[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

DATA CENTERS AND THE CLOUD: IS THE GOVERNMENT OPTIMIZING NEW INFORMATION TECHNOLOGIES OPPORTUNITIES TO SAVE TAXPAYERS MONEY?

=======================================================================

HEARING before the SUBCOMMITTEE ON GOVERNMENT OPERATIONS of the COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES

ONE HUNDRED THIRTEENTH CONGRESS, FIRST SESSION

MAY 14, 2013

Serial No. 113-26

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE 81-280 WASHINGTON : 2013

For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, JR., Tennessee
PATRICK T. McHENRY, North Carolina
JIM JORDAN, Ohio
JASON CHAFFETZ, Utah
TIM WALBERG, Michigan
JAMES LANKFORD, Oklahoma
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
PATRICK MEEHAN, Pennsylvania
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
DOC HASTINGS, Washington
CYNTHIA M. LUMMIS, Wyoming
ROB WOODALL, Georgia
THOMAS MASSIE, Kentucky
DOUG COLLINS, Georgia
MARK MEADOWS, North Carolina
KERRY L. BENTIVOLIO, Michigan
RON DeSANTIS, Florida

ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
JACKIE SPEIER, California
MATTHEW A. CARTWRIGHT, Pennsylvania
MARK POCAN, Wisconsin
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
DANNY K. DAVIS, Illinois
PETER WELCH, Vermont
TONY CARDENAS, California
STEVEN A. HORSFORD, Nevada
MICHELLE LUJAN GRISHAM, New Mexico

Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Stephen Castor, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director

Subcommittee on Government Operations

JOHN L. MICA, Florida, Chairman
TIM WALBERG, Michigan
MICHAEL R. TURNER, Ohio
JUSTIN AMASH, Michigan
THOMAS MASSIE, Kentucky
MARK MEADOWS, North Carolina

GERALD E. CONNOLLY, Virginia, Ranking Minority Member
JIM COOPER, Tennessee
MARK POCAN, Wisconsin

C O N T E N T S

Hearing held on May 14, 2013

WITNESSES

Mr. David A. Powner, Director, Information Technology Management Issues, U.S. Government Accountability Office
    Oral Statement
    Written Statement
Mr. Bernard Mazer, Chief Information Officer, U.S. Department of the Interior
    Oral Statement
    Written Statement
Mr. Steve O'Keefe, Founder, Meritalk
    Oral Statement
    Written Statement
Ms. Teresa Carlson, Vice President, World Wide Public Sector, Amazon Web Services
    Oral Statement
    Written Statement
Mr. Kenyon Wells, Vice President of U.S. Federal, CGI Federal
    Oral Statement
    Written Statement

APPENDIX

Statement for the Record Submitted by Facebook, Inc.
The Government IT Network, The FDCCI Big Squeeze
Data Center ``Statistics''
Statement for the Record of Thomas A. Schatz

DATA CENTERS AND THE CLOUD: IS THE GOVERNMENT OPTIMIZING NEW INFORMATION TECHNOLOGIES OPPORTUNITIES TO SAVE TAXPAYERS MONEY?

----------

Tuesday, May 14, 2013

House of Representatives, Subcommittee on Government Operations, Committee on Oversight and Government Reform, Washington, D.C.

The subcommittee met, pursuant to call, at 2:49 p.m., in the Meese Conference Room in Mason Hall at George Mason University, 4379 Mason Pond Drive, Fairfax, Virginia, Hon. John Mica [chairman of the subcommittee] presiding.

Present: Representatives Mica and Connolly.

Staff Present: Alexia Ardolina, Assistant Clerk; Richard A. Beutel, Senior Counsel; and Mark D. Marin, Director of Oversight.

Mr. Mica. Well, good afternoon. I am Congressman John Mica. I am pleased to chair one of the Oversight and Reform subcommittees, which is Government Operations, and have the opportunity to be here today. The Democrat leader of the subcommittee is the distinguished gentleman and Congressman from this district--I believe we are in his district----

Mr. Connolly. Yes.

Mr. Mica. --Mr. Connolly. So, with that partnership, we have the responsibility to conduct various oversight hearings and look at government operations. But today I call and convene the subcommittee hearing to order in this district. And the title of today's hearing is ``Data Centers and the Cloud: Is the Government Optimizing New Information Technology Opportunities to Save Taxpayer Dollars?'' And that is the subject. And we are here, actually, at the request of the ranking member, Mr. Connolly. What we try to do is operate the panel in a bipartisan manner, and areas of interest or particular expertise, we like to highlight the priorities of Members. And Mr. Connolly has been very active and a leader in trying to consolidate some of the duplicative and costly data centers in the Federal Government.
He has been on this issue before I got the opportunity to chair this subcommittee, so he has a long history. And it was one of his priority requests that we conduct the hearing. And, jointly, we decided that this would be a great place, Fairfax County, George Mason University, to have a field hearing here. I apologize for the delay. My plane was on time, but, as I told Mr. Connolly, the traffic in northern Virginia is horrendous. In spite of my efforts to help with the rail connection to Dulles and all, we still have a ways to go. But we are delighted to be here. The order of business--I will step out of order for just a second because we are here at a very distinguished university. If I could, maybe I could ask the ranking member to introduce the president of this university, and we could inject a few comments before we get to the business of the subcommittee. Again, we are delighted to be here. I think it is great to come to a university setting. I don't know if we have students, professors, or others here, but it's an awesome opportunity. I see some of us may, in fact, be recorded. And, again, it is an actual hearing of Congress and part of our realtime work. So we are pleased to be here. Would you do us the honors, Mr. Connolly?

Mr. Connolly. I would. Thank you, Mr. Chairman. And thank you so much for being here. And we all apologize for our traffic, but when you were both the ranking member and the chairman of the Transportation and Infrastructure Committee, you were very sympathetic and supportive of our efforts to extend rail to Dulles Airport. And we want to thank you for your support, because you did get it, about how serious the congestion is here. It is my privilege to introduce the president of George Mason University, Angel Cabrera. We just actually celebrated the installation ceremony for our new president.
He comes to us after many years of serving in the southwest part of the United States in other academic endeavors, and we are delighted to have him here. George Mason University is about a little over 40 years old now and in that 40-year time period has grown to become the largest single university in the Commonwealth of Virginia, which always surprises people at UVA, Mr. Jefferson's university, which is over 200 years old, and Virginia Tech, also a very large campus. So it just tells you a lot about what is going on in terms of academic programs here in northern Virginia. And it is a center of excellence, especially for the technology community, but for so many other things as well. So welcome, President Cabrera.

Mr. Cabrera. Well, thank you so much. Thank you, Mr. Chairman.

Mr. Mica. You might come over. I don't know, are these live right here?

Mr. Cabrera. Yes. Thank you so much, Chairman Mica and Congressman Connolly, for moving the business of Congress across the river. And I hope the air of Fairfax will make the meeting very, very productive. I want to point out that even though we have a problem with physical transportation of vehicles, the transportation of bits through the Internet couldn't be any faster than it is in northern Virginia, which I think is one of the reasons why this is a perfect location to have this discussion. I would also point out that we are, of course, in one of the most educated and one of the wealthiest counties in America. Those two things go hand-in-hand. And one of the reasons why this area has become probably the world's hotbed for the Internet and for cloud computing and other information technologies is precisely because we have universities like George Mason that right now ranks in the top 200 of research universities in the world. So it is a privilege to have you here. I wish you a very productive meeting. And thank you so much for having chosen George Mason University to conduct your business. Thank you.

Mr. Mica.
Well, thank you. And, again, we are pleased to be here. And we will proceed. We are a little bit late in beginning the proceedings, but the order of business will be as follows: I will start with an opening statement. I will yield to Mr. Connolly. Then we have two panels of witnesses. I will introduce the two panels. One is primarily government; the second looks like primarily private sector. We will proceed with questions after we have heard from the witnesses, the first two on the first panel and then the second panel. So, with that, we will go ahead and proceed, and I will recognize myself to sort of set the stage and talk about the topic. Today's hearing, actually, again, is the result of some of the work of the Democrat leader of the committee. Some several years ago, the GAO began some work and looked at some of the data center consolidations. In fact, today, coinciding with this hearing, there is the release of this report, ``Data Center Consolidation: Strengthened Oversight Needed to Achieve Cost-Savings Goals.'' And the subject matter contained in this report will be discussed by the GAO representative. But some of the background here is that GAO reports, in fact, that in fiscal year 2011 the government funded 622 separate human resources systems, costing $2.4 billion; some 580 financial management systems, costing some $2.7 billion; 777 supply chain management systems, costing some $3.3 billion; and so the list continues. Most of these systems perform, unbelievably, the same function. To address some of this wasteful duplication, and with much fanfare, the OMB, the Office of Management and Budget, rolled out a program in 2010 entitled the Federal Data Center Consolidation Initiative. Sometimes you will hear me refer to it as the FDCCI. But they trumpeted the fact that they thought that they could close 40 percent of the data centers by 2015 and save taxpayers a welcome $3 billion. 
That would have meant that, in closing 1,253 of the 3,133 total Federal database centers, we could save that much money. To accomplish this savings, 24 of the CFO Act agencies were tasked by the OMB to do several things: first of all, to conduct an initial inventory of data center assets by April 30th of 2010; and then, secondly, to develop a plan by June 30th, 2010; and report quarterly on their closures and savings via an online portal called data.gov. Today, GAO has released the latest of its three reports, the one I referred to. In that report, we will find that the GAO uncovered the fact that the program was not being effectively implemented, unfortunately, and, also unfortunately, that taxpayers are not going to recognize or realize the projected savings that were anticipated. Specifically, OMB and the agencies, some of the findings--again, not mine, but theirs--were that the agencies were delinquent on finalizing their data consolidation, their migration plans. And, also, we have, I think, a chart up here that shows the cells in orange, and we see missing data in these cells, lots of question marks. So we also found in that report that we lacked a basic system to track cost savings so that progress toward that $300 billion cost-savings goal could be measured. GAO states, and let me quote them, ``As of November 2012, the total savings to date had not been tracked but were believed to be, unfortunately, minimal.'' Again, their commentary. OMB recently announced its plan to roll up the FDCCI into its broader--a new process called PortfolioStat, potentially losing focus and motivation to carry out this much-behind consolidation of the original intended government data centers, again, consolidation. At a time of fiscal austerity and tight budgets, it has never been more important for the Federal Government to drive efficiencies and cost savings through effective management of its information technology systems.
It is absolutely essential that IT assets should be optimized to maximize the return on investments, reduce operational risk, and provide responsive services to its citizens. We must, I believe, accelerate data center optimization by urging agencies to complete meaningful transition and consolidation plans for their data centers and, also, accurately track these savings. And another thing that we are going to have to do is support broader transition to the cloud solutions for Federal IT resources and hopefully drive broader efficiencies in the use and deployment of IT data centers. We are going to hear from some of the private sector in here a little bit about how we might achieve some of that in our second panel. So, with that sort of setting the stage for where we are in this hearing and, again, the review of what is taking place with this consolidation effort, let me now yield to the gentleman from Virginia, Mr. Connolly.

Mr. Connolly. Thank you so much, Mr. Chairman. And thank you for your gracious willingness to have this field hearing here in the 11th District of Virginia at George Mason University. I have very much appreciated the spirit in which you and I have been able to work, beginning this year when this subcommittee was first formed. And my hat is off to you in terms of bipartisan cooperation and comity, and I thank you. We have something like 3,100 data centers in the Federal Government, and that is an astounding number. It is a stovepipe kind of operation, and it is expensive and inefficient. And what we are trying to do here is identify ways to optimize, you know, the purpose here, through private-sector cloud computing, through some remaining Federal data centers that may make sense, but to try to achieve efficiencies, especially right now when we are in budget contraction.
It is imperative for agencies to be able to expand their scope and to be able to try to replace through better deployment of technology lost dollars in their bottom line in terms of the budget. If we don't do that, if we are not, you know, seized with a sense of urgency about that mission, then, you know, Federal agencies are going to have to do less with less. And that will not serve the American people very well. And so this, while for some a dry topic, is really at the cutting edge of, can we organize ourselves in the Federal Government to replicate what the private sector has done in terms of the utilization of technology, better investments in technology, smarter investments in technology? We have had hearings, as the chairman knows, on the Oversight and Government Reform Committee where it is estimated that, of the $81-billion-a-year Federal information technology budget, perhaps as much as $20 billion of it is spent in less-than-optimum ways, some of it maintaining very old legacy systems. Now, the good news about that, as was pointed out in one of our hearings, was that the Chinese don't know how to hack into those legacy systems. So maybe that's an upside. But in terms of efficiency for the future and making sure that we're ready to go for the future, I'm not sure it's the kind of investment we want to be maintaining forever. And so data center consolidation is one piece of a larger piece of Federal IT policy. And as the chairman indicated, I requested the GAO report--and we are going to hear about it today in testimony from Mr. Powner--on how are we doing. And you can see from this chart, as the chairman just pointed out, well, I wouldn't give us an A in terms of compliance with trying to consolidate and eliminate duplicative data centers. For some agencies, it may just be that it is not a priority. For others, maybe they don't share the goal.
But we have got to reach the OMB goal of 40 percent reduction, or consolidation, and we want to actually go way beyond that, because that still leaves us with 1,100 or 1,200 data centers, and it's not at all clear that we need all of them. And so this is an important part of a larger picture. This bill that I introduced on data center consolidation is an entire title of what is known as the FITARA bill that Chairman Issa, Chairman Mica, myself, and Ranking Member Elijah Cummings have introduced in this Congress that would be the most comprehensive rewrite of Federal IT acquisition policy since--well, in 20 years. And so this is a vital piece of it, and that's what we're doing here today, to try to really focus on how can we do better at the Federal level. We need to do better. So thank you all for being here. And, again, Mr. Mica, thank you so much for having this hearing.

Mr. Mica. Again, pleased to be here. And what we will do is, we have additional statements that Members may like to submit. And, also, if the public or anyone else is interested in submitting, it has to be done through a Member, so in this case it would be Mr. Connolly or another member of our subcommittee panel. But, without objection, the record will be left open for 7 days, with Mr. Connolly's concurrence.

Mr. Mica. And I also see that Facebook has a written statement that they would like to be entered into the record. Mr. Connolly asked that that be permitted. Without objection, so ordered.

Mr. Mica. Now we will turn to our first panel of witnesses. And we have two distinguished panelists: Mr. David A. Powner, and he is the director of information technology management issues with the U.S. Government Accountability Office. We refer to it commonly as GAO. Then we have Mr. Bernard Mazer, and he is the Chief Information Officer of the Department of the Interior. Now, I think we've got two more witness little plaques out there. And I'm not a happy camper, Mr.
Connolly, that OMB and GSA have chosen not to provide us a witness this morning. And they are not going to squirm out of appearing before the panel, so we will schedule another hearing. It may not be here, but it will be in Washington. And we will call them in either voluntarily or however we have to do it, because we do--this is about saving taxpayers significant sums of money and achieving something that they set out to do. So we need answers, and we want it straight from those individuals involved.

Mr. Connolly. Mr. Chairman?

Mr. Mica. Yes, Mr. Connolly.

Mr. Connolly. I concur in your sense of disappointment with OMB. I conveyed my disappointment to folks at the White House directly and to OMB directly for their nonparticipation today. None of that should, of course, detract from the fact that we are delighted to have the witnesses we do have.

Mr. Mica. Yes, and we'll start it, and we'll start it here in Fairfax at George Mason, and we'll get to the bottom of it. Sometimes it takes more time. I understand last night, apparently in response to this hearing--and these hearings do actually make things happen, believe it or not--GSA, which is a no-show, updated their data posting from zero to 74 planned data centers closings on data.gov. So we sometimes can get some things moving along. And that's part of this process, is the constant oversight that we're responsible for in this important committee and subcommittee. So those are the two witnesses we have from GAO and the Department of the Interior. This is an investigative panel, and it is part of the procedures of the panel to swear in our witnesses. So I would ask you to stand, if you can, Mr. Powner and Mr. Mazer. Raise your right hand. Do you solemnly swear or affirm that the testimony you are about to give and provide this subcommittee of Congress is the whole truth and nothing but the truth?

Mr. Mazer. Yes, I do.

Mr. Powner. Yes, I do so solemnly swear.

Mr. Mica.
Let the record reflect that the witnesses answered and responded in the affirmative. So, with that, the way we proceed, for everyone's information, is first I will call on GAO's representative, Mr. Powner, and then Mr. Mazer, in that order. And we have a little bit of extra time. We try to hold it to 5 minutes. If you have prepared information or background data that you would like submitted to the record, just request it to the chair, and that will be accomplished. So, with that, we welcome you. And, Mr. Powner, first, you are recognized.

STATEMENT OF DAVID A. POWNER

Mr. Powner. Chairman Mica, Ranking Member Connolly, we appreciate the opportunity to testify on the Federal Government's efforts to consolidate its data centers and to save taxpayers billions of dollars. In a time when we hear too often about fraud, waste, and duplicative Federal programs, the Data Center Consolidation Initiative is an effort that is good government. Its goals are to reduce costs, increase current low-server utilization rates, and shift to more efficient computer platforms and technologies. The specific goals are very clear and aggressive: close 40 percent of the government's over 3,000 data centers and save the taxpayers $3 billion. This afternoon, we are releasing our third report on this initiative. The first two highlighted holes in agencies' inventories and plans and made recommendations to ensure that inventories were complete and that agency plans clearly had comprehensive schedules to close centers and associated cost savings. For example, last summer, we reported that only three agencies had complete inventories: SSA, HUD, and the National Science Foundation. And only one agency had a completed plan, that being the Department of Commerce. While incomplete, these plans still showed great opportunities for cost savings. For example, DOD claimed that it could save $2.2 billion. In its recent budget submission, DOD plans to save $575 million in fiscal year 2014 alone.
And I think that is represented on your chart up there, fiscal year 2014. This afternoon, I will provide a progress report on closure and cost-saving goals and recommendations to ensure progress continues. My comments will also address the importance of FITARA in this area. Data center closures to date and those planned are promising. Four hundred centers were closed by the end of December, and another 400 are planned to be closed by September of this year, as your chart shows up there. And the plan is to close well over 1,000 centers by December 2015. Despite impressive progress and visibility into the closure situation, this is not the case regarding progress and transparency toward the cost-savings goal of $3 billion. In fact, OMB is not tracking cost savings. This lack of such data raises questions about the government's ability to meet its overall goal. But let's be very clear on the cost savings issue: Closing over 800 centers should yield significant cost savings. The Department of Agriculture recently reported to the Appropriations Committee that it saved nearly $50 million in fiscal year 2013. DHS is reporting $20 million of savings in fiscal year 2013. And we've already discussed DOD's plans to save $575 million in fiscal year 2014. Now is not the time to take our foot off the accelerator regarding associated cost savings, and FITARA would be extremely helpful since it requires the tracking and reporting of cost savings. OMB has recently integrated the data center effort with the broader PortfolioStat initiative and is in the process of revamping metrics in this area. OMB stated that its new goal is to close 40 percent of the non-core data centers and that additional metrics in areas like energy consumption are to be developed by the data center task force. Folding the data center effort under this initiative is fine as long as the right metrics are in place, including cost savings, and that it provides the appropriate level of transparency. Mr.
Chairman, having the right metrics and transparency moving forward is currently a big question mark. Our recommendations are to track and annually report on key data center metrics, including cost savings to date, extend the time frame for achieving cost savings beyond the current 2015 horizon because significant savings will occur beyond that date, given where agencies are at today. Regarding governance, we need better leadership out of OMB and the GSA program office if we expect the data center initiative to be successful. With OMB, this leadership starts with the Federal CIO. In addition, each CIO needs this to be one of their top priorities and at any point in time should be able to report on closures and cost savings to date and those planned for the next fiscal year. If these simple questions cannot be answered, we do not have adequate governance at the agency level. And, finally, codifying the data center optimization consolidation effort the way FITARA does will ensure cost savings are tracked and reported and that this initiative will span multiple administrations. I would also like to mention, Mr. Chairman, your comment about GSA's data changing, that really shows the importance of this committee's oversight. Your staff made a couple of key questions to GSA, and clearly we went from zero reported centers to 74 in a couple days. And having that reported is very important so that we can perform the appropriate oversight so, in fact, those 74 data centers do get closed, with their associated cost savings, and then we can think about optimizing the centers that remain open. So this concludes my statement, Mr. Chairman and Ranking Member Connolly. Thank you for your leadership on this topic, and I look forward to answering your questions.

Mr. Mica. Thank you.

[Prepared statement of Mr.
Powner follows:]

[GRAPHICS] [TIFF OMITTED] T1280.001 through T1280.024

Mr. Mica. And we will hold the questions until we have heard from Mr. Mazer. And he is the Chief Information Officer at the Department of the Interior. Welcome, sir, and you are recognized.

STATEMENT OF BERNARD MAZER

Mr. Mazer. Good afternoon, Chairman Mica and Ranking Minority Member Connolly. I would like to summarize my testimony and submit the full testimony for the record.

Mr. Mica. Without objection, we'll submit the additional data.

Mr. Mazer. My name is Bernard Mazer. I currently serve as the Chief Information Officer for the Department of the Interior. As a representative of the Federal CIO Council, I also serve as an executive sponsor of the Federal Data Center Consolidation Task Force. Thank you for providing the opportunity to testify regarding cloud computing and optimization of data centers across the Federal Government. The Federal Government information technology infrastructure is a massive collection of networks. In the span of 11 years, from 1998 to 2009, the number of Federal data centers drastically increased from 432 to more than 1,100.
The result was an inefficient Federal data center population with unnecessary operations and maintenance costs. To reverse this trend, OMB in February of 2010 launched the Federal Data Center Consolidation Initiative, referred to as FDCCI. A year later, in February 2011, the Federal Data Center Consolidation Task Force was chartered. The task force is comprised of agency representatives who are working together to share progress toward individual agency goals and the overall Federal goal of optimization and consolidation. Today, the task force has contributed to the FDCCI by advising on policy and implementation; sharing information, best practices, and lessons learned; and by working with agencies to assess the benefits and challenges of cloud computing. One of the critical roles of the task force has been to share best practices. For example, the Department of the Interior has launched an IT transformation initiative to consolidate IT infrastructure operations at the department level, including data center operations, in order to eliminate redundancy and speed the adoption of new technologies, such as the migration to cloud computing. Information provided by the task force has helped evolve the FDCCI. Under the March 13th OMB memorandum on PortfolioStat, the FDCCI was formally integrated into PortfolioStat and shifted the FDCCI focus from consolidation to both optimizing core data centers and consolidating non-core data centers. Through PortfolioStat, agencies have already realized $300 million in savings, some of which is attributed to data center consolidation. The expected benefits of moving to the cloud can be great and are driving the transition from existing hosting environments that focus on managing servers to modern cloud-based environments. These benefits include improving service delivery to customers, modernizing computing capabilities, enhancing collaboration, and replacing legacy information technology infrastructure.
Moreover, as agencies refine their business processes during cloud migration, they can also realize significant cost savings. The deployment of cloud tech computing also presents challenges, including culture and change management, data interoperability and portability, and the lack of expertise or experience in implementation of migrating to cloud-computing technologies. Another challenge agencies have experienced is calculating cost savings related to optimization and consolidation. This requires calculation of a total cost of ownership which is much more comprehensive than just equipment or energy cost. That is why the task force, working with participating agencies and GSA and OMB, are developing a total-cost-of-ownership model. This model is now being used as a planning tool as agencies optimize and consolidate their data centers. Agencies are at different stages of moving IT applications to the cloud and, in doing so, can leverage offerings from the Federal Risk and Authorization Management Program, known as FedRAMP, that provide a standardized approach to security for cloud products and services. In conclusion, Federal agencies are continuing to make progress toward optimizing and consolidating data centers. Since launching the FDCCI, agencies have closed 484 data centers as of last week, with plans to close 855 by the end of the fiscal year 2013. The progress is being publicly tracked through data.gov. FDCCI's integration into PortfolioStat is expected to strengthen the focus on tracking cost savings, increase the number of tracked metrics, facilitate collaboration across agencies, expedite implementation of best practices, and should result in a consistent method for tracking costs. All of this is expected to result in a more accurate assessment of the benefits of this initiative. I am confident that cloud computing and data center consolidation has the potential to provide modernized IT at a significant cost savings.
It is our job as chief information officers to provide the evidence of these benefits to the American people. Chairman Mica, Ranking Member Connolly, this concludes my prepared statement, and I would be happy to answer any questions that you may have at this time. [Prepared statement of Mr. Mazer follows:] Mr. Mica. Well, we'll go ahead with some questions. And let me first ask our GAO representative, while one of the basic questions is that this whole project was projected to save $3 billion, and I think that was by 2015, I think I quoted the report as saying that the savings to date had not been tracked but were believed to be minimal. It seems pretty apparent now we're getting some data in as a result of this hearing. But do you think they're going to be able to approach the goal and meet the goal? Or what is your prediction now looking at---- Mr. Powner. So a couple comments here. If you look at the projected cost savings--at one time we had plans that were being updated; now those plans are off the table since this is being merged under PortfolioStat. But at one time we had about $2.4 billion in very preliminary plans. Inventories weren't complete yet. $2.2 billion of that came from DOD. Now, there were some things where upfront costs needed to be considered. But if you look at this chart up here, the Ag and the DHS numbers, that comes from a report that goes to the appropriation committees. Those agencies are reporting already in fiscal year 2013 a savings. And if you just project--I mean, 800 closures in DOD alone, $575 million in fiscal year 2014 alone. Our thought is this: If you extend it beyond 2015 out to--and it's great to have these stretched goals near term, but I think $3 billion is very realistic. And when this initiative was started, there was a goal of $3 billion. 
At one time, OMB was talking about a $5 billion cost savings, and they went back to $3 billion. So it's somewhere--who knows, really, where it is? But I think that's why you need good hard numbers on these closures. And if we have over 1,000 centers that we are closing, there has to be significant associated cost savings. Mr. Mica. Uh-huh. Well, what's interesting, now entering on the scene we have this PortfolioStat. I'm wondering if the consolidation efforts were to merge with this new thing, is this all going by the wayside? Or do you see them as compatible? Mr. Powner. They're clearly compatible. So if you look at the PortfolioStat initiative--and that's something we looked at very closely for the Congress--PortfolioStat---- Mr. Mica. Tell me how that's going to work, how you see it working. Mr. Powner. Yeah, so what PortfolioStat is, that takes commodity IT, so you can think of it more as administrative systems, and it puts them in groupings, so HR systems, financial management systems, email systems? And OMB has an initiative, which we highly commend their efforts on that, where they went to each of the agencies, and they identified about 100 opportunities at 24 major departments and agencies to save $2.5 billion. Okay? And that was the first cut in PortfolioStat. Now, clearly, when you start looking at consolidating commodity IT and moving to the cloud, there is a lot of overlap with data center consolidation. So movement to the cloud-based center consolidation, PortfolioStat, their shared service approaches--all these different terms that they have. But the bottom line on all of this, Mr. Chairman, is you have significant effort, PortfolioStat and $2.5 billion in savings; data center consolidation, $3 billion in savings. They did some TechStat reviews looking at troubled projects. The committees looked at that. Chairman and Ranking Member Connolly, I know you've looked at a lot of the troubled projects. But there were $3 billion in savings. 
All of a sudden, you do the math real quickly, and there is $7 billion or $8 billion in savings that we could spend more appropriately on modernizing government IT operations and furthering our mission. So that's why these savings are very significant. If we do things much more efficiently and save a significant amount of money, it will be in the ballpark of, you know, $7 billion to $8 billion, $9 billion. Mr. Mica. Okay. Now, there are three components to making this consolidation effort work, as I understand. One is supposed to be OMB and sort of its oversight; GSA, and they have a program management office involved; and then we have the task force. Now, you said we need better leadership with sort of a general statement with the CIOs, but somehow some thing is lacking here. We don't even have OMB willing to come in today and testify. I mean, please be frank with us. Has OMB dropped part of the ball, an important part of the ball, that is making this not work? Mr. Powner. So our report is fairly balanced here, Mr. Chairman---- Mr. Mica. No, no, just be honest. You don't have to be balanced. Mr. Powner. --OMB, GSA, and the task force, and they have done some things well. OMB has actually set the goals well. And we've got the ball rolling on---- Mr. Mica. But they're not---- Mr. Powner. --they're not driving it to closure. GSA, they have a program office responsible for plans and inventories. Our work over there shows the plans and the inventories have not been complete. Okay? We've got agencies like DOT where FAA wasn't reporting their air traffic control facilities. And then when you look at what Mr. Mazer is doing, I think he's done a great job with the task force and the like, but we pointed out the peer-review process was not where it needed to be. So all three organizations we felt needed to do more from a leadership perspective. Mr. Mica. Okay. And since we've got Mazer here, we'll pick on him a little. How can their effort be improved? 
And do you cite that here in the report? Mr. Powner. Yeah, we did cite that. That was a time--so the task force was put in place to perform peer reviews of the various agencies. And we clearly made a very clear point that we thought there could be more peer review going across the agencies to help each other out. And I commend Mr. Mazer for his efforts to date and for him being here and what he's done to date, but I also think that that task force can do better, similar to GSA and OMB. Mr. Mica. Well, with that being said, Mr. Mazer, and as chair of the task force, where do you see, again, us going from here in your particular role? You're an important part of the equation. Mr. Mazer. Chairman, where I see the role of the task force is--we appreciated GAO's examination of the overall FDCCI activities. In previous years, they were looking at the paucity of information populating what constitutes a data center. We are going to take into earnest the incorporation of the peer-to-peer reviews. We had those in the past. It will keep agencies on course in terms of their schedules and in terms filling out their inventory. The Federal Data Center Consolidation Initiative task force, as it's being integrated into PortfolioStat, it's really linked to the shared services activities that we're engaged upon, about looking at these duplicative business systems like HR and financial management systems. It's related to the TechStat activities that we're looking at. What the Federal Data Center Consolidation Initiative is going to do is identify criteria for examining what will become core data centers and what will become non-core data centers. Non-core data centers, we're going to encourage those data centers either to move to the core data center or to move out into the cloud. But we're following the approach of optimizing the portfolio, which includes applications---- Mr. Mica. Can you define a little bit better the core and the non-core, just for the record? Mr. Mazer. 
Chairman Mica, core data centers are those that are capable of delivering enterprise or private-sector-like class services. They're reliable, they're secure, they're following green IT, and they have the capability to deliver a variety of services across an agency or across agencies. Non-core data centers are activities that might be specific to a location or they might be supporting a particular scientific or monitoring-type of system. Many of the non-core data centers are, in effect, really small data centers. You could sometimes characterize them as closets, so they're 500 square feet or less, with a lot of cost inefficiencies about maintaining those. So we're going to encourage those to move to the core. Or if they have applications, then we're going to look at the promise of moving those out into the cloud. Mr. Mica. Okay. Well, finally--and I want to give Mr. Connolly plenty of time--is there--now, we are considering, again, some update in legislation and are working together on that. Have you looked at that? Is there anything that we are missing that would give us the tools to move forward, from what you have seen, either on an agency basis, on the whole consolidation? Maybe you've reviewed some of what we have proposed, but--and we want to pursue giving all the tools necessary to expedite this. And sometimes, you know, you have to have language that actually mandates certain actions because the agencies are so inclined to stay static and not take initiatives. But maybe you could both quickly comment on, or briefly comment on anything you see. Mr. Powner. Yeah, so on FITARA and the data center optimization section, a couple key things that we're very supportive of the bill is in the area of tracking and reporting key metrics. 
Not only do you want to track and report closures and cost savings--and that is very clear, because there are cost savings that need to be had--but you also have aspects of that bill that talk about optimization metrics, where you look at energy usage and those types of things, higher server utilization rates and that type of thing. So, obviously, you want both. You want the right metrics on closures and cost savings, but you want also the right metrics on optimizing what remains. And, clearly, I think that's something that the task force is charged to do going forward as part of the PortfolioStat. So I see your bill being very consistent with the direction that the administration is going. What it does is it mandates, codifies it in law, and it will ensure that it will span multiple administrations. Because, regardless of whether you want to look at this in 2015 or not, this is a long-term initiative that will go beyond 2015. Mr. Mica. Right. Mr. Mazer. Chairman Mica, the administration I don't believe has a position yet on the bill, but I have examined the bill from a data center perspective, metrics perspective. A lot of those cost-tracking metrics are what the Federal Data Center Consolidation Initiative is looking at. There are some things that we're looking at, about power usage effectiveness; we're looking at cost per operating system virtualization; we're looking at ratios of employees to the amount of servers; and we're also looking at facility and storage utilization. One of the activities that I feel good about the Federal Data Center Consolidation Initiative is, as we're looking at metrics, or we're attempting to look at metrics and all that that have meaning and salience and trying to comport ourselves into the 21st-century information technology. Mr. Mica. Great. I am a little bit more frosted as we go on and not seeing the two other witnesses. We'll have to definitely reschedule that, and we may have to have at least one of the witnesses back. 
Let me yield now to Mr. Connolly. Mr. Connolly. Thank you, Mr. Chairman. And I think the answer I just heard to your question of, did we get it right on the FITARA bill we introduced, I thought I heard both Mr. Powner and Mr. Mazer say we got it absolutely right and don't change a word, it's perfect. I want to thank our panel for being here. Mr. Powner, you've had a chance to look at the legislation, which stands for Federal Information Technology Acquisition Reform Act, which I referred to in my opening statement. And I heard your answers to the chairman's question, that it does encapsulate some of the reforms we're trying to make, including what the task force is doing, and going even back to the 25-point plan that Vivek Kundra put out when he was CTO. Can you elaborate just a little bit about what it might achieve and how, if that legislation could perhaps help us with better compliance and better metrics and data center consolidation? Mr. Powner. Well, I clearly think from a metrics point of view it will help significantly, because it makes it very clear that cost savings are significant and that has to be reported and tracked. The other part of the bill that I think will help is CIO authority. This is a CIO issue in every department and agency. And, clearly, you know, it varies in terms of the progress and the reported cost savings that CIOs are currently making. You know, we're all trying to get to a position where IT is more effectively managed at $80 billion, and we know that's understated based on some of the prior hearings that you've held. So I think in addition to the data center section, the CIO authority section also could play a significant role in moving the ball forward in this area. Mr. Connolly. At the moment, are you satisfied that OMB has consistent methods of evaluation to capture cost and cost savings with respect to data centers? Mr. Powner. No, I'm not--we're not. 
In fact, what OMB told us is that they were not tracking cost savings and that the savings were minimal. So if you're going to establish a goal of closures and cost savings, we need to then track that and ensure that we actually drive it to closure. We have a lot of good plans in D.C. at times in the IT area; what we don't do is implement them completely. And, also, folks aren't held accountable to implement them completely. This is a prime example. Mr. Connolly. Well, if they're not tracking cost savings, what do they think the consolidation effort is for? Mr. Powner. That's a very good question, Mr. Chairman. So we did not agree; that's why we made the recommendation in our report that cost savings needs to be front and center in terms of metrics. And we can talk about optimization goals and all this other stuff, but we're optimizing the stuff that remains. Okay? All those closures, and even if those are all small wiring closets, 800 of them, there's a lot of money to be had with those. And if we get to a point where we have 1,100 or 1,200 centers, which would get to the 40 percent---- Mr. Connolly. Can you refresh our memory, Mr. Powner, on how much these data centers expend, what it costs the taxpayers every year just on energy consumption? Mr. Powner. I don't have good numbers on that. Mr. Connolly. Would about $450 million roughly sound right to you? Mr. Powner. I would have to get back to you on that, but likely even higher, though, if you start adding all the departments and agencies. You look at DOD alone and you look at their centers---- Mr. Connolly. Yeah. Mr. Powner. And, frankly, they're reporting some numbers there that they probably would have missed. They don't have a complete inventory yet. Mr. Connolly. It underscores your frustration, Mr. Chairman, which I share. We've got to have some consistent measurement by OMB. 
And, for goodness' sake, obviously cost savings are part of the goal here, not the only goal, but a pretty important part of the goal. And if they're not consistently measuring that or even seeing it as a significant factor in making the decision about to stay open, to close, to consolidate, then they're not with the program. And, certainly, they're not consistent with the legislation we've introduced. Would that be a fair statement, Mr. Powner? Mr. Powner. Yeah, so if you look at the IT budget--we spend $80 billion on IT in the Federal Government, and 70 percent of that is operations and maintenance, which includes data centers. And the challenge going forward is to take some of that O&M spend and move it into systems development and acquisition so we modernize the government and further the mission. But we spend a lot of money keeping the lights on, and if we can do it more efficiently in this example, or movement to the cloud, we need to do more of that. Mr. Connolly. Yeah. Absolutely. Mr. Mazer, you are a constituent. I cannot imagine a better spokesperson for this whole subject than yourself, hailing, as you do, from Annandale. But just a couple of questions. You chair the task force. What is the mandate of the task force? Mr. Mazer. The mandate of the task force, it was initially chartered to provide information sharing, examining best practices, to examine activities like power usage effectiveness, and to follow and optimize--or to follow working with the agencies on the schedules and all that for closure on activity. Mr. Connolly. Okay, but there is a goal, an end goal, which is to promote this consolidation. Mr. Mazer. It's to promote the consolidation. And it's also to promote--this task force, we had a year gap of the peer review. 
But when the peer reviews that we had going forth on all that was having one agency encouraging another agency to either follow the intention of the schedule or to follow intention with the scope or to look at the missing inventory elements that are a part of what a data center consists of. Mr. Connolly. What are some of--could you enumerate for us a little bit the process and the criteria used in the process for determining, or for helping to determine in that task force process, ``You know, that sounds like an inefficiency. Ought to close, ought to consolidate, or go entirely to the private sector?'' What are the criteria whereby you look at something going, ``That's great, don't change a thing,'' versus, ``That's not so great, and maybe it ought to be closed?'' Mr. Mazer. Well, what we're looking at is, in terms of the--you know, initially the task force was chartered to reflect on best practices, and a reflection of noticing that we are having a problem coming to grips with what we have in our inventory. We started working on a series of metrics and all of that, in terms of criteria. So some of the metrics that we're looking at are how much virtualizing we've done of the boxes. And we're establishing a standard for the U.S. Government. We're looking at metrics in terms of how much floor space that we're using. We're looking at metrics in terms of the energy costs that we are looking at and establishing a baseline there for those activities. We also are looking at metrics in terms of what's the ratio of things that are out in the cloud as opposed to things that are actually to be put on premises. And right now the task force is engaged in establishing these metrics as a baseline which will serve as the basis for when the PortfolioStat sessions start in the summer so that agencies will have a good apples-to-apples comparison of what costs are and what we should strive to. Mr. Connolly. I assume utilization is one of the criteria? Mr. Mazer. Yes, sir. 
Utilization is a heavy criteria--one of the criteria. We've got about nine criteria. I'd be happy to submit for you a---- Mr. Connolly. That would be very helpful, I think, to all of us here. Thank you. Mr. Connolly. Yeah, because I would think, in some ways, utilization alone could be a qualifier or disqualifier. I mean, if you find something grossly underutilized, it's a strong candidate for consolidation or elimination. Mr. Mazer. Yes. Many of our servers are at 5 percent or 10 percent---- Mr. Connolly. Yeah. Mr. Mazer. --utilization, which does fit the---- Mr. Connolly. I think that--could you repeat that? Because I'm not sure that's fully appreciated. When we're looking at data consolidation, it isn't because we're obsessed with smaller numbers. It is because we're looking at how efficient it is. Mr. Mazer. Right. When the teams have gone out and done either using automated tools or on-site examination of the capacity of servers, many of them are woefully underutilized. There's more efficiency by putting multiple operating systems or applications on one particular server, particularly given the state of technology that it is today. Mr. Connolly. Right. Thank you. And a final question for now. You mentioned FedRAMP. Could you just remind us all what FedRAMP is and give us a status as to where it is? Mr. Mazer. The status I will defer to my colleagues from GSA, but I will tell you---- Mr. Connolly. Yeah, but they're not here, Mr. Mazer. Mr. Mazer. FedRAMP--well, what FedRAMP is looking at is, you know, the security is a very important issue concerning the U.S. Government and how do we protect our data and our content. And what we have done over the past 10 years, with the advent of the FISMA laws and all that, is really establish a set of controls. 
And if agencies can subscribe to those particular controls, whether it's, like, access, availability, those types of activities, then they're saying, okay, they're reasonably protected given the categorization of that security. FedRAMP is a model where, if anyone can subscribe to these set of controls, then they can be delivering that particular service. So FedRAMP is a model that, let's say if a private-sector company says, ``I'd be able to do something for you, the U.S. Government,'' they will follow the standards as promulgated by FedRAMP, and you'll have an independent auditor or a validator come in and say, ``Yes, they're matching these controls.'' And it actually establishes a common baseline, so rather than every agency doing its own set of, ``I think the security should be this,'' or, ``I think the security should be that,'' it subscribes to a standard baseline by which all private-sector companies should subscribe to. Mr. Connolly. So another way of putting it would be, Mr. Mazer, that what FedRAMP is designed to do is to set some common standards that people, other agencies buy in to. And that helps us in terms of the acquisition process because the private sector now doesn't have to deal with 100 variations. Mr. Mazer. Right. The private sector doesn't have to divine the intentions of each individual agency. Mr. Connolly. And are we expected to finalize that process soon? Mr. Mazer. The FedRAMP process is ongoing. There are a couple of, they call them--there's an acronym; forgive me if I can't break it out--3PAOs, that they are that qualified to look at a private-sector company as they are offering cloud services to the U.S. Government. Mr. Connolly. So can we expect something soon? Mr. Mazer. There are three--as services, as agencies are migrating to the cloud, they will avail themselves of the FedRAMP. The private-sector companies will avail themselves of the FedRAMP. Mr. Connolly. But you are anticipating we will proceed with FedRAMP as planned? Mr. 
Mazer. Yes, sir. Mr. Connolly. Thank you. Thank you, Mr. Chairman. Mr. Mica. Just a final question, a follow-up question. In your review, who is getting it right? Examples to look toward? Mr. Powner. Agencies that are getting it right? Mr. Mica. Yeah. Mr. Powner. We can look at some of those agencies. You know, typically, DOD is the agency that we point a lot of flaws out when it comes to the IT management recently with the IT Dashboard. Obviously, there's a lot of opportunity there for them to get it right. I turn to Mr. Mazer's organization, Interior; they're at the top of the list. You know, GSA was a latecomer up there, as we mentioned. But you have a number--DHS is also a leader. I mean, they were planning on going from 43 to 2 at one time, and now their numbers are a little bit different. But DOD, DHS, and Interior are clearly leaders up there. Mr. Mica. Okay. Did you have anything else, Mr. Connolly? Mr. Connolly. Not at this time, Mr. Chairman. Mr. Mica. Well, what we're going to have to do is thank you for being with us. We'll probably submit some additional questions to you from the committee. I didn't get to all that I wanted answered. Mr. Mica. And this is kind of a meat-and-potato hearing, as you fellow geeks would love this one, but---- Mr. Connolly. All the acronyms. Mr. Mica. Yes, exactly. Well, I have to sort through them. I kept going back to make certain I knew what they were talking about. And you've been doing this, focusing on this a lot more than I. But very important. I mean, we're talking saving billions and actually much more efficiently operating. Sometimes when I go back after we have done our hearings together, Gerry, we see the debt we're in and the situation we're in financially. If we could just start implementing these things on a fast track, we could---- Mr. Connolly. Yeah. Mr. Mica. --take that column of losses and get us into a much better fiscal condition. Now, again, I thank you for coming. 
I want to--particularly, we're going to ask Mr. Powner to probably come back when we have the other two witnesses, and maybe again you, too, Mr. Mazer. You could see how we have to have some other answers from OMB and GSA, who are not with us today. So, at this time, again, I thank you. We'll excuse you, and I'll call up our second panel. Our second panel of witnesses I will introduce as they're taking their seats. We have Mr. Steve O'Keeffe, and he is the founder of MeriTalk. We have Ms. Teresa H. Carlson. She is the vice president, worldwide public sector, of Amazon Web Services. We have Mr. Kenyon Wells, vice president of U.S. Federal, CGI Federal. Those are our three industry panel witnesses. I think this will be an interesting panel. I always think it's great to hear from the government witnesses, and we had two key witnesses here today who provided us with their perspective. But I think those from the outside that are involved in IT and also data center consolidation that they undertake for the private sector and the public sector, to get their on-the-ground, firsthand evaluation and provide that to our subcommittee today. So, with that, I welcome again Mr. O'Keeffe, Ms. Carlson, and Mr. Wells. As I indicated before, this is an investigative panel of Congress, so if you haven't done so, we're going to do it now. We're going to ask you to stand and be sworn in. Do you swear that the testimony you are about to give before this subcommittee of Congress is the whole truth and nothing but the truth? Mr. O'Keeffe. Yes. Ms. Carlson. I do. Mr. Wells. Yes. Mr. Mica. The witnesses have all answered in the affirmative. Let the record reflect that. And again, welcome you. We are fairly informal today, but we're trying to make certain that--I read, pre-read some of your testimony. 
Some of it's pretty long, but if you can consolidate your points, and if you have additional information, certainly your whole testimony will be included in the record. And then we'll go through all three of you, and then we'll do the questions rather than after each witness testifies. So I'm looking forward to all three of your testimonies. I have read a little bit of Mr. O'Keeffe's, and welcome him at this time, and recognize him. And thank you again for participating. STATEMENT OF STEVE O'KEEFFE Mr. O'Keeffe. Thank you. Chairman Mica, Ranking Member Connolly, and members of the subcommittee, thank you for the opportunity to speak to you today. My name is Steve O'Keeffe and I am not the voice for the GEICO gecko, as has been asked before. I'm, in fact, the founder of MeriTalk, the Data Center and Cloud Computing Exchanges. These are public-private partnerships focused on delivering tangible increases in efficiency in government IT. I have spent more than 20 years listening to Federal IT leaders talk about their challenges, their opportunities, and their frustrations. You have already heard a lot of numbers here today, but I'd like to cut to what's really important: tangible savings. I'm afraid the Federal IT reform is like a bad reality TV show. There is no budget. The actors are powerless. The end is predictable. But somehow we still keep watching. We need to change the script. As you've noted, it is sad that OMB and GSA are not here. So when Vivek Kundra announced FDCCI in February of 2010, we talked about this, OMB said that taxpayers would save between $3 billion and $5 billion by 2015. That's a lot of hamburgers. And so as we set tangible goals we need to report against those goals, and I think that's what this is all about. Cloud, too, was billed as an IT budget crusher. Today we are 18 months from the FDCCI savings deadline, and we have no idea how much money we have saved the taxpayer, which is not right. 
I would argue we don't need to keep counting data centers. We need to understand how much we've saved, which agencies are doing it right, and what we need to do to accelerate savings. Let's get straight about this. To help surface some answers MeriTalk recently released a new study, and I'm Ross Perot-style going to use some charts to illustrate. Mr. O'Keeffe. The study is called ``FDCCI: The Big Squeeze,'' and it is based on a survey of the operators in the agencies. What we want to do is learn from people on the frontlines what's going on. So a couple of statistics. Fifty-six percent of data center leads give their agencies a C grade or below on FDCCI. I think earlier Congressman Connolly asked if we were getting an A. It seems we're getting a C or below. I wouldn't be very excited if my children brought that grade home. Only half of Feds believe their agency is on target to meet the FDCCI number of closures. Ironically in this case, one of the questions you asked earlier about electricity savings, Feds believe that power is a significant area where we're going to save a lot of money. But based on our meetings with Federal data center leads, we found that 1 in 20 data center executives have an understanding of what they pay for electricity. So that's a significant blind spot. What about top obstacles? What we see is the Fed site, budget constraints, mission-owner objections, and the inability to consolidate applications as the biggest obstacles to progress, which gives me the impression that the model for the data center leads should really be that beatings will continue until morale improves. They have no ability, they're not empowered to change the equation. So it's great to point out what the challenges are, but let's go on the positive side and look at what we should do in order to remedy the situation. We call this our five-point plan. And the points are, number one, don't hide. 
Our concern is that by merging FDCCI with PortfolioStat we are going to be gerrymandering the metrics. And so we are concerned about that. We need to set realistic goals in the open and publish real status on success and failures. And yes, failures if that's what transpired. OMB has a total cost of ownership model. I think Mr. Mazer referenced it. In this era of open government, why does OMB insist on keeping this a secret? Why not publish the TCO model so we can find out where the money is? Number two, there is no money. Recognize that there is no new money to fund data center optimization. And so with that, we need to empower the CIOs to rationalize applications and maybe trust new approaches because we know the old ones have failed. Number three, application rationalization. If you do not cut the number of applications, you will not cut the number of data centers. The Army is running over 100 operating systems because it has so many legacy platforms. I think GAO flagged this. Uncle Sam does not need 622 HR systems. I think we can all agree on that. Four, marry IT and facilities. Wouldn't it seem logical that the data center lead should understand and own the budget for the total data center environment? GSA owns most of the facilities and pays the electricity bills. Why not publish the energy bills for each data center so we'd have a better sense for how to proceed? There are a series of new energy contracts out there, the energy savings performance contracts, and we'd like to see those moving forward more aggressively. Five, public-private partnership, please. Why don't we recognize that government is not the only organization that operates data centers? We can learn a huge amount from industry. Organizations like NASDAQ have put forth data center consolidation optimization initiatives. Let's look at some of those metrics. Now to cloud. The onramp to Federal cloud, FedRAMP, is horribly congested. We talked about problems with traffic earlier. 
In fact, you can hear the honking on the digital highway right now as software companies line up trying to get through cloud certification. After almost a year in operation, GSA's FedRAMP team has only certified two cloud service providers. How are agencies supposed to move to cloud when there are only two applications? It's just not feasible. If the cost of FedRAMP certification and the delays outweigh the volume of business that solution providers receive from agencies, that industry will take another road. That said, cloud acquisition vehicles are sorely needed. In closing, it's time to get real about Federal IT modernization. Are the agency CIOs really in charge, and therefore accountable for results? This question has very real implications for FITARA. Richard Spires' recent experience at Department of Homeland Security makes all CIOs question whether they have authority or not. We are ready and willing to discuss our initiatives and recommendations. We look forward to working with you to deliver improved efficiency in Federal IT, and welcome any of your questions. Thank you for the opportunity to talk today.

Mr. Mica. Well, thank you. Thank you for your testimony and your candor.

[Prepared statement of Mr. O'Keeffe follows:]

Mr. Mica. Let's turn next to Teresa Carlson, vice president for Amazon Web Services. Welcome, and you're recognized.

STATEMENT OF TERESA CARLSON

Ms. Carlson. Good afternoon, Chairman Mica and Ranking Member Connolly.

Mr. Mica. She is not coming in very loud.

Ms. Carlson. Good afternoon, Chairman Mica and Ranking Member Connolly. My name is Teresa Carlson, and I'm the vice president, Amazon Web Services World Wide. Thank you very much for inviting me to testify today on the Federal data center optimization and transition to cloud computing, and to discuss how the U.S.
Federal agencies can do more with less and to save taxpayer dollars. I'd like to submit my written testimony for the record.

Mr. Mica. Without objection, your entire statement will be part of the record.

Ms. Carlson. Also, I wanted to thank the university for having us here today. I spent many, many Saturdays and Sundays here at swim meets with my sons, and it is in beautiful Fairfax County, and it is a beautiful day. So I really appreciate them having us here as well.

Companies that leverage Amazon Web Services in the commercial sector range from large enterprises, such as Bristol-Myers Squibb, Shell, NASDAQ, to innovative startups like Pinterest and Dropbox. Throughout the U.S. Federal Government, agencies and departments are adopting AWS for a wide range of technology infrastructure services and applications, to include groups like the U.S. National Institutes of Health, NASA's Jet Propulsion Laboratory, and the U.S. Department of the Navy, Navy, and the U.S. Securities & Exchange Commission. AWS is passionately committed to sharing the benefits we can achieve as a cloud provider to Federal Government agencies, and our economies of scale have resulted in the rapid innovation of public cloud services and lowering the price for our customers. Specifically, we have lowered our cloud computing prices 31 times since 2006. Let me repeat, 31 times with no one pressuring us to lower those prices. We lowered those prices based on our savings and providing them back to the customer. Given the proven secure and game-changing efficiencies of cloud computing, we believe that the FDCCI should be directly linked to the Office of Management and Budget's ``Cloud First'' policy in order to be truly successful in the data optimization model.
While there is no doubt that since Federal Government workloads can continue to operate in government-owned data centers, there are a very large number of workloads that should be more suitable and efficiently managed in large-scale commercial cloud platforms. Therefore, the adoption of cloud computing services should be a central part of the Federal strategy. One way to think about cloud computing is that instead of buying and owning and maintaining their own data centers or servers, Federal agencies can acquire technology resources and compute power and storage on an as-needed basis and dispose of it when it's no longer needed. In fact, we have something called a Trusted Advisor service where we actively work with our customers to turn off servers when they're not being utilized, and they actually don't even have to worry about what their electric bill is because that's part of the service we provide and it's part of the pricing model, so they'll know that in real time. And users only pay for what they use by the compute hours, or storage-gigabyte, and they are not locked, they are not locked to any long-term contracts. They can choose long-term contracts, but they are not locked into anything like that. There's many, many examples of Federal agencies that have begun to embrace the cloud. A couple I'd like to highlight for you today is NASA's Jet Propulsion Lab. When the Mars Space Lab, also known as the Curiosity, successfully landed last year, public cloud computing infrastructure from AWS was utilized in support of various aspects of the mission, including the public outreach around the landing itself, so that everyone in the United States and the world could enjoy that landing, as well as the data and image pipeline--the pipeline management dealing with all the new data streaming that was actually coming down from Mars. 
Tom Soderstrom, the CTO of NASA JPL, described it this way: JPL has leveraged cloud services to dramatically reduce IT costs, and in the process increasing their agility and decreased the time to science while enabling JPL to have complete flexibility when using those computing resources. In fact, we worked with them in a very short period of time to get that set that up. It did not take much for them to procure and set that up. The U.S. Department of the Navy CIO's office recently initiated a pilot project to move unclassified data to the commercial cloud environment. The Secretary of the Navy's public-facing information portal is now on AWS, and they also have an initiative to work on a strategy to migrate all public-facing sites. And he's already said that--CIO Terry Halvorsen stated that the Department has achieved a 50 percent reduction in cost to operate this portal. Let's imagine for a moment, if that level of cost savings could be applied to all Federal IT spending, how much money could that actually be? And I believe it's a lot more than those $3 billion that were initially brought up. The reality is that cost savings is only part of the picture and that what we think is a fundamental and clearly a need to transition to cloud computing and this will be a big part of the optimization for the data center consolidation. There are many companies out there that have already taken full advantage of that in a commercial site like Netflix to move their entire infrastructure to the cloud. We think there is exciting opportunities out there to actually do a lot more with cloud services. We support what you've done already in both FITARA and FDCCI, and we appreciate having the opportunity today to speak to you and are prepared to answer any questions. Thank you again.

Mr. Mica. Well, thank you also.

[Prepared statement of Ms.
Carlson follows:]

Mr. Mica. And we'll turn now to our final witness on this panel, Mr. Kenyon Wells, vice president of U.S. Federal, CGI Federal. Welcome, and you are recognized.

STATEMENT OF KENYON WELLS

Mr. Wells. Thank you. Thank you. Thank you, Chairman Mica, Congressman Connolly. Thank you very much for the opportunity to appear before you today. My name is Kenyon Wells, and I'm vice president at CGI Federal Incorporated, a global information technology and business process services firm. I'm honored to provide some thoughts today about ongoing efforts for Federal agencies to optimize their use of their data centers and move to greater use of cloud computing technology. CGI applauds the subcommittee not only for its continued efforts to eliminate wasteful IT spending, but also for its recognition that continued investments in IT will save money, improve efficiency, and provide better services to U.S. citizens and businesses. In particular, CGI thanks the leadership of this subcommittee, as well as Chairman Issa, Ranking Member Cummings, and the full Oversight and Government Reform Committee for bringing many important issues to light with the introduction of H.R. 1232, the Federal Information Technology Acquisition Reform Act, and for the open and transparent manner in which that legislation was drafted. In February of this year, CGI became just the second company to be granted a FedRAMP cloud security provisional authority to operate. CGI is now delivering more than $100 million in secure cloud solutions to dozens of Federal programs, in addition to many other cloud implementations for State government and commercial clients. Based on these projects and discussions with other Federal agencies, CGI offers the following observations.
First, there is significant progress, but more can be done. There are two major drivers that lead to immediate cost savings for agencies in adopting cloud computing. One of these is the speed with which new systems can transition to go live in the cloud. For example, CGI worked with GSA to bring 30 systems live in less than 90 days. As a result, that agency program reduced their overall server footprint by 50 to 70 percent. The other immediate cost-savings driver is that agencies only pay for the capacity they need. So instead of running data centers that continuously provide peak capacity that is always underutilized, CGI's cloud clients have significantly lowered day-to-day costs and pay only for added capacity when it's needed. These immediate savings are a great achievement, but longer term the consolidation of data centers and migration to the cloud are but a step in the journey towards Federal IT modernization and consolidation. These more holistic efforts will eventually deliver savings that dwarf the numbers we are talking about for FDCCI today. Second observation. Cost savings are often difficult to quantify. A lot of what we are talking about here today, we have seen some of the reality as to why agencies struggle with it. And as the GAO report indicates, many agencies do struggle to determine just how much they save under consolidation initiatives. The challenges here are exacerbated by the lack of baseline IT costs on an agency-by-agency basis. Additionally, there are some initial costs associated with moving the cloud computing or closing down data centers which can delay the initial cost savings even though an agency will save significantly in the long run. Third, significant acquisition challenges exist. In discussions with numerous agencies on this topic, CGI has seen many that have struggled to modify their procurement methods when purchasing cloud services. 
Cloud computing not only represents a fundamental change in how IT services are delivered, but also how they are procured. A focus on using readily available contract vehicles could significantly accelerate cloud migration. Additionally, Congress and the administration could provide agencies with more freedom to enter into innovative agreements with industry to allow government to significantly reduce its upfront costs on the public-private partnership we're talking about. Many of CGI's commercial and State government clients have entered into an agreement where CGI assumes the initial transition costs so those clients can start saving on day one. If the Federal Government wants to do more with less, then it should embrace new methods of contracting that shift that risk and upfront costs to industry partners. Finally, strong leadership and interdepartmental cooperation increase the results from cloud. CGI commends DOD, DHS, and GSA for their collaboration as members of the Joint Authorization Board overseeing the FedRAMP program, which represents a significant and necessary step forward as the Federal Government looks to implement the cloud. FedRAMP's common-risk framework for all agencies is a critical piece of the puzzle that eliminates the needs for highly customized solutions that often hold no real extra benefit and severely increase cost. Moving forward, FedRAMP's continuing monitoring process is more frequent and more detailed than those already in place at most Federal agencies, which will create more confidence in security around commercial providers who receive their P-ATO. This will be followed on by the new DHS-led efforts around continuous monitoring which will only help push this effort forward so that agencies and Congress know both what IT assets an agency has and how they're secured. Thank you once again for the opportunity to participate in this important hearing. Since I'm a few seconds under, I'll add two additional things. 
One, thank you very much for holding this hearing here in my alma mater, though this campus looks very different than when I was here a couple of decades ago. And finally, since it is a few days from Mother's Day, I want to thank my mother and brother who surprised me by attending today, and thank her for making me come to this school and therefore be here. So I would look forward to any questions. [Prepared statement of Mr. Wells follows:] [GRAPHIC] [TIFF OMITTED] T1280.039 [GRAPHIC] [TIFF OMITTED] T1280.040 [GRAPHIC] [TIFF OMITTED] T1280.041 [GRAPHIC] [TIFF OMITTED] T1280.042 [GRAPHIC] [TIFF OMITTED] T1280.043 [GRAPHIC] [TIFF OMITTED] T1280.044 Mr. Mica. Well, we have a lot of mothers to be thankful for. But it's nice to have some of your family with you, and a successful alumni return and be a witness today. Interesting perspective from the private sector. Mr. O'Keeffe, your first--or your five-point recommendation seemed to differ a little bit from what I got out of Mr. Powner. I asked about the compatibility of what was going on with PortfolioStat, and it was interesting. I guess under PortfolioStat agencies are no longer required to submit the previously required consolidation plan and the memorandum does not identify a cost-savings goal. And you, of course, in your first recommendation said that's not the way to go. So I guess you differ a little bit with the testimony we had from GAO. Mr. O'Keeffe. I think it's very important to be consistent. If we said we were going to save--if we said we were going to save $3 billion, or $5 billion, or however many billion dollars it is---- Mr. Mica. Don't try to count. Mr. O'Keeffe. --don't keep changing the rules. So I think we just need to be consistent in terms of what we're doing. And I'm, again, also very interested to see this TCO model which Mr. Mazer talked about. Mr. Mica. The secret TCO model. Mr. O'Keeffe. Right. I don't see why that wouldn't--this is an era of open government. 
Why can't we see the way the agencies are measuring or OMB is measuring efficiency? Mr. Mica. We would have liked to ask that question to OMB today, but we will ask it at a future hearing. Mr. Connolly. In the spirit of open government they're not here. Mr. Mica. Oh, and I have to--first of all, I have to compliment this panel, Mr. Connolly. My experience has been that it's been like pulling teeth to get anybody from the private sector to come before any of our investigative or oversight hearings. I mean, they run like scalded dogs from us because they're so afraid of the agencies coming down on them for some reason or participating with us. So I thank you. I think you are providing a very valuable public service and insight, and I think it's important that we hear from people who are dealing with government on a day-to-day basis, see how things work and don't work, and then make recommendations to us. Again, I thought, Mr. O'Keeffe, excellent points here. Now, the other problem we have is, I think you highlighted in one of your recommendations--and GSA owns most of the facilities. I guess they pay the power bills and things like that. So there is not the accountability. There is no incentive. How do you change that now? And then we have pending legislation. I asked the question of the other panelists, do we need to do more to beef up the pending legislation? So first I will ask that, then I have another question. Have you read any of the proposed legislation? I think some of you actually participated. It's a fairly open process. Will it resolve some of these issues? I don't think it's going to resolve that one. Mr. O'Keeffe. If I might, I mean, I think that the language of FITARA was great. But the message in terms of empowering the CIO, which is critical in terms of the success of the program, runs contrary to what we have seen from an experience standpoint. 
I mentioned the experience with Richard Spires who recently was put on leave at Department of Homeland Security, and then resigned, very recently, and it just doesn't seem as though that there is real support for the CIOs to stand up against the components and the mission owners. And if that's the case, then, you know, given the experience with Richard Spires, I'm not sure other Federal CIOs are going to rush to stand up, because the support hasn't been there. So the language, I think, of FITARA is good, but I think we have to show that support. Mr. Mica. Should we beef up the language and empower the CIO more or---- Mr. O'Keeffe. I think we absolutely should empower the CIO more. But again, language is one thing, you know, it's actions which are going to be more important. Mr. Mica. It's interesting, because actually some of my first work many years ago was looking at government organizations and restructuring governments, primarily local governments, and after some years of doing that, you know, we could write the best charter of government and guidelines and everything, and then you get lousy people, they couldn't implement. And sometimes you would have lacking legislative authority, or a charter, and you get people who are creative and innovative, and they could succeed. So sometimes it's hard to craft that. But we want to make certain that we give them the tools to be able to do the job. So there is a disconnect between the facilities, the energy, things of that sort, so maybe there could be some change there. That's a tougher one, Mr. Connolly. I kind of think of things again that would empower a CIO to move forward. The thing that drives you nuts with government, you've seen it, is people are making a decision, or then the lack with this FedRAMP and the certification of--well, for cloud participation. We are up to two, you say? Ms. Carlson. Yes, two. Mr. Mica. And how long has that taken? Mr. O'Keeffe. Almost a year. Mr. Mica. A year. Ms. Carlson. 
We've been going through the FedRAMP process. We are very close, but it's a very long process, and I do really appreciate what, you know, the FedRAMP office is doing, because security is obviously very important. The one thing is, once it's there, they need to be able to utilize it, because as you begin to set more and more controls, every agency can stack and put more controls on top of the FedRAMP process, and you really don't have a FedRAMP process. You just have a FedRAMP process plus, plus, plus. Mr. Mica. And it goes on and on. Ms. Carlson. And it goes on and on, and it never, you know, comes to fruition. And then I think the second thing is the ``Cloud First'' policy. In order for this to really make sense, I do think they need measurements, respect to what Steve was saying, they need measurements in there to say, here is the real process we've made toward ``Cloud First,'' you know, around the application, consolidation effort as well, because you're only going to truly get there when you begin to take a look at what are those applications that you've done? How are you looking at the total picture as actually the consolidation effort? Mr. Mica. Does anybody know how many cloud certification requests are pending? Mr. Wells. There are over 80. Mr. Mica. Over 80? Mr. Wells. Yes, and many of those were just in the last couple of months. Mr. Mica. Okay. Mr. Wells. There were about 40 the beginning of December. Mr. Mica. Okay, so a huge number. So we need to get, first of all, some stability in the certification process, and people certified, then some motivation, and some empowerment of those charged with this responsibility to move forward, and again, some accountability in the system. Mr. Wells. Yes. Mr. Mica. I'm going down O'Keeffe's recommendations here. I thought it was a good summarization of some of the things that we needed. But do you not need 600 HR systems? 
That got me, because we started looking at Office of Personnel Management, and I think they have blown either a third of a billion or a half a billion dollars. And finally I was told--were any of you involved in that? No? Then they finally settled on a smaller contract after blowing lots of money and attempts, smaller contract, and then they discarded that. Now I understand they are going back to almost hand processing. That's the Office of Personnel Management for the Federal Government. And then we've 600 HR systems on top of that. So I can't even begin to imagine how much we spend in sort of a mundane process, not that there aren't variations for background checks and all kinds of information to be combined. The other thing is on retirement systems. That whole area, again, is just unbelievable money that's been spent, and I guess my comments were actually the hand processing for retirees is what they have gone back to, very costly. They just hired more and more personnel and abandoned IT as a solution. Is that---- Ms. Carlson. The opportunity there, especially with cloud computing, is the ability to not have to spend millions of dollars to test out systems. So with the cloud computing model you can set up and design something in a very small way without spending a lot of money. And the minute that works you move it into the test adaptive environment, and then right from there you can move it into production and then scale it. So you don't have to build a system for complete scale and then try to deploy it. So again, that's another opportunity because your cost, if you fail, you can fail fast, use those failures as understandings, and then recover, and you don't even have to throw away all that code. It actually can be utilized for the success that you need. Mr. Wells. And then taking that one step further, that makes sense, complete sense for custom application. 
But getting back to the retirement systems and the HR systems and all the other common systems that every agency has to use, moving toward software as a service, where you actually have a handful of applications that have been precertified and FedRAMP certified, that then agencies don't have to start from scratch, they don't have to reinvent the wheel. They'll have a handful of those, so hopefully more than that, enough to make it a competitive market space, but something they know works so that at least we can streamline it. Mr. Mica. A final question, and actually motivated by Ms. Carlson, is she had cited those that she felt were getting it right, and she talked about Jet Propulsion Lab, NASA, Navy. Are there good examples? I think it's always good to see who is doing things well and what steps they've taken, how they got to that success and--go ahead. Mr. Wells. I can add an additional one: Department of Homeland Security. Mr. Mica. Which is stunning to me, because I think it's one of the loose cannons of Federal Government, but that's another matter. Mr. Wells. As was discussed earlier, has certain challenges, both based on the size and the politics involved, but there is some very good work being done there. And a couple of years ago they purposely went down their own data center consolidation into two large DC1, DC2 data centers, and more recently when they decided to embrace cloud, they decided to go two different routes. One, build a private cloud on site in government infrastructure, since so much of their stuff is so sensitive; and second, to conduct a procurement to select a government community cloud, an external provider who has all the appropriate certifications. We were lucky enough to win that contract. Mr. Mica. Well, I'll have to go back and look at that, because I think almost all of our terrorist incidents, even the Boston, we still can't connect the dots. 
Maybe Homeland is doing a good job, but they haven't connected to State, and--I mean, other agencies. And it's very sensitive information. I don't know, but you're just talking about the practical implementation standpoint. Mr. Wells. Right. So, for example, they started with a couple of very small Web sites. They got comfortable with it, started adding more. Now all of DHS' public sector---- Mr. Mica. And it is a newer agency, so... Mr. Wells. Correct. Mr. Mica. Mr. O'Keeffe, any---- Mr. O'Keeffe. NOAA has also done a very good job, the weather guys. Mr. Mica. NOAA. Mr. O'Keeffe. Have put forth, you know, excellent progress in terms of modernization Mr. Mica. Just their IT. We still have a lot of people. Mr. O'Keeffe. They've consolidated a lot of their data centers. They've built a $2.4 billion data center out in Martinsburg, West Virginia, and they are operating at tremendous levels in terms of energy efficiency and such. Mr. Mica. Well, I could go on. I have a whole bunch of questions I would like to get. Let me let Mr. Connolly have a shot here. I went well over my time. Mr. Connolly. Thank you, Mr. Chairman. It was actually a very interesting line of questioning. Ms. Carlson, in your prepared testimony, I would like to cite something you said, because, Mr. Chairman, I think it sort of encapsulates the whole challenge of cloud for the Federal Government. And you say, ``One way to think about cloud computing is that instead of buying, owning, and maintaining their own data centers and servers, Federal agencies can acquire technology resources such as computing power and storage on an as-needed basis and dispose of it when it no longer is needed. Many industry experts refer to this as a utility model of obtaining and using IT capability analogous to how the government obtains access to water, gas or electrical power. Users to only pay for what they use.'' That's a pretty commonsense model. What's your understanding of how the government looks at that? 
And, for example, the task force, to the extent you're aware of their process, are they also looking at junk the whole thing and go private sector using this model? Ms. Carlson. I think it's a very good question. I think some are really evaluating that, as they begin to look at this different heavy lifting that they're trying to do when they can have what I call more mission for the money. You know, why not utilize your dollars for the true mission and not worry about building out infrastructure and these tools? And it's a very common model that you use now, and, you know, hundreds of thousands of customers and 190 countries, that for government, it is still an ``ah ha'' moment when we actually show them that they can provision virtual machines like that on a portal. They just can't believe it. And as Mr. Wells was saying, when that's configured in FedRAMP all they have to do is go provision it. They don't have to wait 6 months for the supply chain management. It's there and available. And it's very, I mean from a mission perspective, it's really a game changer for the U.S. Federal Government. Mr. Connolly. And I want to acknowledge that it may not always be appropriate, but it is an option that needs to be on the table. Ms. Carlson. That's correct. And we don't suggest that they just jump in. We suggest they take the opportunity to learn, because it is a big culture shift and we understand that. And the agencies that are getting there, it has taken them a little bit of time, but they're gradually moving more and more, and their really smart architects and engineers and research scientists now, are really--they enjoy the fact that they have capacity on demand as they need it and then they can shut it down. And they can see how much it costs. They can look at a portal and know immediately how much they're spending and the servers that aren't being utilized, and they can be turned off. And we help them with that. And that's really the key. 
We want them to be able to reduce costs so they can do more and to have all of the other components around security. Mr. Connolly. And I'm going to come back to that. Mr. Wells, you look like you wanted to talk to that point as well. Mr. Wells. We're in absolute agreement with this. And if you think about the overall Federal portfolio, what could go to the cloud, what can't, you know, under FISMA they have to categorize all of their applications low, moderate, or high. Low basically is, obviously, a system that, you know, doesn't have quite the same level of barriers as the others. FISMA moderate means normally there is Privacy Act data in it. PII, the kind of stuff we're worried about for identity theft, HIPAA data, confidential but unclassified, confidential business information, regulatory data, stuff that you really don't want to get out. And there are a number of controls put in place, defined by NIST, to do that. Low and moderate together is 88 percent of the entire Federal portfolio; 12 percent is classified FISMA high. That 12 percent is normally national security or critical infrastructure protection, the stuff that---- Mr. Connolly. I want to make sure we all understand what you just said. So what you're saying is that in data evaluation, 88 percent of the Federal market, in this market, would lend itself to private sector cloud computing. Mr. Wells. Correct. And that's for FISMA moderate. A FedRAMP FISMA moderate is a higher bar than a normal FISMA moderate. A normal FISMA moderate certification, as defined by NIST, has 252 controls. When the FedRAMP program sat down with all the different agencies to try to come up with what they would all accept, they ended up with 298 controls. And so it's a much higher bar, and they tried to get every agency to say, all right, what's the unique thing that you absolutely have to have. Fine, we'll incorporate that under the standard. 
But still many of those agencies will take that FedRAMP-certified infrastructure, or application, and they'll still want to do their own security checks on it again. That, I think, will be unnecessary as we go forward. Now, the FedRAMP process is still in the early stages. Mr. Connolly. Excuse me, but if they want to do that, for example, your services allow for that. Mr. Wells. Oh, absolutely, absolutely. That's a requirement. Ms. Carlson. In fact, we create a package and we make it very easy. And we sit down and they go through each and every control. And I actually might say that there's a lot of commercial companies that work and utilize that FISMA and FedRAMP process. We have many that say they go through the controls of the commercial company, because they think it is a Good Housekeeping seal of approval for security. Mr. Wells. It is the one area that I can say the Federal Government is probably ahead of the commercial sector from IT, and if the controls are followed and applied, it may not always be done in the most efficient method possible, but it is much more secure. Mr. Connolly. You mentioned, Ms. Carlson, JPL, and you said they achieved significant savings, dramatically saved IT costs, I think were your actual words. Ms. Carlson. Yes. Mr. Connolly. Could you just elaborate a little bit on that, because I think that's one of the things we're looking for--and I'm going to go back to Mr. O'Keeffe, if I may, Mr. Chairman--to talk about cost savings. But we need models. Ms. Carlson. Yes. Mr. Connolly. Where you can look at the reluctant players and say, don't be so afraid. It works. And you will be the better off for it. Tell us a little bit about JPL, your experience with JPL. Ms. Carlson. Yes. So one quick thing about JPL is they were seeing a trend where their engineers and researchers were trying to build their own OSs, their own operating systems, and it was highly inefficient. They were concerned about security. 
They knew that they were trying--they needed capacity when they needed it. So they started looking toward a cloud computing model to fulfill that. And then as a result, they gained a lot of knowledge over the last few years. But this one particular program that I talked about, and they can tell you the exact dollars better, but they said they paid 10 percent of the original cost by using a cloud computing model. They also have talked about another major Mars program that they ran. The program manager told me, if it hadn't been for the utilization of cloud computing, they would have had to shut the program down, because the original Mars Curiosity kept going, but they didn't think that the little buggy would go very long, like 2 months, and it was still running around taking pictures after 6 months, 7 months. And all of that amazing data being streamed from Mars, they wanted the ability to take advantage of that for educators, researchers, but they couldn't store it, they couldn't manage it, it was very costly. So as a result, that was another reason they looked to cloud. And I wanted to point out where we've seen the real push in cloud in the Federal Government is more on the program side, because the programs begin to say, I don't have enough money, like, I don't have enough money. So they look for options to keep their programs going, and then they begin to find that there are new realities out there of how they could deliver IT and really transform it. They think NASA JPL is a great example. And another one is Health and Human Services that's doing across the board, and many of their agencies are utilizing cloud now, especially for open and transparent programs like the 1000 Genomes, the oxygen database, BioSense. They're starting to look for ways that they can provide citizen services that are effective, that again reduce cost, and be able to scale when they need to scale things.
Mr. Connolly. And, Mr.
Wells, you actually have, you are one of the two companies certified so far for----
Mr. Wells. Correct.
Mr. Connolly. --this activity. Presumably in your experience with Federal clients, you have also been able to identify significant cost savings for the client.
Mr. Wells. Correct, and I think a lot of it comes back to what Teresa was just describing as far as the elasticity and that sort of thing. For example, I was mentioning the DHS Web sites earlier. One of those is FEMA.gov, and Ready.gov, which is their disaster preparedness site. And moving that into the cloud, out of one of their data centers, used to be that they had to build the infrastructure in their data center to the peak capacity they would ever think they would need. But when it's not hurricane season or when there is not a major disaster, they need less than a tenth of the power for those Web sites that they do need when there is a disaster. So when Superstorm Sandy was coming ashore, the President held a press conference, and he said, go to Ready.gov, there is disaster preparedness information there, take a look at that. And that was up and running in our cloud and we instantly saw a huge spike, nearly a hundredfold increase in the amount of activity on that. And the elasticity of the cloud allowed us to spin up those services and spin them back down a few days later when they weren't necessary.
Mr. Connolly. That's a great example. I would think particularly applicable to you, Mr. Mica, coming from Florida, in terms of the spiking in hurricane season and then coming down.
Mr. Wells. And one other cautionary aspect of that tale which I will throw out there is that at the same time we saw all of this incredible spike and people flooding to the site, the spike in the number of attacks on those sites--denial of services attacks, attempts at hacking, et cetera--spiked as well.
And the people in our security operation centers were watching it and were having to do some things to make sure that there was no interruption in service. But coming back to even a public-facing Web site that most of the year may not seem so critical, for a brief period is absolutely mission critical. And it's a sad testament, but it's the world we live in, that as soon as people started paying attention to it, people started attacking it, but that is the case.
Mr. Connolly. Sure. Yeah. Well, that's another hearing for us, cybersecurity, because it's an incredible problem. Mr. O'Keeffe, I was really struck by your presentation, thank you. And I thought the point you made with Chairman Mica was an excellent one. It isn't, while hopefully we do have it right, I mean, the idea that we have 250-plus CIOs in 26 agencies tells you what you need to know in terms of accountability.
Mr. O'Keeffe. Right.
Mr. Connolly. And decision making. We have to change that. But that alone, and maybe hopefully legislatively we've got that right. Enumerating the authorities of powers of that designated CIO, even that doesn't necessarily solve the problem, because what you're getting at is a culture, and changing a culture is always difficult. What are the attributes, if we were to have a successful cultural change, in the CIO you would look for, given private sector experience in the Federal Government.
Mr. O'Keeffe. Well, I think metrics are very, very important. The CIO is not an IT person. They are not putting together wires. They are not provisioning systems. This is a business professional. And so what we need to do is establish some real metrics. I think that everybody is afraid of accountability, and so what we see is that people run away from coming up with any metrics at all. No metrics at all is better than any kind of metrics whatsoever because you are going to be held accountable for them. So I think we have to--let's look at the private sector.
When we look at data center consolidation, whether it's NASDAQ, or Dow or whoever it may be, private sector organizations, they've done data center consolidations. And, you know, it's not a one-time operation. It's an ongoing operation. How long does it take to consolidate data centers or optimize data centers? How much does it cost? How much money do we have to put into the process in order to get something out of the process? Looking at things like PUE, it's another acronym, but it's a metric which shows the power efficiency of data centers. I think what we need to have is a practical framework in order to move the ball forward. And we need to make sure that when we make commitments that we measure ourselves against those commitments. And sometimes we're going to fail, but let's be open about what's actually transpiring. So I think, you know, as far as the CIO role across agencies go, they need to have authority, and with authority, was it Spiderman said, with great power comes great responsibility.
Mr. Connolly. Well, and one of the things I have heard from Mr. Spires and others who were CIOs, or are CIOs, from the private sector in the Federal Government, we need more flexibility and authority to award contracts, to make decisions about this system, not that system, close that, open that, you know, not dictatorial powers, but everything by committee means the path of least resistance, the least risky, but also the lowest payoff kind of outcome. And again, briefly, you might want to comment on that as well, in terms of the powers that we want to infuse CIOs with.
Mr. O'Keeffe. I think you're exactly right. You know, a camel is a horse built by committee. And so in many circumstances what we see is a lot of different camels running around the Beltway. And so we need to be prepared to take, you know, to take some chances on new approaches, whether that's, you know, cloud computing or what you will.
I think that the cholesterol that we see in programs like FedRAMP, the cure can be worse than the disease. So if we don't simplify what's going on, then we're never going to see any real progress.
Mr. Connolly. And that's my final question, actually, about FedRAMP. By the way, I would say to you, Mr. Mica, that sometimes we're the problem. I mean, if you want to understand why we have a risk-averse culture in the Federal Government, Congress has to bear some responsibility here. The minute somebody makes a mistake, if somebody thinks there's political advantage in exploiting that mistake, we have a hearing and we haul you before Congress and we threaten you with subpoenas. Well, who the hell wants to take a risk and face all of that? And we know in the private sector, I spent 20 years in the IT world of the private sector, some things work and some things don't. And a lot of what is considered highly successful today started out failing. And it took a lot of, you know--and if private sector entities had not--if they had the tolerance for failure we have in the Federal Government, a lot of this would not have happened, I submit. But final question. FedRAMP. The idea that there are 80 pending applications--and my guess is, by the way, there could have been more, people got discouraged.
Mr. O'Keeffe. That's right.
Mr. Connolly. Who wants to wait that long? And only two have been approved? What's your sense of the problem? What's the nature of the problem and what should we do to try to accelerate the certification process?
Mr. O'Keeffe. I think perfection is the enemy of the good, and so we're trying to solve for every scenario, and that's just not practical. So we need to simplify the process. That's really it.
Ms. Carlson. Yeah, I agree. I agree with that. I think it can evolve. I don't think it has to be perfect out of the gate. But I believe it's already, by the way, a very, very solid process.
And they need to be confident in what they've developed already and get it out there and try it. It doesn't mean that you can't come back around and hold the companies accountable once they've gotten the FedRAMP. They need to be able, which we do, we have to show that we're patching and doing everything appropriately. But I believe they need to be confident in what they develop, and also the agencies probably need to get more involved because the FedRAMP office themselves is not going to be able to do everything, so the agencies are going to have to work with the FedRAMP office and the vendor to certify in an appropriate way, along with the three PAOs.
Mr. Wells. I think the process is slowly getting better, just to say something positive out there. But it is important to remember that the FedRAMP requirement was in the end the result of something of a political process, again. The JAB wanted to make sure that this standard would be acceptable to all of the various agencies out there, so whenever someone would throw in a new barrier, they would add it to the list. So the bar is high. And the bar should be high. But if they had a little bit more authority, or there was agreement on, you know, amongst all the agencies that let's bring this down a couple of notches, it would streamline the process a great deal. But let's also recognize this is a brand new process with a brand new program that is, you know, trying to do something really groundbreaking across the entire Federal market space. So while I'd love for it to go better, I do want to give them some recognition that they're trying something very ambitious.
Mr. Connolly. Very helpful. I want to join the chairman in thanking our panel. I think it's very thoughtful, very insightful. I will add, though, and I know Mr. Mica shares this, there is no way Congress is going to continue to allow this process to go forward without cost saving being a major criterion.
The idea that it's sort of incidental to the process and sometimes not even impacted at all is a stunning thing to learn in the current environment, and by the way, takes an efficiency off the table. You know, you cited in your testimony, Ms. Carlson, that in some cases there could be 50 percent effectuated savings. Well, you know, in an $80 billion IT budget, let's just project and extrapolate that out: 50 percent saving across the board means we've taken $80 billion, not changed the appropriation one bit, but it's worth $120 billion, I mean, in terms of its buying power and so forth. But we're actually shrinking budgets, and so we've got to look for efficiencies, and I think the private sector is going to help us figure that out, because I don't know that left to our own devices we're going to do it.
Mr. O'Keeffe. Just one point. As far as appropriations go, one of the challenges is exactly on the Hill, inasmuch as if you look to close data centers and they're closed in specific people's districts, that's not real popular. So that's, you know, that's definitely a factor in this equation, right? If you try to close--you know, the whole point in closing data centers is you have to shut them. And if that data center is in a specific district, that can be a problem, so it can be somewhat of a circular discussion.
Mr. Connolly. Mr. Chairman, I thank you so much for your indulgence, and thank you so much for holding this hearing.
Mr. Mica. Well, it is interesting, very educational for me. A couple of final points. I can't remember, I read several of these reports in some other background information, I guess one of the problems that was identified someplace, and maybe it was--I thought it was in GSA, they said that the quality of the people who are involved in evaluating some of these systems in all is not the level that they need, because some of these people, you know, they're buying paper clips and office supplies and stuff. And I know this is kind of touchy.
Isn't GSA the one that's doing the certification, or responsible for it? Have you seen some of that or is that--anybody want to comment on it?
Ms. Carlson. I mean, the individuals we have worked with, I don't agree with that. I think the individuals we've been working with in the FedRAMP process----
Mr. Mica. They get it?
Ms. Carlson. Yeah, they are very good. And they have the three PAOs and they have been--I mean, they have been very professional. And like Mr. Wells says, this is a really important process, and they haven't put anyone in there that I don't feel has been competent.
Mr. Mica. The other thing too, Gerry, is we are asking people to dismantle sort of the standard operating safe procedure, buy a couple more hard drives, hire a few more people, as opposed to dismantling a lot of what they've got. And then of course Mr. O'Keeffe just said the politics of--I've tried FAA, I've tried some of the consolidation of the centers, like one in Florida, is like the, you know, every card in the world is pulled out to keep some things that are unnecessary in today's IT world, and computer and technology world. But it's very tough, so we end up being the problem. Well, again, I think we've gotten some good testimony. Just fascinated hearing--I guess if Amazon could get a little bit more experience under their belt, maybe they could get certified. For a mom-and-pops startup, I understand the difficulty you're incurring. But we should look a little bit more at that if we could get--yeah, and if 88 percent, you know, we could probably take it down a few more notches. We're not risking the national treasury or secrets. We could have a little bit more efficiency in this process. Well, again, I think it's most informative. I'm still disappointed we didn't have a couple of the key players here. We will convene another hearing, and we will talk to our leaders. If we have to bring them here voluntarily, we will; if we have to bring them involuntarily, we will.
But we will have a follow-up hearing. I think it's very important.
Mr. Connolly. Mr. Chairman, I also want to thank your staff. They have been very, very helpful and cooperative. We really appreciate it.
Mr. Mica. The beatings will not continue?
Mr. Connolly. No more beatings.
Mr. Mica. The sequestration will be eliminated. So thank you so much for joining us today and providing us with your testimony. Mr. Connolly, no further business? No further business before the Subcommittee on Government Operations. This hearing is adjourned.
[Whereupon, at 4:46 p.m., the subcommittee was adjourned.]