b"<html>\n<title> - FEDERAL INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT, STRATEGIC PLANNING, AND PERFORMANCE MEASUREMENT: $60 BILLION REASONS WHY</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n    FEDERAL INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT, STRATEGIC \n     PLANNING, AND PERFORMANCE MEASUREMENT: $60 BILLION REASONS WHY\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION\n                POLICY, INTERGOVERNMENTAL RELATIONS AND\n                               THE CENSUS\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 3, 2004\n\n                               __________\n\n                           Serial No. 108-164\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n94-773                      WASHINGTON : DC\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. 
Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\nCHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nMARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nDOUG OSE, California                 DENNIS J. KUCINICH, Ohio\nRON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois\nJO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts\nTODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri\nCHRIS CANNON, Utah                   DIANE E. WATSON, California\nADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland\nJOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California\nNATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, \nCANDICE S. MILLER, Michigan              Maryland\nTIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of \nMICHAEL R. TURNER, Ohio                  Columbia\nJOHN R. 
CARTER, Texas                JIM COOPER, Tennessee\nMARSHA BLACKBURN, Tennessee          ------ ------\n------ ------                                    ------\n------ ------                        BERNARD SANDERS, Vermont \n                                         (Independent)\n\n                    Melissa Wojciak, Staff Director\n       David Marin, Deputy Staff Director/Communications Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n          Phil Barnett, Minority Chief of Staff/Chief Counsel\n\n   Subcommittee on Technology, Information Policy, Intergovernmental \n                        Relations and the Census\n\n                   ADAM H. PUTNAM, Florida, Chairman\nCANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri\nDOUG OSE, California                 DIANE E. WATSON, California\nTIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts\nMICHAEL R. TURNER, Ohio\n\n                               Ex Officio\n\nTOM DAVIS, Virginia                  HENRY A. WAXMAN, California\n                        Bob Dix, Staff Director\n                 Chip Walker, Professional Staff Member\n                         Juliana French, Clerk\n            Adam Bordes, Minority Professional Staff Member\n\n\n                            C O N T E N T S\n\n                              ----------                              \nHearing held on March 3, 2004\nStatement of:\n    Johnson, Clay, III, Deputy Director for Management, Office of \n      Management and Budget; Karen Evans, Administrator, Office \n      of Electronic Government and Information Technology, OMB; \n      and David A. Powner, Director, Information Technology \n      Management Issues, U.S. General Accounting Office
\nLetters, statements, etc., submitted for the record by:\n    Evans, Karen, Administrator, Office of Electronic Government \n      and Information Technology, OMB, prepared statement of\n    Johnson, Clay, III, Deputy Director for Management, Office of \n      Management and Budget, prepared statement of\n    Powner, David A., Director, Information Technology Management \n      Issues, U.S. General Accounting Office, prepared statement \n      of\n    Putnam, Hon. Adam H., a Representative in Congress from the \n      State of Florida, prepared statement of\n\n \n    FEDERAL INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT, STRATEGIC \n     PLANNING, AND PERFORMANCE MEASUREMENT: $60 BILLION REASONS WHY\n\n                              ----------                              \n\n\n                        WEDNESDAY, MARCH 3, 2004\n\n                  House of Representatives,\n   Subcommittee on Technology, Information Policy, \n        Intergovernmental Relations and the Census,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 1 p.m., in \nroom 2154 House Office Building, Hon. Adam H. Putnam (chairman \nof the subcommittee) presiding.\n    Members present: Representatives Putnam and Clay.\n    Staff present: Bob Dix, staff director; John Hambel, senior \ncounsel; Chip Walker, professional staff member; Juliana \nFrench, clerk; Suzanne Lightman, fellow; Adam Bordes and David \nMcMillen, minority professional staff members; and Jean Gosa, \nminority assistant clerk.\n    Mr. Putnam. A quorum being present, this hearing of the \nSubcommittee on Technology, Information Policy, \nIntergovernmental Relations and the Census will come to order. 
\nI want to thank everyone for being here and welcome you to the \nsubcommittee's kickoff hearing for 2004.\n    Today's hearing is appropriately entitled, ``Federal \nInformation Technology, Investment Management, Strategic \nPlanning and Performance Measurement: $60 Billion Reasons \nWhy.'' Today's oversight hearing sets the foundation for the \nrange of oversight hearings we have planned for the remainder \nof the year in the areas of electronic governance, enterprise \narchitecture, interoperability, information sharing and, \nperhaps most importantly, cybersecurity.\n    Last year, this subcommittee held 22 hearings to review the \nprogress being made by the Federal Government in these specific \nIT areas. While the subcommittee individually examined each \nsubject matter in detail at those hearings, it became clear as \neach hearing passed that addressing any particular IT challenge \nis not only related to other competing IT challenges, but also \nmust be resolved simultaneously and in an integrated way with \nall others.\n    This is without doubt a difficult challenge that requires \nthe ultimate combination of managing our IT investments \neffectively, planning strategically, and measuring performance \nappropriately.\n    The purpose of this afternoon's hearing is to provide the \nsubcommittee with a clearer understanding of the policies, \nprocesses and procedures that now determine the Federal \nGovernment's annual investment in IT.\n    Four weeks ago, the President sent his fiscal year 2005 \nbudget to Congress, a budget requesting $60 billion in spending \nfor IT products and services. Underlying this request are a \nseries of acts that have established principles for sound IT \nmanagement within the Federal Government.\n    For many years, the Federal Government pursued an IT agenda \nthat did not necessarily emanate from customer service or sound \nbusiness practices. 
``Stovepiped'' solutions, proprietary \nsystems and a lack of interoperability or even plans to \ninterface with other systems were considered ordinary and \nacceptable conditions.\n    A list of congressional legislation, initiatives and \nguidance since 1996, including Clinger-Cohen Act, the E-Gov Act \nand FISMA have led to changes that provide OMB with the \noversight flexibility needed to coordinate, manage, plan and \nmeasure results emanating from its IT investments made across \nthe Federal Government.\n    Put another way, OMB was given the responsibility and \nauthority to function as the check and balance on a Federal \nGovernment IT culture that long accepted agency claims that \ntheir system absolutely required a unique solution, unique \nsoftware, unique hardware, unique staff, unique business \nprocesses and could never interface with other systems.\n    Additionally, past agency claims that IT performance and \nagency performance are two separate issues have taken a \ndifferent course due to Clinger-Cohen and the E-Gov Act.\n    To what extent IT management and agency performance are \nappropriately tied is an important question that deserves this \nsubcommittee's attention. OMB has taken a number of steps \nthrough budget guidance, memoranda and circulars to ensure \nagencies unify behind effective IT planning, cross-agency \nsolutions and elimination of redundancies.\n    Perhaps the most visible initiative, matching agency \nperformance measurements with overall IT investment, is \nembodied in the President's management agenda. I'm particularly \npleased that Clay Johnson, the President's Deputy Director for \nManagement at OMB, will be testifying today to discuss progress \nbeing made in this area. We're also delighted to have with us \nKaren Evans, Administrator of E-Government and Information \nTechnology, OMB. In addition to connecting agency performance \nto IT spending, I look forward to this afternoon's dialog with \nMs. 
Evans regarding the results of enhanced OMB budget guidance \nto agencies in preparing their 2005 request, the results of \nutilizing a Federal enterprise architecture and planning, the \nresults of OMB's review of agency IT business cases, the \nresults of utilizing E-Government and the results of pursuing \nconsolidation of duplicative systems.\n    As I mentioned earlier, cybersecurity is one of the primary \nfactors that must be woven into any IT spending plan. As such, \nthe subcommittee will review the steps taken this year by OMB \nin preparing its 2005 budget submission to further enhance the \nsecurity of Federal information networks and protect the \ninformation they contain in accordance with FISMA.\n    The General Accounting Office has also joined us to share \ntheir recent findings and recommendations on improving the \nlinkages between IT's strategic planning, performance measures \nand investment management as required by Clinger-Cohen.\n    While individual congressional appropriations subcommittees \nand some authorizing committees have kept an eye on projects \nand programs within their purview, very few congressional \nhearings have taken place to examine the cross cutting \nhorizontal picture of investing $60 billion on IT more wisely \nby coordinating and collaborating across traditional agency \nboundaries.\n    From the congressional perspective, we have passed our \nshare of laws requiring OMB to coordinate IT expenditures. In \naddition to making sure the Federal Government is on course, \nthis hearing provides Congress an opportunity to improve our \nown IT spending decisions. 
We need to be authorizing and \nappropriating our taxpayer dollars on IT based on the same \ncross agency collaborative methodology that we require of OMB \nand agencies in their budget submissions.\n    While I recognize every Member of Congress comes to \nWashington with a different set of priorities, I encourage my \ncolleagues to join me this afternoon to reflect on IT \ninvestment in a comprehensive and cross-cutting manner instead \nof by program or by function, just as we ask this afternoon's \nwitnesses to do every day.\n    At the appropriate time we will yield to the gentleman from \nMissouri, the ranking member, Mr. Clay, for his opening remarks \nand any other Members who choose to join us this afternoon.\n    With that we will move directly into the testimony as is \nthe custom for the Subcommittee of Government Reform, I would \nask the witnesses to please rise and raise your right hand to \nbe sworn.\n    [The prepared statement of Hon. Adam H. Putnam follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4773.001\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.002\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.003\n    \n    [Witnesses sworn.]\n    Mr. Putnam. I note for the record that all three witnesses \nresponded in the affirmative. And we will begin with Mr. \nJohnson. Clay Johnson is the Deputy Director for Management at \nthe Office of Management and Budget responsible for providing \ngovernmentwide leadership to executive branch agencies to \nimprove agency and program performance. He was previously \nAssistant to the President for Presidential Personnel, \nresponsible for the organization that identifies and recruits \napproximately 4,000 senior officials, middle management \npersonnel and part-time Board and Commission Members. From 1995 \nto 2000, Mr. Johnson had the pleasure of working with Governor \nGeorge W. 
Bush in Austin, first as his appointments director, \nthen his chief of staff and finally as the executive director \nof the Bush-Cheney Transition.\n    Mr. Johnson, you clearly have the ear of the President. We \nare honored to have you with us this afternoon. We appreciate \nthe work that you have performed for the Federal Government and \nif you will pause for just 1 second. Let me check on the status \nof votes.\n    [Pause.]\n    Mr. Putnam. Very good. We are expecting votes somewhere \nbetween 1:30 and 2:15 so hopefully we can certainly get through \nthe opening remarks before we have to interrupt you and I \napologize for that. That's unfortunately the way we run the \nrailroad around here.\n    Welcome to the subcommittee and thank you for being here.\n\nSTATEMENTS OF CLAY JOHNSON III, DEPUTY DIRECTOR FOR MANAGEMENT, \n OFFICE OF MANAGEMENT AND BUDGET; KAREN EVANS, ADMINISTRATOR, \n  OFFICE OF ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, \n  OMB; AND DAVID A. POWNER, DIRECTOR, INFORMATION TECHNOLOGY \n       MANAGEMENT ISSUES, U.S. GENERAL ACCOUNTING OFFICE\n\n    Mr. Johnson. Mr. Chairman, thank you. Thank you for having \nKaren and me here. I believe, the President believes that the \nFederal Government is in the process of becoming results-\noriented. If you asked 10 or a 100 people to raise their hand \nif they think the Federal Government is results-oriented, not \nmany of them would do that. I think all of us, agencies, \nexecutive branch, legislative branch are in the process of \nchanging that.\n    Traditionally, the Federal Government is focused on the \namount of money we spend on a problem or opportunity as a \nmeasure of our commitment to dealing with that problem or \nopportunity. 
It's harder, but more relevant to focus on what we \nactually get for the money we spend and if that's not \nsatisfactory, if what we're getting is not satisfactory, \nfiguring out what we do about it.\n    This is the approach we're taking with our IT investments, \nand early as you said, $60 billion in IT investments. We are \nnot perfect. We continue to improve each year. One of the \nreasons I believe that we are going to see significant \ncontinued improvement, if not accelerated improvement this next \nyear in the IT management, investment management area is \nbecause Karen Evans has come over, we've enticed her away from \nthe Department of Energy to head up this office. She's a 20 \nplus year employee of the Federal Government and knows what \ngoes on in agencies and knows the way it used to be and has a \ngood taste for the way it can be and has tremendous credibility \nwithin the IT community and the Federal Government. And so I \ncan't imagine a better person to head up our efforts at this \ntime to continue to lead this effort in the direction that we \nall want it to go in. So you're going to hear me today refer a \nwhole lot of questions and comments to Karen, but I know that's \nwhat you expected when you invited me to come up here, but I'm \nglad to be up here.\n    [The prepared statement of Mr. Johnson follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4773.004\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.005\n    \n    Mr. Putnam. At this time we'll recognize Ms. Evans. On \nSeptember 3, 2003, Karen Evans was appointed by President Bush \nto be the Administrator of the Office of Electronic Government \nand Information Technology at the Office of Management and \nBudget. Prior to joining OMB, Ms. Evans was Chief Information \nOfficer at the Department of Energy and served as vice chairman \nof the CIO Council, the principal forum for agency CIOs to \ndevelop IT recommendations. 
Previously, she served at the \nDepartment of Justice as Assistant and Division Director for \nInformation System Management. The last time Ms. Evans \ntestified before our subcommittee, we were kind enough to \nprovide her with 48 hours on the job before calling her to \ntestify. Now that she's an OMB veteran with 5 months under her \nbelt, we welcome her and look forward to hearing of the \nprogress being made to improve the management of our IT \nspending.\n    Welcome, Ms. Evans, and you're recognized for your opening \nremarks. Thank you for coming before the subcommittee.\n    Ms. Evans. Mr. Chairman and members of the subcommittee, \nthank you for inviting me here today. My remarks will focus on \nthe administration's strategy and progress in planning, \nmanaging and measuring the results of the Government's \ntechnology investments on the successful results of the \nPresident's E-Government Initiatives and on the impact of the \nFederal Enterprise Architecture [FEA].\n    The President's 2005 budget includes nearly $60 billion for \nIT and reflects this administration's commitment to defense and \nhomeland security. This budget also shows our continuing work \nin exercising fiscal responsibility without sacrificing \nresults. We are reaffirming the administration's commitment to \nresults-oriented management by reducing duplication in IT \nspending while improving service delivery for the citizen. Of \nthe nearly 1,200 major projects included in this year's budget, \n621 representing about $22 billion are on a ``management watch \nlist.'' These include mission-critical projects that need to \nimprove performance measures, project management and/or IT \nsecurity. 
The fiscal year 2005 budget requires agencies to \nsuccessfully correct identified project weaknesses and business \ncase deficiencies or OMB will limit spending on new starts and \nother developmental activities.\n    Ensuring the security of the Federal Government's \ninformation and systems is a critical element of effective and \nresponsible IT management. The Federal Information Security \nManagement Act [FISMA], requires agencies and Inspector \nGenerals to review and evaluate agency IT security programs and \nsystems each year and to report their results to OMB and the \nCongress. Both FISMA and the longstanding OMB policy direct \nagencies to fund IT security throughout the life cycle of every \nsystem and to develop remediation plans for all systems with IT \nsecurity weaknesses.\n    OMB used the information from the annual FISMA reports and \nquarterly remediation updates to directly influence the fiscal \nyear 2005 budget process as well as to prioritize fiscal year \n2004 expenditures. Agencies with significant weaknesses in \ninformation and systems security were directed to remediate \noperational systems prior to spending fiscal year 2004 \ndevelopment or modernization funds. If additional resources are \nneeded to resolve those weaknesses, agencies are to use their \n2004 development funds. These steps underscore the President's \ncommitment to security and privacy.\n    The fiscal year 2005 E-Government priorities and IT \nresource levels reflect activities in which we are presently \nengaged with the agencies. For example, agencies must now \nreview all commercial software acquisitions for possible \ninclusion into the SmartBuy program which is designated to \nleverage government purchasing power and reduce redundant \npurchases. Further, the appropriate agency acquisition official \nmust review all planned IT acquisitions over $2 million to \nensure the acquisition does not duplicate any E-Government \ninitiative. 
Agencies may only complete an acquisition found to \nbe duplicative with my prior approval.\n    In addition to using the ``find and apply'' solutions of \nthe Grants.gov initiative, fiscal year 2004 new planning and \ndevelopment dollars are being redirected to develop an action \nplan, solution and architecture for an agency's grants \nmanagement system that will integrate to a governmentwide \nsolution by September 1, 2004.\n    Finally, agencies have been asked to redirect all planning \nand acquisition dollars for core financial systems in fiscal \nyear 2004 toward developing standards and architecture for a \ngovernmentwide solution.\n    We first used the Federal Enterprise Architecture in \nformulating the fiscal year 2004 budget. Using the business \nreference model, we identified six major service areas with \nover $6.8 billion of IT investment funding that seemed to offer \npotential for the governmentwide collaboration, consolidation \nand savings.\n    The Department of Health and Human Services is leading \nefforts to identify specific health-related work areas where \ntechnologies can be leveraged leading to real cost savings. All \nof the major Federal investigative agencies, led by the \nDepartment of Justice, are working to identify opportunities to \nuse shared technology tools to support their case management \nneeds and in the area of financial management, the Departments \nof Energy and Labor are leading a cross-agency taskforce to \nachieve seamless data interchange among partner agencies, \nreduce acquisition expenditures and plan for a common \narchitecture that includes standardized data structures, \nbusiness processes across government for core financial \nsystems.\n    For the fiscal year 2005 budget, we identified further \nareas within the Federal Government that have potential for \nsubstantial collaboration and consolidation and where the \nagencies are using the same technology components. 
As a result, \nwe can target many of those technologies for government-wide, \nenterprise licensing through the SmartBuy program.\n    The administration will continue to work collaboratively \nacross the agencies and with Congress and I look forward to \nworking with you on these matters and would be happy to take \nquestions.\n    [The prepared statement of Ms. Evans follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4773.006\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.007\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.008\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.009\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.010\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.011\n    \n    Mr. Putnam. Thank you very much, Ms. Evans. Our next \nwitness is David Powner. As Director of GAO's Information \nTechnology Management Issues, David Powner is responsible for \nGAO's review of Federal IT systems development and IT \ninvestment management. Prior to his current position at GAO, he \nspent a number of years with Quest Communication where he \ndirected their information technology and financial audits, as \nwell as overseeing DSL software development efforts. His \nprevious work at the GAO includes reviews of its software \ndevelopment, information security and enterprise architecture \nprogress at the Air Force, FAA and National Weather Service.\n    On February 12th, Mr. Powner and his colleagues at GAO \nreleased a report that I requested, along with Chairman Davis \nand Senate Chairman Collins, entitled, ``Information Technology \nManagement, Government-wide Strategic Planning, Performance \nMeasurement and Investment Management Can Be Further \nImproved.''\n    We look forward to your recommendations and your comments \non GAO's findings and the conclusions that were in that report. \nYou're recognized for your opening statement.\n    Mr. Powner. Chairman Putnam, we appreciate the opportunity \nto testify on Federal IT strategic planning, performance \nmeasurement and investment management. 
With $60 billion spent \nannually on Federal information technology, having sound \nstrategic plans, associated performance measures and the \nprocesses to ensure the appropriate selection and oversight of \nthese investments is essential. Our most recent review that you \njust mentioned, Mr. Chairman, showed considerable room for \nimprovement in these IT management areas.\n    As Ms. Evans just mentioned, our findings are consistent \nwith the administration's management watch list which contains \nover 600 mission-critical projects totaling $22 billion that \nare in need of improvements in the areas of performance \nmeasures, project management and/or IT security.\n    Today's request I will summarize our recently issued report \non the extent to which Federal agencies have in place important \nIT management practices. These practices are called for in \nlegislation, OMB policies and GAO guidance. I will also discuss \nhow agencies can improve in these areas.\n    Our report clearly showed mixed results. Collectively, the \n26 agencies we reviewed had less than 50 percent of the \npractices fully in place. Starting with strategic planning and \nperformance measurement, agencies generally had IT strategic \nplans and goals, but these goals were not always linked to \nspecific performance measures.\n    Moreover, few agencies monitor performance for all of their \nIT goals. Without enterprise-wide performance measures that are \ntracked against actual results, agencies lack information about \nwhether their overall IT activities at a governmentwide cost of \n$60 billion annually are achieving expected results. In the IT \ninvestment management area which involves processes for \nselecting and overseeing investments, the agencies largely have \nIT management boards in place and use selection criteria to \nchoose their investments. However, once selected, no agency had \npractices associated with the oversight of IT investments fully \nin place. 
Such oversight is essential to periodically ensure \nthat as projects are pursued and funds are spent, the projects \nare tracked to the benefits promised at expected costs, within \nproposed timeframes and at an appropriate level of risk.\n    This periodic oversight with key milestones also provides \nan ideal opportunity to ensure that investments continue to be \naligned with enterprise architectures and are adequately \naddressing information security requirements. Without this \nexecutive level oversight of project activities, agencies lack \nassurance that investments are on track and are continuing to \nmeet mission needs. Nor is there necessarily an early warning \nmechanism to flag underperforming projects so that corrective \nactions can be pursued before projects are out of control.\n    To help agencies improve their performance in these IT \nmanagement areas, we made over 200 recommendations to the \nagencies in our review. Overall, agencies agreed with our \nrecommendations and many have planned actions to pursue them. \nIn addition, at today's hearing, we are releasing our latest \nversion of our IT Investment Management framework. This \nframework identifies and organizes critical processes for \nselecting, overseeing and evaluating IT investments and offers \norganizations a useful tool for improving their IT investment \nmanagement processes in a systematic and organized manner.\n    First issued as an exposure draft several years ago, this \nnew version incorporates lessons learned from our use of the \nframework in our agency reviews, comments from users, as well \nas comments from public and private sector experts on IT \ninvestment management.\n    In summary, our report shows that Federal agencies have \nsome aspects of strategic planning and performance measurement \nin place, namely strategic plans, goals and investment boards. 
\nHowever, to ensure that the Government's investment in IT is \nnot wasted, considerable improvements are needed in the areas \nof performance measurement and the oversight of these \ninvestments. This can be accomplished in part through the \nexpeditious implementation of our recommendations and adoption \nof best practices like our IT investment management framework.\n    We look forward to working with you, Mr. Chairman, and your \ncontinued oversight of these and other IT management areas. \nThis concludes my statement. I'd be happy to respond to any \nquestions that you have.\n    [The prepared statement of Mr. Powner follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4773.012\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.013\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.014\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.015\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.016\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.017\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.018\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.019\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.020\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.021\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.022\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.023\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.024\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.025\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.026\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.027\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.028\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.029\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.030\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.031\n    \n    [GRAPHIC] [TIFF OMITTED] T4773.032\n    \n    Mr. Putnam. Thank you very much, Mr. Powner, and we \ncertainly have some. I'd like to begin with Mr. Johnson. You \nhave experience in the private sector, experience in State \ngovernment and probably more experience in Federal Government \nnow than you ever wanted. 
Tell me, explain if you would, where \nyou think the President's management agenda is, where some of \nthe successes have been and frankly, what the greatest \nobstacles continue to be and perhaps some ways where Congress \ncan help.\n    Mr. Johnson. Regarding IT?\n    Mr. Putnam. Let's start in general. Let's start out here \nand then work our way into IT. Ms. Evans, I think, is going to \nhave plenty of questions on IT, but while we have you, I'm \ncurious to know just, in general, on the agenda.\n    Mr. Johnson. When the President's management agenda was \nintroduced in August 2001, thinking in terms of the scorecard \nthat we use, 130 scores, 5 initiatives, 26 agencies, 110 of \nthose were red. About half of them are red now and by this \nsummer, 3 years after the beginning of the introduction of the \nagenda, I would guess there might be 30 or 40 reds. The average \nagency 2 plus years ago was red, the way we keep score. The \naverage agency, this summer, 3 years later, will be yellow and \nif you look at the description of what a yellow agency is, it's \na very different place. It's much more focused on results. It's \na different place to work for. It's a different place to be \nserved by if you're a citizen or taxpayer. It's a different \nplace for Congress to interact with and I would suggest better \nin all instances and that's just at yellow. And the next step \nis to go to green.\n    We're pleased with those, the progress that's been made. \nOne of the things that's interesting is that every component \npart of what it takes to be green has been in every subpart of \nevery initiative has been achieved by at least one agency. So \nwe know that everything that we say is required to be green is \nreally advanced state of management practice, is physically \npossible. 
Some part of the Federal Government has demonstrated \ntheir physical ability to do that, so it's not a question of \ncan we do it, it's a question of how we do it and how quickly \nwe can do that.\n    The agencies own this. It began as the President's \nmanagement agenda. I think it's become the agencies' management \nagenda. I think that the employees at the Interior Department \nand HHS and etc., realize that it's better to work for a \nresults-oriented organization than it is for one that's not. \nThis is good for them and I think they have embraced it in \nalmost every case and so the pace of implementation is \naccelerating.\n    So we are pleased with the progress to date. There's still \na lot of progress to be made and one of our primary \nresponsibility is to help agencies get to where they want to \nbe. They have identified, they're starting to identify now \nlonger term goals, where they'd like to be a year from now, 2 \nyears from now. And so OMB started off pushing them a quarter \nat a time. Now we're helping them get to where they want to be.\n    So we can do this. We can get to where you, we, all want \nthe IT part of this agenda to be, and it's just a question of \nmaking sure there's plenty of rigor, plenty of discipline, \nplenty of attention. There's a lot of check and balance. \nThere's things we can do to make sure that agencies understand \nwhat the goal is, understand the importance of qualified \nmanagement people, understand the importance of security and \nthere are ways of making sure that they don't spend money on \nother things until they've taken care of that and we just to \nmake sure that those disciplines are, in fact, enforced and \nthat the proper attention is paid to all of these three or four \nmost important parts of getting our IT management to where we \nall want it to be.\n    Mr. Putnam. 
On the IT side, we spent an awful lot of time, \nin fact, it probably comes up in every single hearing we have, \nlamenting the fact that our IT issues are not technological \nproblems. They're not even financial hurdles. They're cultural. \nThey're institutional barriers to change. And in our little \ncommittee scorecard and on FISMA and other ways of kind of \nmeasuring these things we find that when the Secretary of the \nrespective department makes the President's management agenda a \npriority, then things happen. And what I really don't have a \ngood feel for is who keeps that on their agenda. Does it happen \nin Cabinet meetings? Does it happen at the chief of staff \nlevel? Is that what you do all day? Who keeps pushing these \nissues to keep the President's management agenda, the mechanics \nof operating the Government, even though in Treasury you're \nworried about collections and you're worried about the falling \ndollar and in Justice you're worrying about protecting this and \nall these kinds of things. Everybody has their own problems \nassociated with the mission, but who reminds them to keep their \neye on the ball of the mechanics and the process of making \nGovernment work smarter?\n    Mr. Johnson. Well, all that you mentioned. In fact, I \ntalked to Brian Montgomery who is the person, the Cabinet \nSecretary in the White House. The President has, I think it's \nquarterly, maybe monthly meetings with each Cabinet Secretary, \nwhether he needs to or not, whether they need it or not. And \nevery time he meets with them he asks them and inquires about \ntheir status on the President's management agenda and are they \npleased with their progress. It comes up at Cabinet meetings. \nAt their Cabinet meeting in January, I think the Attorney \nGeneral talked about his scorecard and the next person to talk \nwas John Snow, Secretary Snow who's got five reds. It was a \nvery difficult 2 minutes for the Secretary. 
In fact, the next \nweek the Secretary called me. We went to have lunch and he was \nseeking advice on how to get the Department of Treasury out of \na red status state. So a little public shame and humiliation \nwithin the Cabinet and outside also keeps their attention.\n    I work directly with the Chief Operating Officers, the \nDeputies in most cases, of the agencies and we are in constant \ncommunication on all of the President's management agenda items \nand again, helping them get to where, as I said, they want to \nbe. And they all have very aggressive goals for their agencies. \nThese are all competitive people and they also want to do the \nright thing. They want to leave a good, strong legacy and so \nit's not like we're trying to get them to pay attention. It's \nlike we're trying to help them get to where they want to be.\n    So I'm working at it on the operating standpoint that \nCabinet Secretaries are reminded in informal meetings and at \nCabinet meetings, not every Cabinet meeting, but they talked \nabout it at the January Cabinet meeting I know for sure. So \nit's all of the above.\n    And the public quarterly scorecard puts that out there for \nall to see and make of it what they will.\n    Mr. Putnam. Thank you. Clinger-Cohen was enacted 8 years \nago and it gave OMB responsibility and the authority to raise \nthe concerns that are addressed in the GAO's findings and, \nafter 8 years, the results are mixed as the report and Mr. \nPowner indicated.\n    And Clinger-Cohen holds OMB responsible. Rightly or \nwrongly, they're the designated, the buck stops with you all. \nHow do you respond to some of the findings of this GAO report?\n    We'll begin with Mr. Johnson.\n    Mr. Johnson. It's better. It's kind of like our situation \nwith homeland security. It's a whole lot better than it used to \nbe. It's not good enough. And 20 some odd percent of our \nsystems used to be secured. It's now 62. Our plan is for it to \nbe 80 this year. 
Our plan is for it to be this year 80. The \ngoal to be green in our--keeping scores--all but 90 percent of \nall the systems be secure. We have whatever it is half of the \nsystems that are on the watch list. That's unsatisfactory. \nWe're doing a better job this year of putting restrictions on \nagencies via apportionment, via whatever mechanisms we have to \nmake sure that they address security matters, quality of \nmanagement matters, quality of business case matters before \nthey spend development moneys on new systems.\n    So we're trying to put more rigor, more discipline, more \ncheck and balance into the enforcement of these mechanisms this \nyear than we even have done in the past and I have confidence, \nplus the fact that Karen is there, that we will continue to \nmake progress on this.\n    The progress, particularly in the security area is not what \nwe planned for it to be this year, but we intend to correct \nthat.\n    Mr. Putnam. Ms. Evans, do you wish to add anything to that?\n    Ms. Evans. I think that Mr. Johnson has clearly summed up \nwhere our priorities are and what we are doing is using the \nmechanisms that are available to us as OMB to ensure that the \nagencies are really adhering to what the goals of the \nadministration are, so that we can adequately address this, we \ndo the recommended actions that are in the GAO report that next \ntime this is evaluated that you will see that it is implemented \nversus the mixed results that it currently demonstrates.\n    Mr. Putnam. The GAO mentioned in their testimony that most \nagencies do not have information resources, management plans \nthat are supposed to address privacy records management, \ninformation collection. 
Half the agencies told GAO they would \nlike to see additional guidance on the content of those plans \nand at the same time the 2005 budget document discusses the \nOMB's evaluation of their IRM practices.\n    How does OMB evaluate those plans that GAO says are not \ncomplete and do you share their opinion that they're \nincomplete?\n    Ms. Evans. There are several requirements that are on the \nagencies as far as how they need to manage their overall IT \ninvestments. The IRM strategic plan is one of many plans that \nthe agencies submit. As far as the recommendation about OMB \noffering additional guidance as far as strategic plans, we're \nevaluating that now. We did tell GAO orally that we didn't plan \nto give them more specific guidance, but that we were \nevaluating our overall guidance that we give out in A-11 and A-\n130 as far as how the agencies would move forward and how they \nwould manage their IT portfolio overall.\n    So what we're doing now is in our post mortem of fiscal \nyear 2005's budget submission, we're looking at what guidance \nneeds to be supplemented and then update that and we'll be \nworking with the agencies through the CIO Council to issue \ndraft guidance shortly to address some of the concerns that \nwere in here. But right now, we do not specifically intend to \njust address IRM strategic plans, but really to address \nguidance as a whole for portfolio management.\n    Mr. Putnam. Mr. Powner, do you want to address this?\n    Mr. Powner. One comment I think OMB does deserve a fair \namount of credit through the budget submission process, the 300 \nprocess that most folks refer to, we found in our review that \nthe questions that they asked on the front end when the budgets \nare submitted, that agencies generally have those practices in \nplace. 
I think where a lot of attention and focus needs to go \nnow is once we prioritize and select investments and we decide \nto march forward, that's where we started seeing the rigor and \nthe practices not really being in place. So when we have \nagencies that continually have these cost overruns and schedule \nslippages and not delivering functionality, that's where we \nreally need to put processes into place to make sure that we're \nstaying on track with the benefits promised and we're \ndelivering within cost and schedule. So OMB clearly has made \nsome strides in terms of the agency's rigor on that front end.\n    Also too, there's a fair amount of accountability that \nresides within the agencies with the CIOs. If we go back to the \nlegislation that's in place, a lot of the accountability does \nreside with the CIOs, so I think it's a combination of the two. \nOMB can do their part, but we're going to continue to push and \nensure that the CIOs are performing these functions that are \ncalled for in law and basically are called for in best \npractices in IT management.\n    Mr. Putnam. Thank you very much. The ranking member of the \nsubcommittee, Mr. Clay, is from Missouri, and when he walks in \nthe spotlights come on. If I had known that I would have put on \na little more powder.\n    You're recognized for your questions and remarks.\n    Mr. Clay. Thank you, Mr. Chairman, let me say that I'm glad \nthat this is our first meeting of the year and I'm glad to be \nback here with you. I'm glad to see the panel here today and \nthis is a pretty important subject to talk about, the IT role \nof Government, as our first meeting now for this session of \nCongress and thank you for calling it.\n    For Mr. Johnson, generally speaking, do you consider the \nGovernment's annual investment of roughly $60 billion in IT an \nadequate level of funding or are we spending too much on IT \nsystems and not enough on implementing and training? 
Should the \namounts be adjusted to an appropriate level in order to better \nintegrate new IT programs and systems at the agencies?\n    Mr. Johnson. I didn't hear the last part. Are we doing \ninvestments or should we be spending more on implementing?\n    Mr. Clay. Let's start over. Should the Government's annual \ninvestment of roughly $60 billion in IT--is it an adequate \nlevel of funding, first of all?\n    Mr. Johnson. Yes, I believe it is. Agencies requested more \nthan that, but the amount that was agreed to and budgeted for \nwas $58 point whatever it is billion. We didn't think there was \na strong enough business case for the additional $4, $5 or $6 \nbillion that were requested.\n    The agencies are challenged to achieve the goals of their \nmission, goals of their agency and they are encouraged to \nfigure out how investments in IT can help them achieve those \ngoals and so it's all supposed to be mission-specific and they \ncome to us with their recommendations and it adds up to $60 \nplus billion. We looked at it and decided that, in fact, it was \na legitimate reason to spend the $58 billion this year. So yes, \nI would say that in light of what the Federal Government's \nindividual agencies' goals are, it is an appropriate amount to \nbe spending.\n    Mr. Clay. Does the $58 billion also include implementation \nand training of employees on the system?\n    Mr. Johnson. I do not know that. Karen.\n    Ms. Evans. As the agencies prepare their business cases, \nthey're supposed to plan for the full life cycle of that \ninvestment. So that would mean that representative in that \namount does deal with depending on how they're reporting a \nbusiness case. So if it's development, if it's in the early \nstages of development or steady state which is on-going, they \nhave to reflect the full cost such as training and \nimplementation. 
So if it's a new investment, those investment \ndollars should include training and implementation of the users \nfor that system as well as cybersecurity.\n    Mr. Clay. Do we need to address the levels of \nappropriations at this point or is this adequate to $58 to $60 \nbillion? Is it adequate or do you need an adjustment on that?\n    Ms. Evans. Sir, based on the President's budget submission \nand the review that my office did in accordance with the budget \nexaminers, we believe that on the business cases, the way that \nthey have been justified, that it is an adequate level that \nreflects the administration's priorities.\n    Mr. Clay. Well put. And in your opinion do the annual \nperformance reports of the Government Performance and Results \nAct provide an adequate forum for agencies to communicate their \ninformation about IT acquisition programs or should another \ntool for such information be dedicated to the process?\n    Ms. Evans. I think right now in conjunction, the business \ncases have a fairly rigorous process associated with that and \nwith the questions that the agencies are asked about their \ninvestments, but I also--we are working very closely with \nanother part of the President's management agenda which is \nbudget and performance integration and on that particular \nelement there is an assessment tool that is also in there, the \nPART, which is the Program Assessment Rating Tool which talks \nabout the program overall. So the IT investments need to ensure \nthat they complement the way that the program is moving \nforward. And so we are really working now to ensure the \nintegration of the IT investments into the overall program \nperformance and the results that program intends to achieve.\n    So the results and the performance results that are \noutlined in the business case need to complement and enhance \nthe overall program results that we are now using the \nassessment tool for. 
So I think between those two elements, \nwe're moving forward in that we have tools that are there now \nto work with the agencies to reflect that.\n    Mr. Clay. Thank you. Mr. Powner, let me say it's my belief \nthat the investment management process is integral for \neffective program stewardship and necessary in a time of severe \nbudget constraints. Having said that, your findings indicate \nthat the absence of an agency CIO was hindering a number of \nagencies from implementing some of the recommendations made for \ninvestment management practices. Can you tell us how many of \nthe agencies detailed in the report were missing a CIO and if \nthe absence of this leadership position is common at the agency \nlevel?\n    Mr. Powner. I would have to get back to you on the exact \nnumber that were missing, the CIO, and they gave that for a \nreason why they didn't have that practice in place. We received \na number of reasons why some of these key practices were not in \nplace. Clearly, not having a CIO was one of several reasons. In \nmany instances, agencies and departments told us that it was \nclearly an oversight and they were in the process of putting \nthese practices in place.\n    Mr. Clay. How long have they been in the process of doing \nthis? I mean, how many years has it been have they been told to \nget a CIO?\n    Mr. Powner. Clearly, it differed by agency. We had agencies \ndiffer in terms of the timeframe which they've been putting \nthese in place, clearly it's been in law and required for quite \na number of years. You're absolutely correct on that, but the \nspecifics by agency, I'd need to get back to you on that.\n    Mr. Clay. OK, I'd appreciate that. Mr. Johnson.\n    Mr. Johnson. Mr. Clay, all of these agencies have had CIOs. \nIf they don't have one now it's because the person left and \nthey haven't been replaced yet. 
Not having a CIO is not an \nexcuse for not having done this.\n    Our agencies are supposed to be set up to continue to \nfunction and to continue to do good work in the absence of \nAssistant Secretary or Deputy Assistant Secretary, whatever. \nAnd the absence of a CIO should not be given as an excuse.\n    Mr. Clay. Thank you for that answer.\n    Mr. Putnam. Thank you, Mr. Clay. We have four votes pending \nwhich will be about a 30 to 35 minute delay. So, if your \nschedule will accommodate, we would ask your indulgence and \nyour patience and offer our apologies. So the subcommittee will \nstand in recess for 30 minutes, feel free to go check your e-\nmail.\n    [Recess.]\n    Mr. Putnam. The committee will reconvene and I want to \nthank you again for your indulgence and I apologize for leaving \nyou stranded for 30 minutes with the reporters. [Laughter.]\n    They had you sort of captured, but it's unfortunately, just \na part of this process.\n    We will pick up where we left off in terms of performance \nmeasures and proceed.\n    Ms. Evans, what mechanisms are in place to prepare for and \nmanage for our long-term IT needs as opposed to we're \nconstantly playing catch-up with legacy systems and eliminating \nstovepipes and all that? What process is in place to look ahead \nto see how we end up where we really need to be as opposed to \nplaying catch-up all the time?\n    Ms. Evans. With our efforts on the Federal Enterprise \nArchitecture, that really is our plan of how to move forward. \nThat effort with the reference models and then the way the \nwhole architecture process works where we'll be defining our \nto-be architecture, that is where we want to be. 
And as we \nstart using the agencies' submission of their Enterprise \nArchitectures and how they align to the Federal Enterprise \nArchitecture, we've had the opportunity, both in fiscal year \n2004 as well as 2005, to identify collaboration efforts that we \ncan see where agencies are planning expenditures, where \nagencies are planning modernization efforts and then based on \nit all coming into a central location and doing the analysis \nthat we have with the Federal Enterprise Architecture and how \nthey map to the reference models. We can then see where there \nis potential collaboration efforts and we can work with the \nagencies so that they realize that versus them doing it on \ntheir own. That cycle by having it in the budget cycle right \nnow has a 2-year budget cycle associated with it, as well as \nthe long term out year through the plans that the agencies \nsubmit with a 5-year cycle.\n    So that really is our long-term plan, to continue to use \nthe enterprise architecture efforts of the agencies as well as \nour own Federal Enterprise Architecture.\n    Mr. Putnam. And how do you then measure the success of an \nIT purchase? Is it about just simple compliance with the RFP or \nis there a performance linkage associated with it? You or Mr. \nJohnson can----\n    Ms. Evans. OK, first, there is a performance reference \nmodel contained within the Federal Enterprise Architecture. We \nreleased the first model of that and we're going to continue to \nwork, as I stated earlier with the budget and performance \nintegration team that is that part of the tenet of the \nPresident's management agenda.\n    The PART does have metrics in there that will measure the \neffectiveness of the program. The IT investments have to \nsupport that and so also within the business case, there is a \nspecific area that deals with performance measures. 
And so we \nask the agencies to ensure that those align with the reference \nmodel as well as those going forward with the PART. Also, we're \nasking the agencies and what we're working with the agencies \nnow on is earned value management which is having an EVMS \nsystem in place. That then gets to a lot of the issues that \nwere brought up in the GAO report as far as execution of \nmeasuring your expected results against your actual results, \nabout having business processes in place that will then track \nall of that so that we can say yes, this is what we thought we \nwere going to do. This is what we actually did. Or, if an \ninvestment starts to get off track, because of the way, if you \nimplement this appropriately, you'll have leading indicators \nwhich will then allow you to adjust whatever you have to adjust \non a project that is supporting the overall mission of the \nagency. So we think between the PART, the Federal Enterprise \nArchitecture and then more specifically an earned value \nmanagement system within an agency will then allow us to be \nable to match and measure planned results against actual \nresults.\n    Mr. Putnam. What are the consequences when an agency fails \nto meet their goals or their milestones or their performance \nmeasures? What consequences are there?\n    Ms. Evans. 
Right now we are using what we have available \nwhich is and several things are available, but it's \napportionment of funds and what that means is that if a project \nis to fall off target and we have major concerns and right now \nthere are several, obviously, that are on the management's \nwatch list, we work very closely with the budget side of the \nhouse of OMB and what we do is make sure that the agency has a \ngood remediation plan in place, that it's agreed upon between \nthe agency and OMB and then we have tools that are available to \nus that say OK, you have to take this particular action and \nthen we apportion the funds to ensure that those actions are \nmet and that they are complying with the action plans that they \nsaid that they would.\n    Mr. Putnam. And have you done that, Mr. Johnson?\n    Mr. Johnson. Karen and I have talked and I have a 15,000 or \n20,000 foot view of it. We need to put more check and balance, \nmore teeth into it. There needs to be more consequence and \nthere's more this year than there was last, and more last than \nthe year before that and that's just something we need to do \nworking with the OMB branches and working with the agencies and \nwe just--we have a clear definition of where--the agencies have \na clear definition of where they want to be, to be yellow and \ngreen is the way we discussed it and they've talked to us about \ntimeframes by which they'd like to be at what we call green \nstate of affairs and almost to help them be rigorous about it, \nwe need to be--make sure there's plenty of teeth. I told Karen \nlast week, in fact, let's figure out how we can put as many \nteeth into this mouth as possible. All these things--the rigor, \ndisciplines and checks and balances that we need to ensure \nthat, in fact, we are properly focused on security and the \nquality of management and project management and budget \nmanagement and so forth.\n    Mr. Putnam. So you currently can apportion funds. 
What \nadditional teeth would you like to see?\n    Mr. Johnson. We can apportion funds. We don't apportion \nfunds to the extent to which we can.\n    Mr. Putnam. So it is not a matter of authority.\n    Mr. Johnson. Right.\n    Mr. Putnam. So much as it just hadn't been done.\n    Mr. Johnson. Right. I mean when you go in and stop a \nproject that's mid-development, you're fixing to have a little \nwrestling match with the agency and there are opportunities to \ndo that and sometimes it's going to take that.\n    Mr. Putnam. I wouldn't think you'd have to do it but once \nor twice and everybody else would catch on.\n    Mr. Johnson. Right.\n    Mr. Putnam. Every time I need something from OMB, we have \nto wrestle with them. [Laughter.]\n    Mr. Johnson. You wouldn't recommend it, would you?\n    Mr. Putnam. I lose every time. [Laughter.]\n    Have you ever been in an arm wrestling match with OMB? Have \nyou ever won? It's not fun and yet----\n    Mr. Johnson. We're gentlemanly about it, aren't we?\n    Mr. Putnam. You're very gracious, just wiping the mat with \nus. And yet, I see these agencies and we're going to get into \nthis in our next hearing, but agencies don't even know what \nequipment they own and can't find it, don't know where it is. \nDidn't know they had it. They're not accountable for securing \nit and nothing happens and----\n    Mr. Johnson. We have plenty of authorities now and it's our \nresponsibility to make sure that we are using every authority \nwe know.\n    Mr. Putnam. If you all are as tough on agencies as you are \non Members of Congress, we can save a bunch of money because it \nconcerns me.\n    Mr. Johnson. But you're talking about those B people, \nright, not the M people.\n    Mr. Putnam. That's right, that bad old B team. But it's a \nlegitimate issue in that you have this authority. Everybody is \npretty clear on what the problem is and we just can't seem to \nget our arms around it. And that's a little disappointing.\n    Mr. 
Johnson. Although great progress has been made in every \narea, I mean 3 years ago, 2 years--we were 20 percent secure. \nWe're 62 percent secure, just as an example. But we want to be \nat 80, so we are making great strides. We can make greater \nstrides and will.\n    Mr. Putnam. Fair point and I don't want to diminish the \nprogress that you have made. We didn't get into this position \novernight and we're not going to get out of it overnight.\n    So you have 621 IT projects totaling $22 billion on the OMB \nmanagement watch list. That means they need improvement in \nperformance measures, earned value management or IT security or \nsome combination and so can we--let's begin with how do you \ndecide who gets on the list and I guess to our earlier \ndiscussion, what point will you decide or do you decide that \nyou're just going to terminate or modify these at risk projects \nand what are they? Is that a list that we can get our arms on, \nget our hands around?\n    Ms. Evans. OK. First, the way that we determine the list--\n--\n    Mr. Putnam. Mr. Johnson, you're such a gentleman letting \nher answer first.\n    Mr. Johnson. Southern. You know how we were raised.\n    Mr. Putnam. Ladies first.\n    Ms. Evans. I get to go first. OK, the way that we determine \nthe management watch list is based on the business case \nsubmissions and so the business cases are reviewed internally \nwithin OMB and they're assigned a score between 1 and 5, a \ntotal score. The management watch list is composed of any \nbusiness case that has received a 3 or lower, total score. Or, \nif you've gotten a 4 or 5 on the overall business case, but you \nhave a 3 in the cybersecurity element of the business case, \nthen you're put on management watch list.\n    Then what happens at that particular point, say for \nexample, if it's cybersecurity, agencies receive specific \nguidance during the budget process of what they needed to do to \nremediate that particular risk. 
So in the case of cybersecurity \nthey had a specific date that they had to turn in a remediation \nplan to us to talk about how they were going to address the \noverall cybersecurity posture within an agency. And then also \nwhat had to be included are the costs associated to accomplish \nthat remediation. When that came in, now we're in the process \nof evaluating that plan to see if it meets everything that is \nunder the guidance of FISMA, that it has the IG review, how to \ngo forward and do they have adequate funding levels within \ntheir current levels. If they don't, what the process was of \nhow we went forward is the guidance is very specific that no \nnew development efforts should go forward in that agency until \nthey have remediated this weakness and dollars that they have \nassociated with new development efforts would be redirected to \nhelp supplement and remediate that particular weakness. And \nthat's where we're working hand in hand with the budget side of \nthe house to ensure that happens under our current authorities.\n    If it's something else like the EVMS or performance \nmeasures, we also have asked the agencies to turn in plans to \ndeal with that and we set a target for June of this year, \nassociated with the scorecard, because we measure their \nprogress on a quarterly basis with the President's management \nagenda scorecard. And so those plans will also be looked at \nprior to them actually expending funds in fiscal year 2005 and \nso in the meantime, we're looking to see how far down, how bad \nis it and then we're making recommendations to go forward of \nwhether that project should be stopped if we don't feel that \nthere's an adequate plan to remediate the weakness and that's \nwhat I'm working with Mr. Johnson on very closely.\n    Mr. Putnam. Can we get a list of the projects on that list?\n    Ms. Evans. I need to check because we normally don't \nrelease the list and so I will check internally since it's \ncoming to you. 
We don't normally release it to the press at all \nbecause what we really want to do is have the agencies have the \nopportunity to be able to justify that business case, be able \nto remediate the weakness, have a good business practice in \nplace to ensure the success of that project.\n    So I will check and get back to you on that.\n    Mr. Putnam. Thank you. Let me just ask one final question \nbefore I recognize Mr. Clay.\n    Help me to understand this; $60 billion spent on all IT \ninvestments governmentwide. And the State of Florida's budget \nis about $56 billion this year. So it kind of puts it in \nperspective as a former legislator, thinking about all the \nthings that we used to be able to do with $56 billion, actually \nit was more like $50 back then and what we're spending just on \nIT.\n    How much of that roughly $60 billion is just ordinary kind \nof stuff that anybody in America who owns a small business or a \nbig business or a home computer would understand, you're just \nupgrading your operating system, making sure everybody has the \nlatest, the greatest, the newest to do the things that they \nneed to do that are commercially available off-the-shelf kind \nof stuff, and what percentage of that $60 billion are really \nzebras, things that are unique to the mission of IRS or DOD or \nwhomever that really do fit that unique category?\n    Is the overwhelming majority of the $60 billion just \nbecause of the sheer size and scope of the government? Or is it \nbecause we're still building zebras to do what anybody could go \ndown to the store and buy a horse to do?\n    Ms. Evans. Well, if I understand the question correctly, so \nthe way the $60 billion is broken out for the fiscal year \n2005's budget, it reflects the administration's priorities of \ndefense and homeland security. So if you look at--it's actually \n$59.7 billion; $27.4 billion are associated with DOD systems. \nAnd then----\n    Mr. Johnson. Can you say that again?\n    Ms. 
Evans. $27.4 billion----\n    Mr. Johnson. Alone are DOD?\n    Ms. Evans. Yes. Out of that total. And then of the homeland \nsecurity, $10.3 billion is associated with homeland security. \nSo that leaves $22 billion associated with all other.\n    So that all other includes all the civilian agencies going \nforward. Now, also in the homeland security piece, and I want \nto make a distinction there, as agencies send business cases \nforward, that is not just the homeland security's IT budget. It \nis what agencies who have homeland security missions or are \nsupporting homeland security missions, they mark their business \ncases and say that this is in support of homeland security and \nthen what a particular area is. So we pull that out of the \ninvestments to show where the agencies were investing their \ndollars. So it's not just the Department of Homeland Security, \nbut it also reflects what the Department of Justice may be \ndoing, what Department of Treasury may be doing in the area of \nhomeland security.\n    Mr. Putnam. What I'm really asking, and we're getting there \nis, take CAPPS II for example, it's not something that \neverybody in America needs or wants or would have or could go \nout and buy. Obviously, it's a very expensive thing to make it \nall happen.\n    So that's a big ticket item that clearly government is \ngoing to spend a lot of money to get it right. But of that \n$27.4 billion defense and certainly the $22 billion of the \nother, how much of that is just getting the newest Windows \nsystem on every extension agent's desk in America for the \nDepartment of Agriculture and those kinds of things?\n    Mr. Johnson. So purchasing an upgraded computer, new, \nlatest version of an operating system or Windows or something--\n--\n    Mr. Putnam. Sure.\n    Ms. Evans. 
I would have to get back to you on the specific \nof what that number is and we have it available because we did \nask the agencies this year as part of their 2005 submission to \nsend in one business case that consolidated all the \ninfrastructure costs such as office automation, computer \npurchases, network, cost, network infrastructures, so we should \nbe able to pull that and I'd be glad to get back to you and \ngive you a specific number of what's related to that.\n    Mr. Putnam. I think that would be helpful because when I \ngive the Rotary Club speech and I tell people we spend $60 \nbillion on this stuff, people are just in shock. And the \nassumption is that it's because of things related to homeland \nsecurity, things related to defense like CAPPS II or the things \nthat truly are unique, but my sense that the majority of it is \njust when you figure up how many employees of the Federal \nGovernment we have and all the offices we have and everything \nelse, it's just ordinary upgrade that every business in America \ndoes in an outfit the size of the Federal infrastructure. \nThat's the real goal here is to see what that is.\n    Do you want to add anything?\n    Mr. Johnson. Well, I'm going to conjecture. My sense of it \nis, the number that you're asking about is a gargantuan number, \nbut it's a small percent of the total.\n    Mr. Putnam. Thank you. Mr. Clay.\n    Mr. Clay. For Mr. Powner, of the many practices that GAO \nevaluated in its recent report, which rise to the top as the \nmost critical for agencies to fix?\n    Mr. Powner. Clearly, there were two that require more work. \nOne is associated with strategic planning and performance \nmeasurement. As I had mentioned prior, we saw strategic plans \nin place and goals. What we didn't see was the associated \nperformance measures nor processes in place that would actually \ntrack those performance measures to results. So performance \nmeasurement would be No. 
1.\n    Second, when you look at investment management, there was a \nfair amount of rigor on the front end where we had investment \nboards in place and selection processes. We were choosing \ninvestments based on sound criteria, but once we selected those \ninvestments, having the appropriate oversight processes in \nplace, those were clearly lacking.\n    Mr. Clay. Are there any agencies that would have greater \nchallenges in managing their IT strategic planning and \nperformance practices or investment management practices due to \nthe nature of programs they administer? In other words, are \nsome agencies in need of more frequent upgrade due to the \nchange in technologies or trends?\n    Can you identify of them that have some unique issues that \nthey----\n    Mr. Powner. I don't know if there's unique issues by \nagency. I think when you look across the board, almost every \nFederal agency, we look at--the FAAs, the DHS--we are really \ntrying to insert technology into these organizations. So I \nwould say the majority of these organizations are challenged to \nensure that we have new technologies in place to meet missions.\n    Mr. Clay. OK, thank you. Ms. Evans, how does OMB intend to \nutilize the CIO Council to encourage better IT management \nacross the government?\n    Ms. Evans. The CIO Council directly in partnership with OMB \nhas two major committees that we use. Actually, there's three \nmajor committees, but the two that impact what we're talking \nabout today are the Best Practices Committee as well as the \nArchitecture and Infrastructure Committee.\n    The Architecture and Infrastructure Committee really works \non in partnership with us on governance of the overall models \nthat we have in place that are leading us to better management \nof the IT as a whole. 
And then the Best Practices Committee \nlooks at where there are pockets of innovation, who has best \npractices in place and then takes those out so that we can then \nshare those across the IT community as a whole.\n    So both of those committees are very important to ensure \nthat we have all that information out to all the CIOs.\n    Mr. Clay. Let me ask you, we've been talking about \ninformation management, information security and investment and \ninformation technology, but we haven't talked very much about \ninformation itself.\n    Most of the systems we are talking about are used to create \na process, government information. Now some of this information \nshould be readily available to the public. I would like to know \nwhat OMB is doing to assure that these systems make it easier \nfor permanent, public access to government information.\n    What happens all too often is that a citizen writes to an \nagency and asks for Document X. The agency writes back that it \nis going to take six people 4 hours each to search through the \nfiling cabinets to find that document and if you will send us a \ncheck for $4,000, we will go look for that document.\n    What are you doing to make sure this investment improves \npublic access to this information?\n    Ms. Evans. Every investment proposal that comes forward, we \nevaluate that investment for interoperability, as well as \nutilization. And the whole focus of the President's management \nagenda in the tenet of E-Government is a citizen-centered \napproach. So everything that we're doing, along with things \nthat are already existing such as the Government Paperwork \nElimination Act, even though we reported on that, that doesn't \nmean that we are not continuing our work to eliminate those \nareas and to automate those transactions.\n    So all those investments are looked at that way to ensure \nthat we have transparency and then availability of the \nGovernment's information to the public.\n    Mr. Clay. 
Will the public have better access to the \ndocuments, to the information that they seek, or will it be the \nsame bureaucratic delay that they encounter now?\n    Ms. Evans. The answer is yes, they will have better access, \nyes sir.\n    Mr. Clay. Thank you, Ms. Evans. Mr. Johnson, has the \nProgram Assessment Rating Tool [PART], that has been used for \nthe past two budget cycles by OMB for the evaluation of program \nperformance and outcomes offered any insights into the ways in \nwhich the lack of IT management is impacting the effectiveness \nof programs at the agency level?\n    Mr. Johnson. I don't know the answer to that, but whether \nit's indicated where there are big IT gaps, where IT has not \nbeen deployed and should have been. My suspicion is no, it has \nnot identified any large IT gaps, but I don't have a specific \nanswer.\n    Mr. Clay. Can you respond back to us in writing?\n    Mr. Johnson. I'm sorry, what?\n    Mr. Clay. Could you respond back to us in writing?\n    Mr. Johnson. Sure.\n    Mr. Clay. On that question. Thank you and thank you, Mr. \nChairman.\n    Mr. Putnam. Thank you very much. Let's talk about the \nenterprise architecture for a second.\n    How have OMB and the agencies addressed the lines of \nbusiness consolidation opportunities within their submissions \nand how has OMB addressed that--how did the individual agencies \naddress lines of business consolidation and how have you \naddressed it and what success have we seen from that?\n    Ms. Evans. Each agency, as they go forward in their efforts \nof putting together their enterprise architecture, see the \nopportunities to consolidate and I believe the best example of \nthat right now is the Department of Agriculture. 
They did a \nvery rigorous analysis, using their architecture this year \nbefore they submitted their fiscal year 2005 budget and it \nresulted in $162 million worth of savings within their IT \nportfolio.\n    So that's a clear example of how an agency has used that \ninternally within their own enterprise. That then translates up \ninto the overall efforts of where we see investments going \nalong a path, for example, of the ones we've already \nhighlighted, such as financial management and grants management \nsystems and human resource systems. And so what we've done this \nyear again through the budget passback process that we have \navailable to us is that we have specific levels of effort now, \nlines of business analysis, as you've said, that has resulted \nfrom us looking at the Federal Enterprise Architecture and said \nwe want a very concerted effort looking at that, seeing what \ncan be the common solution, how we can move forward.\n    And what we have done is we have directed the fiscal year \n2004 development and modernization dollars that are associated \nin these lines of business to support that analysis which will \nthen move the agencies to the common solution that will be \ndefined by September of this year.\n    Mr. Putnam. What is it that USDA consolidated to save $162 \nmillion?\n    Ms. Evans. They looked at their entire portfolio, \neverything that they were investing IT dollars in and they did \na very rigorous analysis and tied it in with their overall \ncapital planning and what they did was consolidate down their \nportfolio, so that as they send in their business cases they \nreally looked at what is supporting their corporate, what is \nsupporting program specific IT investments and it resulted in \nthem really taking a hard look at what they were going for and \nasking for in the past and what they were asking for this year \nin fiscal year 2005 and it resulted in $162 million worth of \nsavings.\n    Mr. Putnam. 
And did they benefit from any of that savings? \nWere they able to redirect it to other priorities?\n    Ms. Evans. The way that this works prior to it coming in, \nwhat should happen and the way that this should work and the \nway that it does work, it worked at Energy in this way as well \nis that if the agency moves forward and through its budget \nprocess they give specific guidance that are aligned with the \nPresident's priorities, so in the spring, they'll do a call out \nto their entire agency and say send everything in and align \nwith this guidance.\n    Then the departmental offices will evaluate how that aligns \nvery similar to the same questions that you're asking me of how \nI do it on the $60 billion, each agency does it for their \npiece. Then as they go forward there is then a review in the \nsummer that the Secretaries and the Deputy Secretaries then \nlook at that.\n    In this particular case, as Agriculture went forward, there \nwere certain targets that we are given by OMB that each agency \nis supposed to have their budget meet. So as we consolidate and \nhave saving and realize that we can consolidate or leverage \nwhat we already have or get an enterprise license for our \ndepartment as a whole, those savings are then reflected within \nthe agency submission to meet the target levels that we've been \ngiven by OMB. That's how an agency puts together its overall \nbudget.\n    So the answer, that's a long answer to yes, they realize \nthe savings because it's reflected in how they put together \ntheir overall target numbers that go forward to OMB for us to \nreview.\n    Mr. Putnam. Do you have other success stories like that? Is \nit totaled up, $165 million here, $70 million there, $10 here. \nPretty soon, it's real money.\n    Ms. Evans. 
Right, and that's why we're going back through \neach portfolio and really working with the agencies through the \nscorecard process as well, so that we can really get a handle \non what the true cost savings are.\n    I can tell you from an overall piece of looking at the \nbudget as a whole that development and modernization dollars \nwent down by 5.66 percent this year from 2004 to 2005. So the \nnext logical question you would think is OK, all the \nmaintenance dollars really skyrocketed through the roof because \neverything that was new is now implemented in the separate \nagencies.\n    But there's only a 3.45 percent increase in steady State \ndollars. So what we're now starting to see is benefits from the \nconsolidation efforts as the agencies are moving forward \nbecause their budgets reflect how they plan to use the common \nsolutions that are being developed under the government \ninitiatives.\n    Mr. Putnam. I went through a Coca-Cola Shared Services \nCenter in my District that I went through over the Presidents' \nDay break. They have 400 people, one building, who do all the \naccounts receivable, all of the accounts payable, payroll, 80 \nCPAs doing their tax accounting, their financial accounting, \nall their books for Coca-Cola North America.\n    They have a sales force that doesn't have an office to \nreport to, they have wireless devices. They visit their \nclients, the convenience store, the restaurant, the mom-and-pop \ndiner, whatever it may be, key in the order, no paper. Their \nhours are paperless. Direct deposit, paperless. Are we even \nclose to getting to that type of efficiency in the Federal \nGovernment?\n    Mr. Johnson. I've met in the last week with the people in \nSocial Security, student loan operation in Education, the IRS, \nphone operation, customer service operation, this isn't \nspecifically IT, but those operations and I've referenced \nthat--I compare that to my experience in mail order business. 
\nThose operations are very, very sophisticated, very \nsophisticated, very results-oriented. They measure everything. \nThey're very focused on service. They have great use of \ntechnology. They deploy things here and there and their \nfacilities are doing BlackBerries and so forth, but that's very \nsophisticated use of technology to provide high levels of \nservice. I bet you that's the anomaly in the Federal \nGovernment, but there are places where technology really lends \nitself to getting the mission accomplished like that, like in \nDefense, all the things you see when we go to the battlefield. \nThat is extremely sophisticated. So we are using--we are \ndeploying very sophisticated IT intensive systems in those \nservice operations, Social Security and student loans and so \nforth in the defense world, those things we're exploring it \nthere. As sophisticated as the brainiest people can think of, \nthere are other areas where it's not that sophisticated.\n    One of the things I know that Karen's group looks at is to \nmake sure that when we are going from a manual, basically a \nmanual operation to a system attached operation, we just don't \nsystemize the manual process. We just don't get computers to do \nwhat human beings were doing. We look at that as an opportunity \nto completely change the way we do business and do you really \nneed a copy--those kinds of things.\n    But with $60 billion and all the things that we do in the \nFederal Government, there's a wide range, but in some areas \nit's as sophisticated as it can be.\n    Mr. Putnam. And this goes back to our question of Ms. Evans \nearlier on our long-term needs. I'm less interested in playing \ncatch up with the Federal Government than I am in skipping \ngenerations of technology and getting us where we need to be. \nSo if INS doesn't have enough computers, maybe they don't need \nto buy more desk tops. 
Maybe we need to have Border Control \nagents who have wireless devices that are beaming at real time \nso that we have a better sense of what's going on. And the \nDefense example is an outstanding example, because it \nrepresents the best and the worst of the Federal Government.\n    We are so good, so effective and ought to be so proud of \nhow we can move things from the laboratory to the battlefield \nand then into the commercial sector. You know, GPS. Everybody \nin Florida has a $99 hand held GPS and they've got 4,000 \nlobster and grouper holes programmed into it. That's a rapid \nmovement of technology because of the Federal Government.\n    And then if you look at the rest of the DOD, they can't \nfind $1 trillion worth of stuff and they've got an ancient, \nStone Age procurement and personnel and payroll system and all \nof this other stuff. It's just abysmal. You've got the best and \nthe worst all in the same five-sided building and so that's \nwhere I'd like to see us go. Instead of focusing on let's catch \neverybody up and make sure that we're fine with 2003 computers, \nlet's get them to the next step.\n    Mr. Johnson. I'm not a defense specialist by any stretch of \nthe imagination, but I know there's been a lot of talk about \nskipping generations of technology in the defense world and \nbecause of these major weapons systems it does take 10, 20, 30 \nyears oftentimes to bring them to full utilization and by then \nthe technologies change dramatically and so, a lot of attention \nis being paid to that at the Defense Department.\n    Mr. Putnam. I'm going to keep going. Ms. Evans, I \nunderstand that you have developed a new way to fund the \nGovernment through GSA surplus revenues. Could you discuss this \na little bit further for us?\n    Ms. Evans. Well, the way that the President's budget is put \ntogether this year for fiscal year 2005 is that we have the $5 \nmillion that we're going back and asking for that. 
That has \nbeen previously appropriated, not this year. We got $3 million, \nbut the previous year we had $5 million.\n    We're looking to use surpluses in the GSA supply fund and \nthe thought process behind that was that fund is built on \ntransactions that occur from the agencies as GSA does services \nfor them. And since the E-Government Fund is really to then go \nback and reinvest into the agencies and really serve as an \ninnovation fund similar to what like a venture capitalist fund \nwould be like, then we thought that the agencies should be able \nto benefit from the dollars that they've already spent and then \nreinvest back into the agencies so that they would then be able \nto move forward with the common solution, whatever a pilot \nprogram may be. And use that as we have the formal budget \nprocess, catch up with the planning and the execution of the \nlong-term solution.\n    Mr. Putnam. So you do see that as potential long-term \nsolution, not just a 1-year event. How successfully have we \ningrained in IT managers' and CIOs' minds the importance of \nbuilding cybersecurity into their new systems and how would you \nrate where we are on that?\n    Ms. Evans. That is actually highlighted as well in the \nfiscal year 2005 budget. It's in the chapter associated with \ninformation technology and we did set a specific goal for \nourselves of trying to achieve that which was again 80 percent \nof the systems would have that appropriately budgeted for in \nthe life cycle. To date, we're just slightly over 60 percent \nand so we are still targeting to have 80 percent of the major \nsystems have cybersecurity budgeted for it. So we are still \nshooting for that target. We missed it for the calendar year, \nbut we are pushing the agencies forward for that.\n    Mr. Putnam. And is there a common approach to cybersecurity \nfor all the new systems? 
Obviously, it varies by mission but \nwhen a--walk me through the process of governmentwide what the \nreaction is when a new virus or worm is identified and begins \nto move. How quickly can the entire Federal Government either \napply the new patch or take the appropriate measures to protect \ntheir systems? How quickly can we get that information out \nthere and how consistent is our response?\n    Ms. Evans. We work very closely with the CIO Council and as \nwell as with DHS and as DHS has moved forward, they actually \nhave now taken over what is FedCIRC. And so FedCIRC then \nnotifies the agencies and there are multiple levels of which \nthey get notification that there is a new virus out there.\n    And so then what will happen is to ensure that we hit at \nall levels and I'm sure that you're aware that DHS has also \nstarted a new forum which will complement the CIO Council which \nis the Chief Information Security Officers Forum, to then \ncontinue to talk about best practices to do that. But it does \nvary from agency to agency, depending on what types of services \nthey have in place and how those operations from a corporate \nlevel, as well as by program specific level, within an agency \nare handled.\n    So if they have a very centralized approach, then the \ndissemination of a patch can happen very quickly. If they have \na very decentralized approach, then it takes a little bit \nlonger for the CIO and the Headquarters Operation to have full \naccounting of how a patch is applied.\n    Mr. Putnam. I guess what concerns me is the number of \nagencies and departments out there who don't know everything \nthey have. So even if everybody is doing everything they can \nyou still have a pretty gaping hole in your readiness, don't \nyou? 
Because people forget about the server that's out in Iowa \nor down in Florida, that all of these machines that over the \nyears have accumulated and are still on the network that just \ndon't know where they are according to, at least, our scorecard \nand FISMA.\n    Ms. Evans. Well, cybersecurity is multi-tiered. The way \nthat you manage the cybersecurity posture of a department or \nthe government as a whole is very--it's multi-tiered. So \napplying a patch or when there's things dealing with viruses, \nthose are very technological types of approach. But \ncybersecurity starts at day 1 when an employee enters into the \nFederal work force. Or, if an employee enters into any type of \nfacility, there is a whole piece associated with cybersecurity \nthat deals with education and how best to secure your own \nasset. So even though as you said, there's huge gaping holes of \nhow we manage from a centrally postured type of approach, each \nperson is responsible again and has responsibilities to \nmanage their portion or their asset going forward.\n    So if I'm an individual system administrator down in a \nfield office operation that may be a CIO may not know that my \nparticular server is there, based on the way our security \nprograms work and our education programs work within the \nDepartment, I am responsible as the system administrator to \nensure the cybersecurity posture of the resources that have \nbeen assigned to me.\n    So that is done and that education is done as new employees \ncome and that level of education is commensurate with the level \nof responsibility that you have for your Federal assets.\n    Mr. Putnam. How safe--excuse me, how comfortable are you \nwith our access management issues in terms of being able to get \non to the systems as a new employee. How long does it take to \nprocess that new name in the system and give them access to the \nthings they need to have access to and only the things that \nthey need to have access to. 
How are we dealing with access \nmanagement?\n    Ms. Evans. That is now currently being reviewed. And it \nalways can improve because as you also probably know that 80 \npercent of security vulnerability in types of attacks and all \ntypes of things that happen, usually happen internally. They \ndon't normally come from the outside; 80 percent of the \nproblems are internal and usually are related to education of \nemployees or unauthorized access.\n    OMB did release in December of this year guidance out to \nthe agencies to really look at the process to go forward to \nsupport our E-Authentication Initiative which talks about \nidentity management as well as authorized access. And it's \nasking the agencies to look at each of the systems that are in \nplace, what level of access do they really need to have and \nthen go forward to ensure that there's adequate security that's \nin place with that and they have to report back to us on that \nfor their major systems. I believe it's at the end of this \nyear. And then do the rest of the systems. But this is all in \nsupport of what the question that you're asking right now. We \nneed to make sure that the agencies have a good handle as an \nemployee comes on board that based on--is that the right \nemployee, do they have the right clearances and then are they \nauthorized to access those systems and that's what we're \nworking with the agencies now on.\n    Mr. Putnam. And conversely, how quickly can we terminate \ntheir access?\n    Ms. Evans. Right, absolutely and that is all part of the \nsame process.\n    Mr. Putnam. 
I'm also reminded that we have in October, \nsomewhat related to your role, a deadline for foreign visitors \nto this country, that if they don't have a passport with a \nbiometric they will have to get a visa to come in, even from \ncurrent nations who are visa-waiver nations and that has \nFloridians and the tourism industry a little bit concerned \nbecause they don't think that too many countries are going to \nbe in that position and frankly, our country with our \npassports, are a long way in being in that position, and so \nfrom a management inside of OMB that's an issue that all of us \nare going to have to deal with as we move forward.\n    Mr. Clay, do you have any additional questions or comments?\n    Mr. Clay. I have no further questions.\n    Mr. Putnam. Do you all have anything that you would like to \nadd that we haven't dealt with or anything that you'd like to \nmention?\n    Mr. Johnson. Just one comment, one of you used the phrase a \nminute ago about that even though an agency might be doing all \nthat it can, we try not to fall back on. We're working as hard \nas we can. We're doing everything possible. That's not--it's \nlike there's not a CIO that should not be an excuse. We're \nworking as hard as we can. That should not be an excuse.\n    We should have a definition of success in a given \ntimeframe. We want to be 80 percent secure by a certain date. \nThat's our goal. And if we don't have the resources to do that, \nwe need to get those resources.\n    When we say that we're at 60 some odd percent security now, \nsome agencies are 90 plus. Some are at 30. It's not that \nthey're all hovering around 60. There is a wide disparity in \nsecurity here and there's no excuse why some of those agencies \nthat are in the 30's are there and we need to make sure they \nget caught up.\n    Mr. Putnam. We're certainly prepared to do whatever it \ntakes to help you get them there. We appreciate your efforts.\n    Ms. Evans, Mr. 
Powner, thank you very much. This has been a \ngood hearing and we stand adjourned.\n    [Whereupon, at 3:22 p.m., the hearing was adjourned.]\n\n</pre></body></html>\n"