that and we're going to continue to 
work, as I stated earlier with the budget and performance 
integration team that is that part of the tenet of the 
President's management agenda.
    The PART does have metrics in there that will measure the 
effectiveness of the program. The IT investments have to 
support that and so also within the business case, there is a 
specific area that deals with performance measures. And so we 
ask the agencies to ensure that those align with the reference 
model as well as those going forward with the PART. Also, we're 
asking the agencies and what we're working with the agencies 
now on is earned value management which is having an EVMS 
system in place. That then gets to a lot of the issues that 
were brought up in the GAO report as far as execution of 
measuring your expected results against your actual results, 
about having business processes in place that will then track 
all of that so that we can say yes, this is what we thought we 
were going to do. This is what we actually did. Or, if an 
investment starts to get off track, because of the way, if you 
implement this appropriately, you'll have leading indicators 
which will then allow you to adjust whatever you have to adjust 
on a project that is supporting the overall mission of the 
agency. So we think between the PART, the Federal Enterprise 
Architecture and then more specifically an earned value 
management system within an agency will then allow us to be 
able to match and measure planned results against actual 
results.
    Mr. Putnam. What are the consequences when an agency fails 
to meet their goals or their milestones or their performance 
measures? What consequences are there?
    Ms. Evans. Right now we are using what we have available 
which is and several things are available, but it's 
apportionment of funds and what that means is that if a project 
is to fall off target and we have major concerns and right now 
there are several, obviously, that are on the management's 
watch list, we work very closely with the budget side of the 
house of OMB and what we do is make sure that the agency has a 
good remediation plan in place, that it's agreed upon between 
the agency and OMB and then we have tools that are available to 
us that say OK, you have to take this particular action and 
then we apportion the funds to ensure that those actions are 
met and that they are complying with the action plans that they 
said that they would.
    Mr. Putnam. And have you done that, Mr. Johnson?
    Mr. Johnson. Karen and I have talked and I have a 15,000 or 
20,000 foot view of it. We need to put more check and balance, 
more teeth into it. There needs to be more consequence and 
there's more this year than there was last, and more last than 
the year before that and that's just something we need to do 
working with the OMB branches and working with the agencies and 
we just--we have a clear definition of where--the agencies have 
a clear definition of where they want to be, to be yellow and 
green is the way we discussed it and they've talked to us about 
timeframes by which they'd like to be at what we call green 
state of affairs and almost to help them be rigorous about it, 
we need to be--make sure there's plenty of teeth. I told Karen 
last week, in fact, let's figure out how we can put as many 
teeth into this mouth as possible. All these things--the rigor, 
disciplines and checks and balances that we need to ensure 
that, in fact, we are properly focused on security and the 
quality of management and project management and budget 
management and so forth.
    Mr. Putnam. So you currently can apportion funds. What 
additional teeth would you like to see?
    Mr. Johnson. We can apportion funds. We don't apportion 
funds to the extent to which we can.
    Mr. Putnam. So it is not a matter of authority.
    Mr. Johnson. Right.
    Mr. Putnam. So much as it just hadn't been done.
    Mr. Johnson. Right. I mean when you go in and stop a 
project that's mid-development, you're fixing to have a little 
wrestling match with the agency and there are opportunities to 
do that and sometimes it's going to take that.
    Mr. Putnam. I wouldn't think you'd have to do it but once 
or twice and everybody else would catch on.
    Mr. Johnson. Right.
    Mr. Putnam. Every time I need something from OMB, we have 
to wrestle with them. [Laughter.]
    Mr. Johnson. You wouldn't recommend it, would you?
    Mr. Putnam. I lose every time. [Laughter.]
    Have you ever been in an arm wrestling match with OMB? Have 
you ever won? It's not fun and yet----
    Mr. Johnson. We're gentlemanly about it, aren't we?
    Mr. Putnam. You're very gracious, just wiping the mat with 
us. And yet, I see these agencies and we're going to get into 
this in our next hearing, but agencies don't even know what 
equipment they own and can't find it, don't know where it is. 
Didn't know they had it. They're not accountable for securing 
it and nothing happens and----
    Mr. Johnson. We have plenty of authorities now and it's our 
responsibility to make sure that we are using every authority 
we know.
    Mr. Putnam. If you all are as tough on agencies as you are 
on Members of Congress, we can save a bunch of money because it 
concerns me.
    Mr. Johnson. But you're talking about those B people, 
right, not the M people.
    Mr. Putnam. That's right, that bad old B team. But it's a 
legitimate issue in that you have this authority. Everybody is 
pretty clear on what the problem is and we just can't seem to 
get our arms around it. And that's a little disappointing.
    Mr. Johnson. Although great progress has been made in every 
area, I mean 3 years ago, 2 years--we were 20 percent secure. 
We're 62 percent secure, just as an example. But we want to be 
at 80, so we are making great strides. We can make greater 
strides and will.
    Mr. Putnam. Fair point and I don't want to diminish the 
progress that you have made. We didn't get into this position 
overnight and we're not going to get out of it overnight.
    So you have 621 IT projects totaling $22 billion on the OMB 
management watch list. That means they need improvement in 
performance measures, earned value management or IT security or 
some combination and so can we--let's begin with how do you 
decide who gets on the list and I guess to our earlier 
discussion, what point will you decide or do you decide that 
you're just going to terminate or modify these at risk projects 
and what are they? Is that a list that we can get our arms on, 
get our hands around?
    Ms. Evans. OK. First, the way that we determine the list----
    Mr. Putnam. Mr. Johnson, you're such a gentleman letting 
her answer first.
    Mr. Johnson. Southern. You know how we were raised.
    Mr. Putnam. Ladies first.
    Ms. Evans. I get to go first. OK, the way that we determine 
the management watch list is based on the business case 
submissions and so the business cases are reviewed internally 
within OMB and they're assigned a score between 1 and 5, a 
total score. The management watch list is composed of any 
business case that has received a 3 or lower, total score. Or, 
if you've gotten a 4 or 5 on the overall business case, but you 
have a 3 in the cybersecurity element of the business case, 
then you're put on management watch list.
    Then what happens at that particular point, say for 
example, if it's cybersecurity, agencies receive specific 
guidance during the budget process of what they needed to do to 
remediate that particular risk. So in the case of cybersecurity 
they had a specific date that they had to turn in a remediation 
plan to us to talk about how they were going to address the 
overall cybersecurity posture within an agency. And then also 
what had to be included are the costs associated to accomplish 
that remediation. When that came in, now we're in the process 
of evaluating that plan to see if it meets everything that is 
under the guidance of FISMA, that it has the IG review, how to 
go forward and do they have adequate funding levels within 
their current levels. If they don't, what the process was of 
how we went forward is the guidance is very specific that no 
new development efforts should go forward in that agency until 
they have remediated this weakness and dollars that they have 
associated with new development efforts would be redirected to 
help supplement and remediate that particular weakness. And 
that's where we're working hand in hand with the budget side of 
the house to ensure that happens under our current authorities.
    If it's something else like the EVMS or performance 
measures, we also have asked the agencies to turn in plans to 
deal with that and we set a target for June of this year, 
associated with the scorecard, because we measure their 
progress on a quarterly basis with the President's management 
agenda scorecard. And so those plans will also be looked at 
prior to them actually expending funds in fiscal year 2005 and 
so in the meantime, we're looking to see how far down, how bad 
is it and then we're making recommendations to go forward of 
whether that project should be stopped if we don't feel that 
there's an adequate plan to remediate the weakness and that's 
what I'm working with Mr. Johnson on very closely.
    Mr. Putnam. Can we get a list of the projects on that list?
    Ms. Evans. I need to check because we normally don't 
release the list and so I will check internally since it's 
coming to you. We don't normally release it to the press at all 
because what we really want to do is have the agencies have the 
opportunity to be able to justify that business case, be able 
to remediate the weakness, have a good business practice in 
place to ensure the success of that project.
    So I will check and get back to you on that.
    Mr. Putnam. Thank you. Let me just ask one final question 
before I recognize Mr. Clay.
    Help me to understand this; $60 billion spent on all IT 
investments governmentwide. And the State of Florida's budget 
is about $56 billion this year. So it kind of puts it in 
perspective as a former legislator, thinking about all the 
things that we used to be able to do with $56 billion, actually 
it was more like $50 back then and what we're spending just on 
IT.
    How much of that roughly $60 billion is just ordinary kind 
of stuff that anybody in America who owns a small business or a 
big business or a home computer would understand, you're just 
upgrading your operating system, making sure everybody has the 
latest, the greatest, the newest to do the things that they 
need to do that are commercially available off-the-shelf kind 
of stuff, and what percentage of that $60 billion are really 
zebras, things that are unique to the mission of IRS or DOD or 
whomever that really do fit that unique category?
    Is the overwhelming majority of the $60 billion just 
because of the sheer size and scope of the government? Or is it 
because we're still building zebras to do what anybody could go 
down to the store and buy a horse to do?
    Ms. Evans. Well, if I understand the question correctly, so 
the way the $60 billion is broken out for the fiscal year 
2005's budget, it reflects the administration's priorities of 
defense and homeland security. So if you look at--it's actually 
$59.7 billion; $27.4 billion are associated with DOD systems. 
And then----
    Mr. Johnson. Can you say that again?
    Ms. Evans. $27.4 billion----
    Mr. Johnson. Alone are DOD?
    Ms. Evans. Yes. Out of that total. And then of the homeland 
security, $10.3 billion is associated with homeland security. 
So that leaves $22 billion associated with all other.
    So that all other includes all the civilian agencies going 
forward. Now, also in the homeland security piece, and I want 
to make a distinction there, as agencies send business cases 
forward, that is not just the homeland security's IT budget. It 
is what agencies who have homeland security missions or are 
supporting homeland security missions, they mark their business 
cases and say that this is in support of homeland security and 
then what a particular area is. So we pull that out of the 
investments to show where the agencies were investing their 
dollars. So it's not just the Department of Homeland Security, 
but it also reflects what the Department of Justice may be 
doing, what Department of Treasury may be doing in the area of 
homeland security.
    Mr. Putnam. What I'm really asking, and we're getting there 
is, take CAPPS II for example, it's not something that 
everybody in America needs or wants or would have or could go 
out and buy. Obviously, it's a very expensive thing to make it 
all happen.
    So that's a big ticket item that clearly government is 
going to spend a lot of money to get it right. But of that 
$27.4 billion defense and certainly the $22 billion of the 
other, how much of that is just getting the newest Windows 
system on every extension agent's desk in America for the 
Department of Agriculture and those kinds of things?
    Mr. Johnson. So purchasing an upgraded computer, new, 
latest version of an operating system or Windows or 
something----
    Mr. Putnam. Sure.
    Ms. Evans. I would have to get back to you on the specific 
of what that number is and we have it available because we did 
ask the agencies this year as part of their 2005 submission to 
send in one business case that consolidated all the 
infrastructure costs such as office automation, computer 
purchases, network, cost, network infrastructures, so we should 
be able to pull that and I'd be glad to get back to you and 
give you a specific number of what's related to that.
    Mr. Putnam. I think that would be helpful because when I 
give the Rotary Club speech and I tell people we spend $60 
billion on this stuff, people are just in shock. And the 
assumption is that it's because of things related to homeland 
security, things related to defense like CAPPS II or the things 
that truly are unique, but my sense that the majority of it is 
just when you figure up how many employees of the Federal 
Government we have and all the offices we have and everything 
else, it's just ordinary upgrade that every business in America 
does in an outfit the size of the Federal infrastructure. 
That's the real goal here is to see what that is.
    Do you want to add anything?
    Mr. Johnson. Well, I'm going to conjecture. My sense of it 
is, the number that you're asking about is a gargantuan number, 
but it's a small percent of the total.
    Mr. Putnam. Thank you. Mr. Clay.
    Mr. Clay. For Mr. Powner, of the many practices that GAO 
evaluated in its recent report, which rise to the top as the 
most critical for agencies to fix?
    Mr. Powner. Clearly, there were two that require more work. 
One is associated with strategic planning and performance 
measurement. As I had mentioned prior, we saw strategic plans 
in place and goals. What we didn't see was the associated 
performance measures nor processes in place that would actually 
track those performance measures to results. So performance 
measurement would be No. 1.
    Second, when you look at investment management, there was a 
fair amount of rigor on the front end where we had investment 
boards in place and selection processes. We were choosing 
investments based on sound criteria, but once we selected those 
investments, having the appropriate oversight processes in 
place, those were clearly lacking.
    Mr. Clay. Are there any agencies that would have greater 
challenges in managing their IT strategic planning and 
performance practices or investment management practices due to 
the nature of programs they administer? In other words, are 
some agencies in need of more frequent upgrade due to the 
change in technologies or trends?
    Can you identify of them that have some unique issues that 
they----
    Mr. Powner. I don't know if there's unique issues by 
agency. I think when you look across the board, almost every 
Federal agency, we look at--the FAAs, the DHS--we are really 
trying to insert technology into these organizations. So I 
would say the majority of these organizations are challenged to 
ensure that we have new technologies in place to meet missions.
    Mr. Clay. OK, thank you. Ms. Evans, how does OMB intend to 
utilize the CIO Council to encourage better IT management 
across the government?
    Ms. Evans. The CIO Council directly in partnership with OMB 
has two major committees that we use. Actually, there's three 
major committees, but the two that impact what we're talking 
about today are the Best Practices Committee as well as the 
Architecture and Infrastructure Committee.
    The Architecture and Infrastructure Committee really works 
on in partnership with us on governance of the overall models 
that we have in place that are leading us to better management 
of the IT as a whole. And then the Best Practices Committee 
looks at where there are pockets of innovation, who has best 
practices in place and then takes those out so that we can then 
share those across the IT community as a whole.
    So both of those committees are very important to ensure 
that we have all that information out to all the CIOs.
    Mr. Clay. Let me ask you, we've been talking about 
information management, information security and investment and 
information technology, but we haven't talked very much about 
information itself.
    Most of the systems we are talking about are used to create 
a process, government information. Now some of this information 
should be readily available to the public. I would like to know 
what OMB is doing to assure that these systems make it easier 
for permanent, public access to government information.
    What happens all too often is that a citizen writes to an 
agency and asks for Document X. The agency writes back that it 
is going to take six people 4 hours each to search through the 
filing cabinets to find that document and if you will send us a 
check for $4,000, we will go look for that document.
    What are you doing to make sure this investment improves 
public access to this information?
    Ms. Evans. Every investment proposal that comes forward, we 
evaluate that investment for interoperability, as well as 
utilization. And the whole focus of the President's management 
agenda in the tenet of E-Government is a citizen-centered 
approach. So everything that we're doing, along with things 
that are already existing such as the Government Paperwork 
Elimination Act, even though we reported on that, that doesn't 
mean that we are not continuing our work to eliminate those 
areas and to automate those transactions.
    So all those investments are looked at that way to ensure 
that we have transparency and then availability of the 
Government's information to the public.
    Mr. Clay. Will the public have better access to the 
documents, to the information that they seek, or will it be the 
same bureaucratic delay that they encounter now?
    Ms. Evans. The answer is yes, they will have better access, 
yes sir.
    Mr. Clay. Thank you, Ms. Evans. Mr. Johnson, has the 
Program Assessment Rating Tool [PART], that has been used for 
the past two budget cycles by OMB for the evaluation of program 
performance and outcomes offered any insights into the ways in 
which the lack of IT management is impacting the effectiveness 
of programs at the agency level?
    Mr. Johnson. I don't know the answer to that, but whether 
it's indicated where there are big IT gaps, where IT has not 
been deployed and should have been. My suspicion is no, it has 
not identified any large IT gaps, but I don't have a specific 
answer.
    Mr. Clay. Can you respond back to us in writing?
    Mr. Johnson. I'm sorry, what?
    Mr. Clay. Could you respond back to us in writing?
    Mr. Johnson. Sure.
    Mr. Clay. On that question. Thank you and thank you, Mr. 
Chairman.
    Mr. Putnam. Thank you very much. Let's talk about the 
enterprise architecture for a second.
    How have OMB and the agencies addressed the lines of 
business consolidation opportunities within their submissions 
and how has OMB addressed that--how did the individual agencies 
address lines of business consolidation and how have you 
addressed it and what success have we seen from that?
    Ms. Evans. Each agency, as they go forward in their efforts 
of putting together their enterprise architecture, see the 
opportunities to consolidate and I believe the best example of 
that right now is the Department of Agriculture. They did a 
very rigorous analysis, using their architecture this year 
before they submitted their fiscal year 2005 budget and it 
resulted in $162 million worth of savings within their IT 
portfolio.
    So that's a clear example of how an agency has used that 
internally within their own enterprise. That then translates up 
into the overall efforts of where we see investments going 
along a path, for example, of the ones we've already 
highlighted, such as financial management and grants management 
systems and human resource systems. And so what we've done this 
year again through the budget passback process that we have 
available to us is that we have specific levels of effort now, 
lines of business analysis, as you've said, that has resulted 
from us looking at the Federal Enterprise Architecture and said 
we want a very concerted effort looking at that, seeing what 
can be the common solution, how we can move forward.
    And what we have done is we have directed the fiscal year 
2004 development and modernization dollars that are associated 
in these lines of business to support that analysis which will 
then move the agencies to the common solution that will be 
defined by September of this year.
    Mr. Putnam. What is it that USDA consolidated to save $162 
million?
    Ms. Evans. They looked at their entire portfolio, 
everything that they were investing IT dollars in and they did 
a very rigorous analysis and tied it in with their overall 
capital planning and what they did was consolidate down their 
portfolio, so that as they send in their business cases they 
really looked at what is supporting their corporate, what is 
supporting program specific IT investments and it resulted in 
them really taking a hard look at what they were going for and 
asking for in the past and what they were asking for this year 
in fiscal year 2005 and it resulted in $162 million worth of 
savings.
    Mr. Putnam. And did they benefit from any of that savings? 
Were they able to redirect it to other priorities?
    Ms. Evans. The way that this works prior to it coming in, 
what should happen and the way that this should work and the 
way that it does work, it worked at Energy in this way as well 
is that if the agency moves forward and through its budget 
process they give specific guidance that are aligned with the 
President's priorities, so in the spring, they'll do a call out 
to their entire agency and say send everything in and align 
with this guidance.
    Then the departmental offices will evaluate how that aligns 
very similar to the same questions that you're asking me of how 
I do it on the $60 billion, each agency does it for their 
piece. Then as they go forward there is then a review in the 
summer that the Secretaries and the Deputy Secretaries then 
look at that.
    In this particular case, as Agriculture went forward, there 
were certain targets that we are given by OMB that each agency 
is supposed to have their budget meet. So as we consolidate and 
have saving and realize that we can consolidate or leverage 
what we already have or get an enterprise license for our 
department as a whole, those savings are then reflected within 
the agency submission to meet the target levels that we've been 
given by OMB. That's how an agency puts together its overall 
budget.
    So the answer, that's a long answer to yes, they realize 
the savings because it's reflected in how they put together 
their overall target numbers that go forward to OMB for us to 
review.
    Mr. Putnam. Do you have other success stories like that? Is 
it totaled up, $165 million here, $70 million there, $10 here. 
Pretty soon, it's real money.
    Ms. Evans. Right, and that's why we're going back through 
each portfolio and really working with the agencies through the 
scorecard process as well, so that we can really get a handle 
on what the true cost savings are.
    I can tell you from an overall piece of looking at the 
budget as a whole that development and modernization dollars 
went down by 5.66 percent this year from 2004 to 2005. So the 
next logical question you would think is OK, all the 
maintenance dollars really skyrocketed through the roof because 
everything that was new is now implemented in the separate 
agencies.
    But there's only a 3.45 percent increase in steady state 
dollars. So what we're now starting to see is benefits from the 
consolidation efforts as the agencies are moving forward 
because their budgets reflect how they plan to use the common 
solutions that are being developed under the government 
initiatives.
    Mr. Putnam. I went through a Coca-Cola Shared Services 
Center in my District that I went through over the Presidents' 
Day break. They have 400 people, one building, who do all the 
accounts receivable, all of the accounts payable, payroll, 80 
CPAs doing their tax accounting, their financial accounting, 
all their books for Coca-Cola North America.
    They have a sales force that doesn't have an office to 
report to, they have wireless devices. They visit their 
clients, the convenience store, the restaurant, the mom-and-pop 
diner, whatever it may be, key in the order, no paper. Their 
hours are paperless. Direct deposit, paperless. Are we even 
close to getting to that type of efficiency in the Federal 
Government?
    Mr. Johnson. I've met in the last week with the people in 
Social Security, student loan operation in Education, the IRS, 
phone operation, customer service operation, this isn't 
specifically IT, but those operations and I've referenced 
that--I compare that to my experience in mail order business. 
Those operations are very, very sophisticated, very 
sophisticated, very results-oriented. They measure everything. 
They're very focused on service. They have great use of 
technology. They deploy things here and there and their 
facilities are doing BlackBerries and so forth, but that's very 
sophisticated use of technology to provide high levels of 
service. I bet you that's the anomaly in the Federal 
Government, but there are places where technology really lends 
itself to getting the mission accomplished like that, like in 
Defense, all the things you see when we go to the battlefield. 
That is extremely sophisticated. So we are using--we are 
deploying very sophisticated IT intensive systems in those 
service operations, Social Security and student loans and so 
forth in the defense world, those things we're exploring it 
there. As sophisticated as the brainiest people can think of, 
there are other areas where it's not that sophisticated.
    One of the things I know that Karen's group looks at is to 
make sure that when we are going from a manual, basically a 
manual operation to a system attached operation, we just don't 
systemize the manual process. We just don't get computers to do 
what human beings were doing. We look at that as an opportunity 
to completely change the way we do business and do you really 
need a copy--those kinds of things.
    But with $60 billion and all the things that we do in the 
Federal Government, there's a wide range, but in some areas 
it's as sophisticated as it can be.
    Mr. Putnam. And this goes back to our question of Ms. Evans 
earlier on our long-term needs. I'm less interested in playing 
catch up with the Federal Government than I am in skipping 
generations of technology and getting us where we need to be. 
So if INS doesn't have enough computers, maybe they don't need 
to buy more desktops. Maybe we need to have Border Control 
agents who have wireless devices that are beaming at real time 
so that we have a better sense of what's going on. And the 
Defense example is an outstanding example, because it 
represents the best and the worst of the Federal Government.
    We are so good, so effective and ought to be so proud of 
how we can move things from the laboratory to the battlefield 
and then into the commercial sector. You know, GPS. Everybody 
in Florida has a $99 hand held GPS and they've got 4,000 
lobster and grouper holes programmed into it. That's a rapid 
movement of technology because of the Federal Government.
    And then if you look at the rest of the DOD, they can't 
find $1 trillion worth of stuff and they've got an ancient, 
Stone Age procurement and personnel and payroll system and all 
of this other stuff. It's just abysmal. You've got the best and 
the worst all in the same five-sided building and so that's 
where I'd like to see us go. Instead of focusing on let's catch 
everybody up and make sure that we're fine with 2003 computers, 
let's get them to the next step.
    Mr. Johnson. I'm not a defense specialist by any stretch of 
the imagination, but I know there's been a lot of talk about 
skipping generations of technology in the defense world and 
because of these major weapons systems it does take 10, 20, 30 
years oftentimes to bring them to full utilization and by then 
the technologies change dramatically and so, a lot of attention 
is being paid to that at the Defense Department.
    Mr. Putnam. I'm going to keep going. Ms. Evans, I 
understand that you have developed a new way to fund the 
Government through GSA surplus revenues. Could you discuss this 
a little bit further for us?
    Ms. Evans. Well, the way that the President's budget is put 
together this year for fiscal year 2005 is that we have the $5 
million that we're going back and asking for that. That has 
been previously appropriated, not this year. We got $3 million, 
but the previous year we had $5 million.
    We're looking to use surpluses in the GSA supply fund and 
the thought process behind that was that fund is built on 
transactions that occur from the agencies as GSA does services 
for them. And since the E-Government Fund is really to then go 
back and reinvest into the agencies and really serve as an 
innovation fund similar to what like a venture capitalist fund 
would be like, then we thought that the agencies should be able 
to benefit from the dollars that they've already spent and then 
reinvest back into the agencies so that they would then be able 
to move forward with the common solution, whatever a pilot 
program may be. And use that as we have the formal budget 
process, catch up with the planning and the execution of the 
long-term solution.
    Mr. Putnam. So you do see that as potential long-term 
solution, not just a 1-year event. How successfully have we 
ingrained in IT managers' and CIOs' minds the importance of 
building cybersecurity into their new systems and how would you 
rate where we are on that?
    Ms. Evans. That is actually highlighted as well in the 
fiscal year 2005 budget. It's in the chapter associated with 
information technology and we did set a specific goal for 
ourselves of trying to achieve that which was again 80 percent 
of the systems would have that appropriately budgeted for in 
the life cycle. To date, we're just slightly over 60 percent 
and so we are still targeting to have 80 percent of the major 
systems have cybersecurity budgeted for it. So we are still 
shooting for that target. We missed it for the calendar year, 
but we are pushing the agencies forward for that.
    Mr. Putnam. And is there a common approach to cybersecurity 
for all the new systems? Obviously, it varies by mission but 
when a--walk me through the process of governmentwide what the 
reaction is when a new virus or worm is identified and begins 
to move. How quickly can the entire Federal Government either 
apply the new patch or take the appropriate measures to protect 
their systems? How quickly can we get that information out 
there and how consistent is our response?
    Ms. Evans. We work very closely with the CIO Council and as 
well as with DHS and as DHS has moved forward, they actually 
have now taken over what is FedCIRC. And so FedCIRC then 
notifies the agencies and there are multiple levels of which 
they get notification that there is a new virus out there.
    And so then what will happen is to ensure that we hit at 
all levels and I'm sure that you're aware that DHS has also 
started a new forum which will complement the CIO Council which 
is the Chief Information Security Officers Forum, to then 
continue to talk about best practices to do that. But it does 
vary from agency to agency, depending on what types of services 
they have in place and how those operations from a corporate 
level, as well as by program specific level, within an agency 
are handled.
    So if they have a very centralized approach, then the 
dissemination of a patch can happen very quickly. If they have 
a very decentralized approach, then it takes a little bit 
longer for the CIO and the Headquarters Operation to have full 
accounting of how a patch is applied.
    Mr. Putnam. I guess what concerns me is the number of 
agencies and departments out there who don't know everything 
they have. So even if everybody is doing everything they can 
you still have a pretty gaping hole in your readiness, don't 
you? Because people forget about the server that's out in Iowa 
or down in Florida, that all of these machines that over the 
years have accumulated and are still on the network that just 
don't know where they are according to, at least, our scorecard 
and FISMA.
    Ms. Evans. Well, cybersecurity is multi-tiered. The way 
that you manage the cybersecurity posture of a department or 
the government as a whole is very--it's multi-tiered. So 
applying a patch or when there's things dealing with viruses, 
those are very technological types of approach. But 
cybersecurity starts at day 1 when an employee enters into the 
Federal work force. Or, if an employee enters into any type of 
facility, there is a whole piece associated with cybersecurity 
that deals with education and how best to secure your own 
asset. So even though as you said, there's huge gaping holes of 
how we manage from a centrally postured type of approach, each 
person is responsible again and has responsibilities to 
manage their portion or their asset going forward.
    So if I'm an individual system administrator down in a 
field office operation that maybe a CIO may not know that my 
particular server is there, based on the way our security 
programs work and our education programs work within the 
Department, I am responsible as the system administrator to 
ensure the cybersecurity posture of the resources that have 
been assigned to me.
    So that is done and that education is done as new employees 
come and that level of education is commensurate with the level 
of responsibility that you have for your Federal assets.
    Mr. Putnam. How safe--excuse me, how comfortable are you 
with our access management issues in terms of being able to get 
on to the systems as a new employee. How long does it take to 
process that new name in the system and give them access to the 
things they need to have access to and only the things that 
they need to have access to. How are we dealing with access 
management?
    Ms. Evans. That is now currently being reviewed. And it 
always can improve because as you also probably know that 80 
percent of security vulnerability in types of attacks and all 
types of things that happen, usually happen internally. They 
don't normally come from the outside; 80 percent of the 
problems are internal and usually are related to education of 
employees or unauthorized access.
    OMB did release in December of this year guidance out to 
the agencies to really look at the process to go forward to 
support our E-Authentication Initiative which talks about 
identity management as well as authorized access. And it's 
asking the agencies to look at each of the systems that are in 
place, what level of access do they really need to have and 
then go forward to ensure that there's adequate security that's 
in place with that and they have to report back to us on that 
for their major systems. I believe it's at the end of this 
year. And then do the rest of the systems. But this is all in 
support of what the question that you're asking right now. We 
need to make sure that the agencies have a good handle as an 
employee comes on board that based on--is that the right 
employee, do they have the right clearances and then are they 
authorized to access those systems and that's what we're 
working with the agencies now on.
    Mr. Putnam. And conversely, how quickly can we terminate 
their access?
    Ms. Evans. Right, absolutely and that is all part of the 
same process.
    Mr. Putnam. I'm also reminded that we have in October, 
somewhat related to your role, a deadline for foreign visitors 
to this country, that if they don't have a passport with a 
biometric they will have to get a visa to come in, even from 
current nations who are visa-waiver nations and that has 
Floridians and the tourism industry a little bit concerned 
because they don't think that too many countries are going to 
be in that position and frankly, our country with our 
passports, are a long way in being in that position, and so 
from a management inside of OMB that's an issue that all of us 
are going to have to deal with as we move forward.
    Mr. Clay, do you have any additional questions or comments?
    Mr. Clay. I have no further questions.
    Mr. Putnam. Do you all have anything that you would like to 
add that we haven't dealt with or anything that you'd like to 
mention?
    Mr. Johnson. Just one comment, one of you used the phrase a 
minute ago about that even though an agency might be doing all 
that it can, we try not to fall back on. We're working as hard 
as we can. We're doing everything possible. That's not--it's 
like there's not a CIO that should not be an excuse. We're 
working as hard as we can. That should not be an excuse.
    We should have a definition of success in a given 
timeframe. We want to be 80 percent secure by a certain date. 
That's our goal. And if we don't have the resources to do that, 
we need to get those resources.
    When we say that we're at 60 some odd percent security now, 
some agencies are 90 plus. Some are at 30. It's not that 
they're all hovering around 60. There is a wide disparity in 
security here and there's no excuse why some of those agencies 
that are in the 30's are there and we need to make sure they 
get caught up.
    Mr. Putnam. We're certainly prepared to do whatever it 
takes to help you get them there. We appreciate your efforts.
    Ms. Evans, Mr. Powner, thank you very much. This has been a 
good hearing and we stand adjourned.
    [Whereupon, at 3:22 p.m., the hearing was adjourned.]

                                 
