b"<html>\n<title> - THE FEDERAL INFORMATION TECHNOLOGY REFORM ACT SCORECARD 2.0</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n \n      THE FEDERAL INFORMATION TECHNOLOGY REFORM ACT SCORECARD 2.0\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                         INFORMATION TECHNOLOGY\n\n                                AND THE\n\n                            SUBCOMMITTEE ON\n                         GOVERNMENT OPERATIONS\n\n                                 OF THE\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              MAY 18, 2016\n\n                               __________\n\n                           Serial No. 114-159\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n                      \n                      \n                      \n                      \n                            _________ \n\n                U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n 26-068 PDF               WASHINGTON : 2017       \n____________________________________________________________________\n For sale by the Superintendent of Documents, U.S. Government Publishing Office,\nInternet:bookstore.gpo.gov. 
Phone:toll free (866)512-1800;DC area (202)512-1800\n  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001     \n                      \n                      \n                      \n                      \n                      \n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                     JASON CHAFFETZ, Utah, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York\nJIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of \nTIM WALBERG, Michigan                    Columbia\nJUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri\nPAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts\nSCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee\nTREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia\nBLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania\nCYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois\nTHOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois\nMARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan\nRON DeSANTIS, Florida                TED LIEU, California\nMICK, MULVANEY, South Carolina       BONNIE WATSON COLEMAN, New Jersey\nKEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands\nMARK WALKER, North Carolina          MARK DeSAULNIER, California\nROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania\nJODY B. HICE, Georgia                PETER WELCH, Vermont\nSTEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico\nEARL L. ``BUDDY'' CARTER, Georgia\nGLENN GROTHMAN, Wisconsin\nWILL HURD, Texas\nGARY J. 
PALMER, Alabama\n\n                   Jennifer Hemingway, Staff Director\n                      Julie Dunne, Senior Counsel\n                          William Marx, Clerk\n                 David Rapallo, Minority Staff Director\n                 Subcommittee on Information Technology\n\n                       WILL HURD, Texas, Chairman\nBLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking \nMARK WALKER, North Carolina              Minority Member\nROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia\nPAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois\n                                     TED LIEU, California\n                                 ------                                \n\n                 Subcommittee on Government Operations\n\n                 MARK MEADOWS, North Carolina, Chairman\nJIM JORDAN, Ohio                     GERALD E. CONNOLLY, Virginia, \nTIM WALBERG, Michigan, Vice Chair        Ranking Minority Member\nTREY GOWDY, South Carolina           CAROLYN B. MALONEY, New York\nTHOMAS MASSIE, Kentucky              ELEANOR HOLMES NORTON, District of \nMICK MULVANEY, South Carolina            Columbia\nKEN BUCK, Colorado                   WM. LACY CLAY, Missouri\nEARL L. ``BUDDY'' CARTER, Georgia    STACEY E. PLASKETT, Virgin Islands\nGLENN GROTHMAN, Wisconsin            STEPHEN F. LYNCH, Massachusetts\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on May 18, 2016.....................................     1\n\n                               WITNESSES\n\nMr. Steven I. Cooper, Chief Information Officer, U.S. Department \n  of Commerce\n    Oral Statement...............................................     6\n    Written Statement............................................     9\nMs. Dawn Leaf, Chief Information Officer, U.S. 
Department of \n  Labor\n    Oral Statement...............................................    13\n    Written Statement............................................    15\nMr. Michael M. Johnson, Chief Information Officer, U.S. \n  Department of Energy\n    Oral Statement...............................................    20\n    Written Statement............................................    22\nMs. Renee P. Wynn, Chief Information Officer, National \n  Aeronautics and Space Administration\n    Oral Statement...............................................    26\n    Written Statement............................................    28\nMr. David A. Powner, Director, IT Management Issues, U.S. \n  Government Accountability Office\n    Oral Statement...............................................    35\n    Written Statement............................................    38\n\n                                APPENDIX\n\nOpening Statement of Mr. Meadows.................................    82\nFITARA Scorecard documents for the record........................    85\n\n\n      THE FEDERAL INFORMATION TECHNOLOGY REFORM ACT SCORECARD 2.0\n\n                              ----------                              \n\n\n                        Wednesday, May 18, 2016\n\n                  House of Representatives,\nSubcommittee on Information Technology, joint with \n         the Subcommittee on Government Operations,\n              Committee on Oversight and Government Reform,\n                                                   Washington, D.C.\n    The subcommittees met, pursuant to call, at 2:04 p.m., in \nRoom 2154, Rayburn House Office Building, Hon. 
William Hurd \n[chairman of the Subcommittee on Information Technology] \npresiding.\n    Present from Subcommittee on Information Technology: \nRepresentatives Hurd, Walker, Blum, Kelly, and Lieu.\n    Present from Subcommittee on Government Operations: \nRepresentatives Meadows, Jordan, Walberg, Buck, Carter, \nConnolly, and Plaskett.\n    Mr.  Hurd. The Subcommittee on Information Technology and \nthe Subcommittee on Government Operations will come to order. \nWithout objection, the chair is authorized to declare a recess \nat any time.\n    We believe votes are probably going to be called around \n2:20, so we are going to try to get through as many of the \nopening statements as we can before we have to take a break and \ncome back for the questioning.\n    So thank you for being here and good afternoon.\n    Earlier in this Congress, the Subcommittee on Information \nTechnology and the Subcommittee on Government Operations began \na joint effort to hold agencies accountable for implementation \nof FITARA. Our oversight on this issue is part of an ongoing \neffort to reform the state of IT in the Federal Government.\n    FITARA can play a key role in ensuring broader authorities \nfor agency CIOs and a reduction of waste, fraud, and abuse. I \nthink it is important to keep that broader goal in mind as we \ndiscuss today's grades.\n    The intent of grading agencies is to provide an objective \nmeasurement of progress and challenges. Some agencies continue \nto do better than others. Today, I am pleased to see moderate \nimprovement in the grades from the first scorecard.\n    The overarching goal is for Federal agencies to transition \nto deploying modern technology rather than spending funds on \noutdated systems. Technology is a wonderful thing. It should \nreduce errors, save taxpayer money, and be a tool to help \nagencies accomplish their missions. 
It should not be a burden.\n    To agency CIOs looking to improve your score, I would say, \nthree things.\n    First, understand that the grade is a snapshot in time. The \ncommittee realizes, in many cases, the situations CIOs find \nthemselves in developed long before they got there and are the \nresult of decisions made by people who are long gone.\n    Second, the risk assessment transparency metric is entirely \nwithin the CIO's control. GAO reports validate the common-sense \nconclusion that major IT projects carry much more risk than \nagency CIOs are currently acknowledging to Congress and the \nAmerican people. I would encourage CIOs to take a good look at \nthe risk ratings they are assigning to projects on the \ndashboard.\n    And third, there are millions of dollars' worth of savings \nstill on the table for data center consolidation. GAO has \nreported that agencies have closed over 3,000 of about 10,500 \ndata centers and achieved $2.8 billion in cost savings rate. \nMost of these savings are attributed to just four agencies, \nincluding Commerce, who I believe is going to talk about that \ntoday. So there is much more in terms of savings left \navailable. GAO calculates plan savings of around $1.5 billion \nper year from consolidating data centers.\n    For those advocating for billions of additional funding to \nhelp modernize IT, I would suggest that savings from data \ncenter consolidation might be a better place to look than a new \nappropriation.\n    Under FITARA, CIOs now have a proper seat at the table. No \nlonger are technology and cyber issues confined to tech geeks \nin some backroom. In the digital age, IT issues are front and \ncenter. They are central to what government does and how it \ndoes it.\n    This committee intends to focus on ensuring the men and \nwomen in these CIO positions are qualified, accountable, and \nempowered to make decisions and lead within their agencies. 
The \nAmerican taxpayers deserve agency CIOs who understand the value \nproposition of the cloud rather than CIOs who believe their \nagencies are so special that a proprietary mainframe database \nis needed.\n    Congress requires accurate and complete data, and answers \nfrom agencies, rather than conflicting numbers and obfuscation. \nUltimately, taxpayers deserve a government that leverages \ntechnology to serve them rather than one that deploys \nunsecured, decades-old technology and keeps sensitive \ninformation in nonencrypted databases.\n    We are not there yet, and we have a long way to go, but I \nam cautiously optimistic that we are moving the needle in the \nright direction.\n    I thank the witnesses for being here today, and I look \nforward to their testimony.\n    Now, I would like to recognize Ms. Kelly, the ranking \nmember of the Subcommittee on Information Technology from the \ngreat State of Illinois, and my friend, for her opening \nstatement.\n    Ms.  Kelly. Thank you, Mr. Chairman.\n    And thank you, Chairman Meadows and Ranking Member \nConnolly. I know they will be joining us shortly.\n    Today's hearing is the third in a series that our \nsubcommittees have held to learn how agencies are implementing \nthe requirements of the Federal Information Technology \nAcquisition Reform Act. As was noted, during November's \nhearing, these hearings help us ensure that agencies are \nhitting the required benchmarks as we move toward a more \nefficient, modern, and secure Federal Government.\n    At the last hearing, we released a FITARA scorecard \nassessing agencies' implementation of four of the seven \ninitiatives required by the act. 
Today, we release an updated \nFITARA scorecard measuring agencies' progress in the areas of \ndata center consolidation, IT portfolio review savings, \nincremental project development, and risk assessment \ntransparency.\n    I am looking forward to discussing the grades received by \nthe four agencies here today.\n    Since the last scorecard, I am encouraged to see that out \nof the 24 agencies that are covered by FITARA, seven have shown \nimprovement in their overall grade, and others have improved in \nindividual categories.\n    Looking beyond the grades, let me say that I have been \nencouraged by the responsiveness of most agencies and the \nprogress in FITARA implementation to date. I especially want to \nrecognize, as the chairman said, the Department of Commerce's \nwork in exceeding their goal of saving $222 million through \nfiscal year 2016 in data center consolidations. I hope to see \nthis effort continued.\n    Government-wide data center consolidations alone have \nrealized $1.3 billion in savings, and we are expecting to save \nan additional $8.2 billion by 2019. These are good first steps, \nbut it is clear that there are obstacles to overcome in \nimplementation.\n    This new scorecard shows that numerous agencies have hit \nroadblocks and others have fallen behind in implementation. I \nlook forward to addressing these challenges today, also.\n    I'm especially interested in hearing how agencies plan to \nstick to their FITARA implementation plans as a new \npresidential administration takes charge next year. No \ntransition is seamless, so I look forward to learning what \nsteps your agencies are taking to ensure a transition that will \ncontinue the progress we have made so far.\n    We all know what is at stake here. The Federal Government's \nIT acquisition process isn't just an inefficient use of \ntaxpayer money. It is also a security risk. Too many agencies \nare still reliant on outdated legacy systems. 
With each passing \nyear, these systems cost more and more to secure and maintain.\n    FITARA not only helps Federal agencies save money in IT \nprocurement, it also helps them make smarter IT investments. \nQuite frankly, FITARA implementation is a change that the \nFederal Government has sorely needed.\n    I want to thank the witnesses for testifying today. I know \nthat an overhaul of your IT acquisition and management is not \nan easy task, so I look forward to hearing how your agencies \nare handling the challenges in implementing FITARA.\n    Thank you, Mr. Chairman. I yield back.\n    Mr.  Hurd. Thank you, Ms. Kelly.\n    I would like to now recognize the chairman of the \nSubcommittee on Government Operations, Mr. Meadows, for his \nopening statement.\n    Mr.  Meadows. Thank you, Mr. Chairman. Thank you for your \nleadership on this particular issue.\n    I'm going to keep my remarks very brief. They are about to \ncall votes here shortly.\n    So in doing that, I think it is more important that we \nemphasize the fact that FITARA is not a law that was passed \nwith no expectation of implementation. We are going to continue \nto follow up and continue to have these types of hearings.\n    We are hearing news that two of our witnesses hopefully \nhave plans that are either on their way or very close to being \ndone, so I applaud you for those efforts.\n    Really, this is more about accountability. For us, we want \nto see progress. We are going to work with the GAO on a number \nof fronts.\n    As we look at that, it is going to be a critical component \nof what we look at. I have already been talking to \nappropriators on a number of fronts. I'm willing that, if you \nare willing to do a good job, I am willing to be your advocate. \nSo I want to just stress that.\n    But thank you. I will submit a written statement for the \nrecord, Mr. Chairman.\n    With that, I will yield back.\n    Mr.  Hurd. Thank you, sir.\n    I now would like to recognize Mr. 
Connolly, the ranking \nmember of the Subcommittee on Government Operations, and the \narchitect of FITARA, or, as most people like to call it, the \nConnolly-Issa bill.\n    Mr.  Connolly. You are my very favorite chairman.\n    [Laughter.]\n    Mr.  Connolly. I've always thought that, except for Mr. \nMeadows. It is kind of a tie. Both wonderful human beings.\n    Thank you, Chairman Hurd, Chairman Meadows, and my friend \nRanking Member Kelly.\n    I welcome this latest joint subcommittee hearing to examine \nthe implementation of FITARA. I'm particularly grateful to my \ntwo colleagues on the other side of the aisle.\n    They made a promise we weren't going to let this go. Unlike \nClinger-Cohen, we were going to stick with this, and we were \ngoing to provide oversight. And they have kept their word. And \nthe four of us operate seamlessly. I think that is good for the \nUnited States Government.\n    I think, in partnership with the executive branch, we can \nmake a big difference on something that may seem deceptively \nuninteresting, but that actually can help transform agencies \nand how they do business and save lots of dollars for our \ntaxpayers.\n    Today, we release our second scorecard on FITARA. As I \nstated at our last hearing, the scorecard is not intended to be \na scarlet letter on some agency's back. It is meant to \nincentivize agencies to improve management of Federal IT \ninvestments and to create metrics so that we can look at \nprogress.\n    On the initial scorecard issued prior to December 31, for \nall agencies to have FITARA implementation plans, it was \nunderstandable that we saw some grades on the lower end of the \nscale. We were just beginning. Ds and Fs outnumbered As, Bs, \nand Cs more than 2-to-1. 
Today, we are pleased to see a very \nmarked improvement in the latest scorecard with higher marks \nnow outnumbering lower ones.\n    Seven agencies improved their overall grades, including the \nDepartment of Energy, one of today's witnesses, which jumped \ntwo letter grades.\n    I also want to commend the Department of Commerce for its \nwork on data center consolidation, a very critical part of \nFITARA. It originally set the goal of saving $222 million and \nactually reported $260 million in savings, an example to which \nother agencies ought to inspire.\n    While the Department of Energy and the Department of Labor \nare performing well on some aspects of the scorecard, I would \nnote both agencies only recently received OMB approval--\nrecently, I think it's in the last 24 hours, but all right, \ngood--for the initial implementation plan. Obviously, we expect \nto hear more from those agencies today about why their plans \nwere delayed and what actions they are taking to advance those \nimportant IT management and acquisition reforms.\n    It is also encouraging to see the Department of Energy \nreporting all three of its major IT projects meeting the \nincremental development benchmark for delivering functionality \nevery 6 months.\n    Similarly, I want to applaud the Labor Department for its \nrealistic evaluation of the risks present in its IT projects. \nThe department rated nearly three-fourths of its projects as \nhigh-risk, earning it high marks for risk assessment \ntransparency. I know Dave Powner and GAO are looking for \nrealistic assessment of project risks and what they entail.\n    Accurately calculating and reporting project risk is a \ncontinuing challenge. Agencies currently report two-thirds of \ntheir IT investments pose low risk. 
Based on GAO's more \nthorough reviews of those projects, that risk, we believe, is \nunderstated.\n    Accurately capturing the risk so we can respond to it and \nanticipate problems is one of the pillars of FITARA. It is a \nmanagement concept, so we look forward to hearing more from GAO \non how to address that challenge as we move forward.\n    I also want to hear from today's witnesses about whether we \nare accurately defining IT investments and how that may affect \nimplementation of reforms.\n    For example, neither the Commerce Department nor NASA \nincludes spacecraft or satellites in their reporting. Surely, \nthose systems fall under the IT umbrella, so we would like to \nhear their thoughts about that.\n    It is also puzzling that the government agency with \narguably the most innovative and technologically demanding \nmission continues to receive the lowest marks on the scorecard, \nNASA. NASA has not reported anything under incremental \ndevelopment and received failing grades for the other three \nmetrics. For example, it says that it plans to spend $731 \nmillion on major IT investments this year, but reports none of \nthose projects are high-risk. That stretches credulity, and we \nwant to talk about that today.\n    Mr. Chairman, before closing, let me share an example of \none agency doing the right thing, though it might not have been \nreflected in its initial grades. 
As my colleagues will recall, \nthe Department of Transportation scored at the lower end in \ncertain areas, but CIO Rich McKinney actually demonstrated that \nhe gets what we are trying to deal when we put a freeze on IT \nacquisitions for 90 days at the end of last year because he \ndiscovered component agency CIOs did not have a good handle on \nwhat their agencies were spending.\n    We want more CIOs exercising that kind of new authority \nunder FITARA.\n    Today's hearing is just the latest in what we all hope will \nbe an ongoing series as we continue to push agencies to adopt \nthese reforms.\n    Again, I thank my three colleagues for their willingness to \ncollaborate as one to try to make the government function \nbetter and to save money for our hardworking taxpayers. Thank \nyou very much.\n    Mr.  Hurd. Thank you, Mr. Connolly.\n    I would like to hold the record open for 5 legislative days \nfor any members who would like to submit a written statement.\n    We will now recognize our panel of witnesses. I am pleased \nto welcome Mr. Steven Cooper, chief information officer at the \nU.S. Department of Commerce; Ms. Dawn Leaf, CIO at the U.S. \nDepartment of Labor; Mr. Michael Johnson, CIO at the U.S. \nDepartment of Energy; Ms. Renee Wynn, chief information officer \nat NASA; and Mr. David Powner, director of IT management issues \nat the U.S. Government Accountability Office.\n    It is always a pleasure to have you here, David.\n    Welcome to you all. Pursuant to committee rules, all \nwitnesses will be sworn in before they testify, so please rise \nand raise your right hands.\n    Do you solemnly swear or affirm that the testimony you are \nabout to give will be the truth, the whole truth, and nothing \nbut the truth?\n    Thank you. Please be seated.\n    Let the record reflect that the witnesses answered in the \naffirmative.\n    In order to allow time for discussion, we would appreciate \nif you would implement your testimony to 5 minutes. 
Your entire \nwritten statements will be made part of the record. If the \nbells go off while you are talking, just keep going. We will \nconclude at your statement.\n    Now, I would like to thank Mr. Cooper at the Department of \nCommerce. You got a B, the highest grade that we gave. Mr. \nCooper, you get to kick us off today, starting with your 5 \nminutes.\n\n                       WITNESS STATEMENTS\n\n                 STATEMENT OF STEVEN I. COOPER\n\n    Mr.  Cooper. Thank you very much. Chairman Hurd, Ranking \nMember Kelly, Chairman Meadows, Ranking Member Connolly, and \nmembers of the subcommittees, thank you for the opportunity to \nappear before you today to discuss Commerce's work on the \nimplementation of the Federal Information Technology \nAcquisition Reform Act, and thank you for your resolute \nbipartisan efforts to ensure that this critical law is \nimplemented successfully.\n    To begin, I believe FITARA is one of the strongest and most \nhelpful pieces of legislation to improve CIO involvement with \nthe decision processes and policies related to managing \ninformation technology resources and increased government \nefficiency and effectiveness. I am committed to its success.\n    Secretary Pritzker and Deputy Secretary Andrews strongly \nsupport FITARA and have made FITARA one of their and my key \npriorities. They have made it clear to DOC's executive \nleadership that FITARA is the responsibility not only of the \nCIO, but all their senior staff.\n    Since October 2015, the department's FITARA team, \nrepresenting my office and the department's budget, \nacquisition, personnel, and legal offices, has been meeting \nweekly to ensure the full implementation of our FITARA plan and \nFITARA across the Department of Commerce.\n    FITARA implementation is one of my top goals, and I have \nnamed one of my senior staff, Ms. 
Erin Cavanaugh, who is with \nme today, our full-time program manager for FITARA \nimplementation, making the department one of only a few \ndepartments to create a full-time FITARA program official.\n    Let me now highlight progress we have collaboratively made \nin three specific areas, and why I believe we are on a path to \nachieve full implementation in the budget, personnel, and \nacquisition areas required by FITARA.\n    First, budget. My office is working closely with the \ndepartment's offices of budget to ensure that I am fully \nengaged in the budget formulation and review process to enable \nme to review and approve the overall DOC IT budget. Leveraging \nFITARA has allowed me as the DOC CIO to have full visibility \ninto each bureau's IT budget, which enhances my understanding \nof our full ask and spend, and helps me identify opportunities \nfor strategic and operational collaboration all across all 12 \nof our bureaus in areas like cybersecurity, enterprise \nlicensing agreements, cost savings, and contract consolidation. \nI am particularly pleased that the NOAA and Census CIOs and \ntheir budget offices have worked closely with my office and the \nDOC budget office to introduce greater involvement in budget \nformulation and visibility.\n    Second, acquisition. Our Office of Acquisition Management \nhas revised the Commerce acquisition manual, so that the CIO \nnow participates in the review and approval of all acquisitions \nabove $10 million, whether or not a program was initially \ndetermined to be IT. This is a significant change. Previous \nacquisition policy only required my office participation on \nacquisition over $75 million.\n    Third, personnel. Our chief human capital officer and I \ndrafted and reviewed and signed a new department bulletin, \nwhich gives me direct involvement in the selection \nresponsibility over all SES IT and all CIO-titled positions \nacross the department. 
That said, our IT work force planning is \nnot complete, but I expect to see considerable progress in the \nnext 6 months in addressing the hiring and retention of \ncritical IT resources for cyber and IT risk management, data \nanalytics, agile development, and Web services.\n    Another notable goal of FITARA and of every CIO is cost \nsavings in the IT environment. While my particular driver is \nnot the cost savings per se, I fully expect implementing FITARA \nwill help me drive the unit cost of every IT service we deliver \ndown. This will result from opportunities identified through \ngreater oversight, visibility, and collaboration across IT \nacquisition and budget formulation.\n    In closing, for our DOC FITARA implementation to fully \nsucceed, we need more than just law or policy. We need to \ninstitutionalize best IT practices and processes across the \ndepartment. My staff is working with their counterparts in each \nbureau CIO office and in our H.R., finance, and acquisition \noffices to improve visibility and participation in all IT \nbudget and acquisition processes. I expect to have initial \nprocess improvements and reviews in place by the end of this \nfiscal year, and to operate more efficiently in the future.\n    I thank the subcommittees for holding this hearing and for \nyour commitment to ensuring successful implementation of \nFITARA. I would be pleased to answer any questions you may \nhave.\n    [Prepared statement of Mr. Cooper follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n   \n    \n    Mr.  Hurd. Thank you, Mr. Cooper.\n    I now would like to recognize Ms. Dawn Leaf, CIO at the \nDepartment of Labor, who had a grade of C, which is one step \nbetter than you were the last time we issued these grades.\n    So, Ms. Leaf, over to you for 5 minutes.\n\n                     STATEMENT OF DAWN LEAF\n\n    Ms.  Leaf. 
Chairman Hurd, Ranking Member Kelly, Chairman \nMeadows, Ranking Member Connolly, and members of the \nsubcommittees, good afternoon and thank you for the opportunity \nto brief you on the Department of Labor's FITARA \nimplementation.\n    I would like to focus on some challenges, highlight some \nprogress, and provide you a working-level perspective on how \nFITARA can help the department to improve its IT services.\n    First, let me state that, historically, the Department of \nLabor has had decentralized IT organizations and resources, \nthat these have been fragmented and siloed at the department \nbureau level. We have experienced the same inefficiencies and \nissues that I know this committee has heard described in other \nhearings by other agencies.\n    Another relevant factor that I would like to emphasize is \nthat decades of information technology underinvestment and the \nfragile state of our IT infrastructure and our application \nsystems make it challenging for the department to improve its \nperformance in some of the FITARA metrics.\n    Specifically, it is difficult for the Department of Labor \nto achieve high scores and cost savings because we are on a \nbare-bones IT budget to start with. There is not much to cut.\n    On the positive side, we have a great opportunity with cost \navoidance, to leverage enterprise investments in IT, to add \ntechnology capabilities and services, and to do so more \nefficiently.\n    Turning to progress, the department has improved and \nstrengthened its IT governance processes, and that has helped \nus to improve transparency, to improve our risk management, and \nto improve our incremental delivery and development.\n    In 2012, the department launched an initiative to \nconsolidate nine separate agency infrastructures. We have made \nsome progress, and we have proven that we can deliver modern IT \nservices on time and within budget.\n    By the end of 2016, we will have closed 38 of our 90 data \ncenters. 
We will have achieved or met our 40 percent data \ncenter consolidation target.\n    In 2014, the department migrated 17,000 employees from nine \nseparate legacy email systems to a commercial Federal community \ncloud service. For the same cost, we are able to give our \nemployees 400 times as much storage, which gives them back 2 \nhours per month per employee, because now they are able to just \nwork instead of spending 2 hours a month archiving email so \nthat they have enough space to work, so they can send and \nreceive emails.\n    In 2015 and 2016, the department improved our cybersecurity \nposture, including a 95 percent reduction in security \nvulnerabilities by implementing an aggressive security patch in \nour patch management process.\n    We are planning a 2017 through 2019 unified communications \nproject to redesign, modernize, and consolidate nine decades-\nold networks in over 600 locations throughout the U.S. This is \nnot only critical for security, it also allows us to reduce \ncosts. We will be able to reduce 85 percent of our voice \ncircuits and 50 percent of our phone management costs.\n    In closing, I would like to just touch on two ways that \nFITARA can help the Department of Labor with its IT challenges.\n    FITARA is especially important to an agency that is \nstarting in an underfunded position, because it encourages the \ndepartment to make IT investments that are not only effective \nfor agency missions, but efficient. FITARA also provides \nstructure to help us manage change, organization change and \ntechnology change.\n    While the Department of Labor is moving forward, we realize \nthat we have a long road ahead. Thank you for the opportunity \nto share my thoughts, and I am happy to answer any questions.\n    [Prepared statement of Ms. Leaf follows:]\n    \n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n   \n    \n    Mr.  Hurd. Thank you, Ms. Leaf.\n    Mr. 
Johnson, you are now recognized for 5 minutes, and the \nDepartment of Energy has moved the most in their grades to a C, \nI believe from an F, the last score. So thank you for that, Mr. \nJohnson. You are now recognized for 5 minutes.\n\n                 STATEMENT OF MICHAEL M. JOHNSON\n\n    Mr.  Johnson. Good afternoon, Chairman Hurd, Ranking Member \nKelly, Chairman Meadows, Ranking Member Connolly, and \ndistinguished members of the committee. On behalf of the \nDepartment of Energy, I appreciate the opportunity to appear \nbefore you to discuss the department's implementation of the \nFederal Information Technology Acquisition Reform Act.\n    The department has been working closely with OMB to \nimplement FITARA and cyber best practices across the complex \necosystem that is the Department of Energy as we meet our \ndiverse mission. We are pleased that the committees' just-\nreleased May 2016 FITARA implementation scorecard 2.0 \nacknowledges that the department is making progress.\n    Just this last Friday, DOE submitted to OMB the third major \nrevision to our initial FITARA implementation plan submission. \nI am pleased to say that yesterday OMB approved DOE's FITARA \nimplementation plan, and we will post it to our public Web site \nwithin the next 30 days.\n    DOE's FITARA implementation plan is transformational for \nthe department, and it results in unprecedented CIO engagement \nand DOE enterprise-wide transparency into IT budget formulation \nand review, acquisition review and approval, and IT work force \nplanning. In addition, the plan provides for the collection of \ndetailed IT and cyber performance metrics across all DOE IT \ninvestments.\n    At the request of the Secretary, I joined DOE a little over \na year ago to develop and implement an effective cyber strategy \nfor the DOE enterprise. 
The complex DOE enterprise comprises 97 \nentities across 27 States, to include 19 staff offices, 10 \nprogram offices, 19 field sites, 17 National Laboratories, four \ntechnology centers, and the four Power Marketing \nAdministrations.\n    Each entity is structured to perform its area of our \ndiverse mission that spans nuclear security, scientific \nresearch, energy, and environmental management. All but one of \nour National Laboratories are government-owned, contractor-\noperated facilities managed through the management and \noperating, or M&O, contracts designed to enable innovation and \nmanagement efficiencies.\n    Our cyber governance is both transparent and responsive, \nand includes close collaboration involvement with all entities \nacross DOE, notably the National Laboratories.\n    The Deputy Secretary chairs the DOE cyber council. As CIO, \nI chair the DOE Information Management Governance Board. We use \nthese entities to oversee development, coordination, and \nimplementation of DOE's cyber- and IT-related policies.\n    The information technology portion of DOE's budget is \napproximately $1.7 billion, which often is integrated into the \nlarger non-IT investments. We have expanded our processes to \nensure CIO involvement in all phases of annual and multiyear IT \nplanning, programming, budgeting, and decision-making. The \ndepartment has also developed an enterprise plan for review and \napproval of IT acquisitions that covers acquisition plans, \nstatements of work, evaluation, and selection criteria.\n    DOE understands the need to leverage human capital for \nsuccess. 
Accordingly, we are focusing on the development of a \nDOE cyber work force strategy that will increase the CIO's \ninvolvement in DOE's human capital selection practices with a \nfocus on developing performance goals with results-driven \ncritical elements and enhanced recruitment and retention of \nvital IT personnel.\n    The DOE continues to consolidate and optimize its data \ncenters to include advanced metering facility upgrades to \nimprove power utilization effectiveness.\n    From 2010 to present, for our updated and expanded \ninventory of 217 enterprise computing data centers, including \nboth Federal and M&O, we closed 75, increasing cost savings to \nthe department of just over $17 million.\n    We developed a unified DOE cyber strategy and \nimplementation plan that consolidates and prioritizes the \nexcellent cyber enterprise information resources management \ninitiatives ongoing at the DOE into five key areas: information \nresources management best practices, to include reliability and \nenhanced efficiencies; modernization, to quickly move from \nlegacy to transformative solutions; strengthen cybersecurity \nfundamentals, to reduce risk and enhance defense in-depth \ncapabilities; seamless integration of operations in \ncyberdefense, to combine situational awareness and threat \noperational status in enterprise-wide, real-time indicator-\nsharing; and cyber research and development intended to out-\ninnovate our adversaries and stay ahead of advanced persistent \nthreats.\n    In conclusion, DOE is actively engaged in FITARA \nimplementation and related transformational reforms, which will \nresult in significant insights into and enhanced oversight of \nDOE information and IT. Through a department-wide collaborative \nand inclusive process, we have made major strides toward the \ngoal, although further work is needed.\n    I thank the subcommittees for their commitment to ensuring \nsuccessful implementation of FITARA. 
Your support is vital to \nour success.\n    It has been my honor to provide this testimony, and I will \nbe pleased to address any questions you may have. Thank you.\n    [Prepared statement of Mr. Johnson follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n       \n    Mr.  Hurd. Thank you, Mr. Johnson.\n    Votes have been called. It is a six-vote series, so we are \ngoing to stand adjourned until the end of the final vote.\n    [Recess.]\n    Mr.  Hurd. The Subcommittees on Information Technology and \nGovernment Operations will reconvene.\n    I think we left off with you, Ms. Wynn, for your opening \nstatement of 5 minutes. Since I have called out the grades for \neveryone else, NASA had the lowest grade of the folks reviewed \nwith an F. Ms. Wynn, over to you for 5 minutes.\n\n                   STATEMENT OF RENEE P. WYNN\n\n    Ms.  Wynn. Thank you, Chairman Hurd, Chairman Meadows, and \nother members of the Information Technology and Government \nOperations Subcommittees for allowing me to appear before you \ntoday to update you on NASA's implementation of the Federal \nInformation Technology Acquisition Reform Act.\n    Unfortunately, NASA is at the bottom of the FITARA \nscorecard. That is not something we are proud of. NASA is fully \ncommitted to implementing the FITARA law. We know we have a lot \nof work to do, and I am here today to assure you that \nsignificant changes are already underway at NASA to improve our \nmanagement of IT.\n    But before I get into more detail about our implementation \nplans, I would like to introduce myself. My name is Renee Wynn, \nand I have more than 26 years of Federal service, spending most \nof those years at the Environmental Protection Agency. I joined \nNASA 10 months ago as the deputy CIO, and, 2 months later, I \nwas promoted to be the agency CIO.\n    Since then, I have initiated listening meetings to learn \nthe needs of my IT customers and how they can inform our joint \npath forward. 
I have visited each center, meeting with the CIOs \nand the center directors, and I've been meeting with each \nmission office at headquarters.\n    Everywhere I go, people are frank with me about IT needs, \nabout governance, and operational changes they believe are \nneeded, or changes they fear are coming. So I am listening and \ntaking action as quickly as I can.\n    The ball is now in my court to manage and secure the \nagency's IT resources, so that is what I and my amazing team \nare going to do.\n    To its credit, over the last several years, NASA has \ntransformed its IT governance structure to empower the CIO with \ngreater authority, and thus, today, I am the beneficiary of \nthese many changes.\n    For example, I now report directly to the Administrator and \ncan talk to him whenever I want. The CIO now sits on all key \nNASA decision-making councils, and the CIO has direct authority \nand oversight over the center CIOs, including their IT \ndecisions and acquisitions.\n    Better yet, NASA recently completed an internal business \nservices assessment of NASA's IT program. This BSA outlined \na series of steps the agency should take and plans to take to \noptimize and protect our IT assets.\n    In my personal opinion, this review has been a gift to \ncurrent and future NASA CIOs in that it says NASA supports you \nas the CIO and we do want you to transform the way NASA manages \nIT. Like FITARA, the BSA results will ensure that IT is seen as \na strategic agency resource establishing clear direction for \nthe NASA CIO to approve the agency's IT spend for non-highly \nspecialized and highly specialized IT.\n    Additionally, NASA is strengthening its alignment of IT \nresources against mission goals. My office will be held \naccountable for additional agency IT costs, schedule, and \nperformance through a new portfolio review process. 
NASA is \nproviding me with greater visibility into the overall budget \nplanning cycle, allowing me to spot IT resource problems at a \nmission level earlier on.\n    These are big steps forward for NASA, and NASA should be \ncommended for starting this process even before FITARA became \nlaw.\n    It is important to remember that NASA's scientific and \ntechnical mission is unique. For example, cooperation with \nother nations, the public, and scientists around the world is \none of NASA's founding principles. Therefore, NASA has always \nsought the widest practical and appropriate distribution of \ninformation about our missions. But in doing so, we must also \nsafeguard our IT assets against well-resourced and highly \nmotivated individuals who wish to harm us.\n    Malicious threats to our network are constantly evolving, \nwhich means our work is never done. Thus, I want to reassure \nyou today that IT is a top priority at NASA. While the number \nof attempted cyber instances against NASA continues to \nincrease, I am confident that NASA continues to appropriately \naddress them.\n    For example, NASA did not experience any major incidents in \nfiscal year 2015, as defined by the Office of Management and \nBudget. NASA has successfully met all capability targets \nestablished in the 2015 cyber sprint activity. And the DHS \ncyber hygiene report for NASA currently shows that there are \nzero critical vulnerabilities older than 30 days.\n    In conclusion, I appreciate the opportunity to appear \nbefore you today to reassure you that NASA has a strong \nfoundation upon which to successfully implement FITARA and that \nwe are committed to fully implementing FITARA. We remain ever \nvigilant with protecting our information assets as well.\n    I would be happy to answer any questions that you may have.\n    [Prepared statement of Ms. Wynn follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n   \n    \n    Mr.  Hurd. Thank you, Ms. 
Wynn.\n    Now someone who has testified many times before this \ncommittee, Mr. Powner, you are recognized for your 5-minute \nopening statement.\n\n                  STATEMENT OF DAVID A. POWNER\n\n    Mr.  Powner. Chairmen Hurd and Meadows, Ranking Members \nKelly and Connolly, and members of the subcommittees, I would \nlike to thank you and your staff for your continued oversight \nof the implementation of FITARA with the second set of grades.\n    We recently completed, at your request, detailed work on \nthree of the four scorecard areas to support your grading \nefforts. This afternoon, I would like to briefly discuss the \ngrades overall in each of the three areas we performed our \nwork. Those are data centers, dashboard accuracy, and \nincremental development, all major areas of emphasis with \nFITARA.\n    Starting with the grades, overall, there has been some \nprogress with seven agencies having higher grades, one lower, \nand 16 having no change. We view the 6-month progress as quite \npositive, since implementing FITARA and receiving higher grades \nwill take time to address long-standing, systemic weaknesses in \nIT management.\n    To comprehensively implement this law to better invest our \nNation's IT dollars, CIO authorities need to be strengthened. \nCritical to that are the FITARA implementation plans that are \nto provide an assessment of gaps in CIO authorities and agency \nefforts to improve those authorities. We are pleased to hear \nthat both Labor and Energy now have approved plans, so they are \nall in, and we will actually be looking at the next round of \niterations on those plans.\n    Now turning to data center consolidation, of the roughly \n10,500 data centers, 3,121 have been closed to date and another \n2,100 are planned. Interestingly, 84 percent of the closures to \ndate have come from four agencies, Ag, DOD, Treasury, and \nInterior. 
Your uptick of the data center grades is quite \nappropriate.\n    We want consolidation, and we want savings. This next slide \nshows savings to date with data center consolidation. I know it \nis hard to read. There are the closures, if you look at 3,100, \nif we go back to that prior one, the prior slide, please. The \n3,100, that is what has been closed to date.\n    I want to emphasize there are four agencies that are \naccountable for 84 percent of those 3,100 closures. Your uptick \nin their grades is appropriate.\n    If we flip to the next slide, this is savings. That gray \nshaded area there from 2011 through 2015, there has been \ncollectively about $2.8 billion in savings to date. There is \nanother $5.4 billion remaining. When you look at out-years, \nover $1 billion each year.\n    This is why FITARA is so important, because without FITARA, \nwe would not have this focus and attention on data center \nconsolidation.\n    A couple points on this chart. Four agencies account for 86 \npercent of the $2.8 billion in savings. Those are Commerce, \nDefense, DHS, and Treasury. Again, rewarding these departments \nwith higher grades for their substantial savings is an \nexcellent idea.\n    The other point I would like to make is that out-years \nsavings of $5.4 billion, we actually have a lot more than $5.4 \nbillion on the table. There were 10 agencies that had planned \nclosures that did not have out-year estimates that were called \nfor by OMB. We made recommendations to those 10 agencies.\n    And your downgrading those 10 agencies to emphasize the \nimportance of these out-year projections is really the right \nway to go. So what we want to do is we want to reward closures \nand savings, and we want to make sure there are not out-year \nprojections that we have to down tick in their grade. So that \nis going to be really helpful in ensuring we get the \nappropriate savings here.\n    Next, I would like to turn to dashboard transparency. 
\nFITARA codified the IT dashboard and CIO risk ratings for \napproximately 750 major IT investments across the departments. \nThese ratings indicate whether each investment is low, \nmoderate, or high risk. The dashboard currently tells us there \nare about 200 investments totaling about $12 billion that are \nmoderate or high risk, and that 72 percent of IT dollars the \ngovernment invests is low risk.\n    Although CIOs are acknowledging a bit more risk from your \nlast hearing, these IT dashboard CIO ratings still greatly \nunderestimate risk.\n    This next chart shows the results of our latest review on \nCIO ratings. We looked at approximately 100 investments on the \nIT dashboard and performed our own risk assessments compared to \nthe CIO ratings. So, for instance, that green bar on the top, \nthere were 61 CIO ratings that were rated as low risk or green. \nOur assessment concluded that only 10 of those were green, 28 \nshould have been yellow, and 23 should have been red. So that \nis an indication of where we need to get better transparency \nand accuracy so that we can better manage these major IT \ninvestments.\n    Your grading scheme, Mr. Chairman, which equates higher \ngrades with acknowledging more risk is definitely the way to go \nuntil CIOs start acknowledging more risk with their ratings.\n    Turning to incremental development, FITARA requires that \nCIOs certify that IT investments deliver in increments \nconsistent with OMB policy, which requires that major \ninvestments deliver in 6 months. Agencies collectively report \nthat 65 percent of their IT projects government-wide plan to \ndeliver in 6 months.\n    Our review found some agencies were accurately reporting \nthis, like DHS and Transportation. 
However, others, like \nCommerce and Treasury, were not, and your grades adjustments to \nthose two agencies were appropriate.\n    I would like to conclude by thanking your subcommittees for \nyour aggressive oversight of FITARA implementation with your \nscorecard and your many other actions. With the upcoming change \nin administration, it will be very important not to lose the \npositive momentum we have. Our team at GAO will be working very \nhard through this transition, addressing several requests from \nyou to keep the focus on CIO authorities, delivering \ntransformational IT solutions, and replacing antiquated, \ninefficient, and, in many cases, insecure systems and \ninfrastructure.\n    Chairmen Hurd and Meadows, Ranking Member Kelly, I thank \nyou for your leadership. Our team at GAO looks forward to \ncontinuing to work supporting your efforts on FITARA \nimplementation.\n    [Prepared statement of Mr. Powner follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n   \n       \n    Mr.  Hurd. Thank you, Mr. Powner.\n    I will now recognize myself for 5 minutes for opening \nquestioning.\n    Mr. Cooper, I want to start with you. Commerce is one of \nthe four agencies that is responsible for 86 percent, 87 \npercent of the savings in closing down the data centers. How \nare you able to use that money that you save?\n    Mr.  Cooper. We have an internal process that is set up. As \nwe realize savings, we have a prioritized bureau-specific list \nof priorities. The bureaus bring forward, through our \ninvestment review process, their savings dollars redirected \nagainst that prioritized list.\n    So it comes through the bureau investment review process up \nto the department review process. That way we have ----\n    Mr.  Hurd. Mr. Cooper, I'm going to interrupt there.\n    Mr.  Cooper. Please.\n    Mr.  Hurd. 
If you realize savings in your operations, you \nshould be able to use that savings also to go after some of the \nother projects of legacy systems that you have already \nidentified. Are you able to do that?\n    Mr.  Cooper. Yes. I was going into a little bit of detail \non how we do that. The answer is yes. We have a process. We \nactually do, both at the department level and at the bureau \nlevel, redirect that savings. It is redirected based upon the \npriorities of new investments or risk-based issues that need to \nbe addressed at the bureau level and the department level.\n    Mr.  Hurd. Thank you, Mr. Cooper.\n    Ms. Wynn, 10 months at NASA, correct? Two months in the CIO \njob?\n    Ms.  Wynn. I was 2 months as the deputy CIO and then \npromoted to the CIO the last 8 months.\n    Mr.  Hurd. So are we going to be able to get to Mars if we \nare still using Fortran?\n    Ms.  Wynn. Thank you for your question, Chairman. At this \npoint, I am not an expert on what it is going to take to get to \nMars, but I'm happy to take the question for the record, and \nadd the question about programming language as well.\n    Mr.  Hurd. Please do.\n    My question for you is, so you have come in and inherited a \nsituation, and we recognize that. What additional \nresponsibilities or authorities would you like to have in order \nto right this ship?\n    Ms.  Wynn. Chairman, thank you for the recognition to the \nnewness. It is much appreciated.\n    On March 31, the agency approved our transformation plan. \nIt is about 219 pages. That gives me a lot of authority that is \naligned with the FITARA law, as well as some things that NASA \nsaw that needed to change. So at this juncture, we are changing \nour governance structure, changing the way we take a look at \nthe budget, as well as taking a look at how we do portfolio \nreview.\n    At this juncture, that feels like it is going to be an \nexcellent start for me at NASA.\n    Mr.  Hurd. 
When did the CIO report directly to the \nAdministrator, when did that change happen?\n    Ms.  Wynn. It is my understanding that that started about 2 \nyears ago.\n    Mr.  Hurd. When it comes to incremental developments, on \nyour scorecard, there is no data on this. Is that because there \nare no IT projects in the works? Or is it because we don't know \nwhich IT projects are in the works?\n    Ms.  Wynn. Chairman, the lack of incremental spending is \ndue to, I believe, a couple things. One is, in my opening \nstatement testimony, I emphasized the ability of the CIO to \nlook at specialized and nonspecialized IT. The nonspecialized \nIT is our mission IT where a lot of development work is in our \nregular, ongoing basis. I recently have been given the \nauthority to begin to look to make more transparent what goes \non there. That is where a lot of our development happens, and \nthat is where I am expecting to be able to say to you, yes, we \nare doing incremental.\n    Mr.  Hurd. In the next review cycle, what should we expect \nfrom NASA?\n    Ms.  Wynn. At this juncture, in discovering this in \npreparation for the hearing, this is what I expect to be able \nto deliver to you. One is information on how much we have \nactually saved in closing our data centers, to be able to say \nto you that we have a good plan for a modified portfolio review \nprocess that includes the infrastructure IT as well as our \nmission IT, and then finally be able to report to you where we \nhave actually driven a lot of savings in our software \nmanagement.\n    Mr.  Hurd. I think that would be pretty successful.\n    Mr. Johnson, the 14 or 17 National Labs, why do they need \nan exemption from FITARA?\n    Mr.  Johnson. Thank you for the question, Chairman.\n    So, as you know, DOE does not have a position on the \nlegislation, which exempted the National Labs from FITARA \nimplementation. 
However, we have been working closely with the \nNational Labs just over 1 year that I have been the CIO within \nDOE. Through a collaborative process, which included not only \nthe program offices and the National Labs, we have been putting \nin place a number of what we call transparency reforms that get \nto an effective management of our IT and cyber work force and \ninformation across our entire enterprise to include our \nNational Labs.\n    Mr.  Hurd. In my opinion, the National Labs are probably \nsome of the most important things to protect, and they are \nprobably the biggest target when you look at nation sponsors \nthat are looking at cutting-edge technology.\n    Not adhering to some of what I would consider some very \nbasic standards for good digital hygiene to me does not make \nsense. This is an area where my expectation is that these \nNational Labs have some greater transparency on what they are \ndoing, how they are doing it, and ensuring they are not using \nFortran and systems that are super old and outdated.\n    I think as we go forward and have new laws and go through \nappropriations, some of those things may change.\n    Ms. Leaf, what took so long to get the implementation plan \napproved?\n    Ms.  Leaf. Thank you for the question.\n    The department leadership felt that it was very important \nthat we complete due diligence in understanding the \nrelationship of FITARA with the Confidential Information \nProtection and Statistical Efficiency Act, or CIPSEA.\n    So the department reviewed that internally. They requested \nguidance from OMB, which we received. When we received it, we \nincorporated it and finished our plan.\n    Mr.  Hurd. Ms. Leaf, thank you very much.\n    I now would like to recognize my colleague, Ms. Kelly, for \n5 minutes of questioning.\n    Ms.  Kelly. Thank you, Mr. 
Chair.\n    Last November, the committee received a briefing on GAO's \nreview of how the 24 agencies identified in the Chief Financial \nOfficers Act of 1990 had begun implementation of FITARA. At the \ncommittee's request, four key areas of FITARA were scored, \nenhancement to agency chief information officer authorities, \ntransparency and risk management, portfolio review, and Federal \ndata center consolidations.\n    Mr. Powner, this question is for you. Can you explain why \nthose areas were selected and how the scores were calculated?\n    Mr.  Powner. First of all, in working with your staff, I \nthink we all collectively decided, and it was a great \nbipartisan effort, that these were areas directly tied to \nFITARA. They were areas where needed reform needed to \noccur. They were also areas where agencies had data.\n    So if you look at incremental development, scores on the \ndashboard, and savings, there is publicly reported data on the \ndashboard, on the CIO ratings, and incremental development, and \nthen also, too, there is savings information that goes to the \nAppropriations Committees for both portfolios stats and data \ncenters.\n    So it is the agency's data, and I thought it was a great \nidea on your part to use the agency's data to score them \ninitially on those initial grades back in November. Now this \ngo-around, there were some tweaks to the data, because it was \nall self-reported initially, but there were some tweaks. Like \non incremental development, we didn't think it was quite \naccurate with a couple agencies.\n    Mr. Cooper, one of them was Commerce. So there was a \ndowngrade on that score for incremental development.\n    But it was also great that these committees, that you \ndecided to uptick agencies who saved a lot and closed a lot, \nbecause that is really what we want to do. 
So I think there has \nbeen a nice little initial evolution of the grades where it \nevolved from more just self-reporting and had some of our GAO \nreports validate the self-reporting, and to reward what you \nreally want, closures and savings.\n    Ms.  Kelly. Thank you.\n    Mr.  Johnson and Ms. Leaf, you represent two agencies that \nshowed improvement. Can you quickly review what steps you took \nto improve?\n    Mr.  Johnson. Ranking Member, thank you for the question.\n    Let's see, as I mentioned, I have been at the department \njust over a year. One of the things we prioritized was \nstreamlining governance so that we can make sure that we have a \ncommon view on what issues we face as a department, both from \nan IT information resource management point of view, and also \nfrom a cyber point of view.\n    As part of that process, we have an integrated team now \nthat includes management all the way to the top of the \ndepartment. It includes all the elements of our department, \nincluding our field and the previously mentioned National Labs.\n    What we have attempted to do is focus all of those great \nminds and all of that great effort on focusing where we can \nmake improvements. Two places where DOE did improve, as you can \nsee from the scorecard, one, in particular, was in data \ncenters, something that we are focusing on specifically to try \nto gain efficiencies that we can, as mentioned earlier, provide \nfunds back into mission to try to address the other issues we \nhave.\n    So I would account most of the success to opening up the \naperture of the governance and making sure that everyone is on \nthe same page, but, in addition, having a focused plan on what \nwe need to do.\n    Ms.  Kelly. Thank you.\n    Ms.  Leaf. 
So at the Department of Labor, what we have \nprimarily done is strengthened our IT governance processes.\n    The two areas that we have really improved are more \ndetailed review of agency IT spend plans and acquisitions, so \nthat we really do understand what the agencies are buying and \nhow that fits with the overall strategic department objectives. \nWe also, for the first time, expanded our IT program review \nboard to include agency projects and programs. Before it was \njust for enterprise-level projects.\n    So those are our two governance areas that we have improved \nand I think what has contributed to our improvement.\n    Ms.  Kelly. I am happy to see that all 24 agencies' plans \nhave been approved or submitted. That is one thing. But, of \ncourse, they have to be implemented.\n    Can you guys quickly go down the line and talk about what \nare your plans for the transition? Because we know, one way or \nanother, there will be a new administration.\n    Mr.  Cooper. I'm happy to start. Thank you for the \nquestion. At Commerce, we have already taken steps that \nactually even preceded my coming into the role at the \nDepartment of Commerce as the CIO.\n    We have already institutionalized in a memo actually signed \nby our Acting Secretary back in 2012 a significant amount of \nthe authorities granted to the CIO and then reinforced by \nFITARA. That has allowed Commerce to kind of have a bit of a \nhead start, if you want to think of it that way.\n    But in addition, we have implemented, through our \ngovernance process for IT, some additional reviews that did not \nexist until we had FITARA to leverage, two specific ones that \nare now part of the CIO oversight review.\n    First, programmatic reviews that my office or I or any \nbureau CIO can request. That is a formal review. You can think \nof them as being analogous or the equivalent of TechStat. But \nwe launched those. 
We invite OMB to join us and, in some cases, \nGAO, depending upon what is under review.\n    The second is, and this is brand new, it is kind of unique \nto Commerce that we have implemented, is what we call a CIO \nreview. That is a review that didn't previously exist. I \nleveraged FITARA, the authorities granted to the CIOs, to be \nable to call a CIO review. We are using it specifically to take \na look at programs that fall below our investment thresholds.\n    We are focused on the following three major types of \nprograms: one, any public-facing type of initiative that \nreaches to our constituents, stakeholders, citizens; second, \nany introduction of new technologies that could be state of the \nmarket, but they have not been used within the department \nbefore; and third, anything that we believe constitutes not \nabnormal risk but risk of a different nature than we are used \nto addressing.\n    An example, moving into the cloud requires new IT skill \nsets. We consider that a high risk. So even though you might \nhave an initiative in a bureau that might represent less than \n$10 million for a lifecycle investment, we can now conduct a \nCIO review on that program.\n    Ms.  Kelly. Briefly. My time is up.\n    Ms.  Leaf. Okay, so quickly, we are really focusing on \nprocess improvements that will be in place and are \ninstitutionalized, irrespective of the individuals that are in \nplace.\n    There are two areas for that. One is our actual FITARA plan \nhas quarterly milestones, so we have committed to those. The \nother is that we are actually implementing the processes in the \ndepartment through directives. So those should stand regardless \nof who is in place.\n    Ms.  Kelly. Thank you.\n    Mr.  Johnson. 
So within the Department of Energy, three \nmain changes.\n    One, as it relates to, as mentioned earlier, our \nimplementation plan also has quarterly deadlines that we are \nfollowing.\n    We are also modifying our program review process to include \nmodifying the charters by which those are run, including our \nInformation Management Governance Board, which will be used as \nour internal investment review board for the department. That \ncharter is being modified, and it will be signed out by the \nDeputy Secretary.\n    And finally, for the first time within the department, I, \nas CIO, am going to be included on an Energy systems advisory \nboard that analyzes all major investments to include $400 \nmillion and above, to include facilities that might include IT \nmajor investments like high-performance computing, et cetera, \nwhich is hugely transformational for the department.\n    Ms.  Kelly. Thank you.\n    Ms.  Wynn. For NASA, and thank you for the question, \nCongresswoman, that is, we basically have one thing and that is \nimplement our business services assessment, which covers such \nthings, but not just these things. It would be our governance, \nour roles and responsibilities, as well as our security, the \nway we focus on security. And there are policies and procedures \nthat go underneath that. And a huge element of this one is a \nculture change element.\n    So as long as we stay the course on what we have committed \nto do, we should be in good stead.\n    Ms.  Kelly. I don't know if you have a comment?\n    Mr.  Powner. 
I would just add that I think the improvements \nin governance is really needed across the Federal Government, \nnot only on the large acquisitions, but where that governance \nalso looks at the legacy spend.\n    I know, next week, we are going to look more closely at \nthese old legacy systems and the challenges in maintaining and \nthe security vulnerabilities.\n    But that governance perspective really needs to look at \neverything, so it is encouraging that these processes are being \napproved.\n    Ms.  Kelly. Thank you.\n    Thank you, Mr. Chair.\n    Mr.  Hurd. Thank you, Ms. Kelly.\n    I now would like to recognize Chairman Meadows for 5 \nminutes.\n    Mr.  Meadows. Thank you, Mr. Chairman. I thank each of you \nfor your testimony. I will try to be brief as we work through \nthis issue.\n    Ms. Leaf, I want to come to you. Your particular position, \ndo you think it is an impediment to accomplishing your overall \ngoal with where you are in the reporting status to the very top \nof your agency?\n    Ms.  Leaf. So let me just address what the department is \ngoing to do in the FITARA plan to strengthen the role of the \nCIO. We have two items. We are adding the CIO, and I am \ncurrently in that position, to the department management \nmeeting, which is where the agency heads meet regularly. We \nhave an action item to reassess this in 2017, with respect to \nthe reporting structure.\n    My honest answer to you is that I report to an Assistant \nSecretary, who is a strong champion of IT. I participate with \nhim in meetings with the Deputy Secretary and with the \nSecretary. So in this particular instance, the reporting \nstructure is not an impediment, because of the individuals who \nare in the positions.\n    I do think that it is appropriate for the department to \nreconsider it, however, with the transition.\n    Mr.  Meadows. I would concur with your last statement. 
I \nguess what I would say is, knowing that the reporting is a \ncritical component after you are gone, or perhaps after those \nyou report to are gone, I would encourage, while you have a \ncooperative mood, to express the sense of Congress that that \nreporting relationship is being looked at. How about that?\n    Ms. Wynn, I want to come to you. Obviously, your grade was \nnot one that I jumped up and down about, nor do you, I can \ntell. I even questioned GAO. The gentleman to your left will \nadmit that when I saw it I said that this has to be wrong, \nbecause I visited NASA, and I know the commitment to the \nmission at NASA, so certainly it has to be wrong.\n    So I guess my question to you is twofold. Do you know what \nit would take to get from an F to a C?\n    Ms.  Wynn. Chairman, thank you.\n    We are not proud of our ----\n    Mr.  Meadows. I am not here to beat you up.\n    Ms.  Wynn. I'm glad GAO said yes, we did not make a mistake \nin our reporting, so great on that one.\n    So I think with our business services assessment, we are on \ntrack to head toward a C. As long as we stay on that particular \nplan that the agency approved--and, as you know, in order for \nus to make the changes in the CIO world, we have to have the \nsupport of senior leadership, and we have to have that because \nof the culture change. I have that in place now, so it is time \nfor me and my team to capture that moment and get through the \nimplementation process.\n    Mr.  Meadows. So in a roundabout way, I guess the answer \nwas yes, you know how to get to a C.\n    So the question becomes, at the next briefing, will we see \nyou at a C?\n    Ms.  Wynn. Chairman Meadows, yes, your summary is right. We \nare to do that.\n    As far as guaranteeing a C, as long as the grading stays \nprecisely as it is right now, we know how to make those \nchanges. But I would say that there are a couple areas where \nthere are bigger changes. 
That is on the incremental side, \ntaking a look at some of our projects. We are headed toward \ngetting that insight. I just can't guarantee what day I'm going \nto get that one.\n    Mr.  Meadows. I am not asking for that. I knew many of your \nteammates in other areas, and we expect the culture to be one \nthat would embrace--just to be frank, they will not be \nsatisfied with being an F, so you have big shoes to fill.\n    But I guess my question is, do you have the tools and the \ninsight and the commitment to improve?\n    Ms.  Wynn. Chairman Meadows, I do.\n    Mr.  Meadows. Okay, all right.\n    So let me go to the GAO very quickly, because one of the \ngraphs that you put up there had to do with what you identified \nas I guess low risk, that was identified by the agencies as low \nrisk, but it looked like most of that was either medium or high \nrisk, according to your analysis of where it should be.\n    So is there a disadvantage for agencies to self-report now \nthat the scorecard is already out, to say, ``Okay, we made a \nmistake. They are, indeed, medium risk, high risk, or \nwhatever.'' By self-reporting to you at this point, do they get \nadversely affected by getting a different dashboard quicker? Or \nis there an incentive to go ahead and have all the agencies \ncall you tomorrow and say, ``Gosh, we agree with your \nassessment. Put us at high risk, low risk, here.''\n    Mr.  Powner. So I think, if they had more red than yellow \ninvestments, they would have a higher grade. Right now, we need \nto still move in that direction.\n    Right now, the dashboard shows 72 percent of our dollars, \nthis is both major investments in acquisition or operations, \nare low risk. There is no one in this room that believes 72 \npercent of our major investments are low risk. They are just \nnot.\n    Mr.  Meadows. 
So what you are saying, your testimony here \ntoday, and it needs to be a clear message to all of the \nagencies, is they can get a higher score--am I understanding \nyou right?--just by reporting it correctly?\n    Mr.  Powner. Correct. So Commerce and Labor both have As. \nThey acknowledge a fair amount of yellows. And Labor has one \nred, but there is a fair amount of yellows in their \nassessments. It is not all green. NASA is all green, so they \nget an F on dashboard.\n    So that is kind of how it works right now. We have seen \nchanges. There is more acknowledgment of risk since your last \nhearing, but that review we did for you shows that we still \nhave a long way to go.\n    Even Commerce, there were a couple assessments that Steve \nhas that we weren't in full agreement. We think he could still \nacknowledge some more risk on certain ones.\n    Our point on this is you cannot manage these IT investments \nappropriately unless you acknowledge the risk. If you say it is \ngreen, you are not going to get reviewed when we all know that \nthere are a lot of yellows and reds.\n    We need that governance that every one of these CIOs talk \nabout. And collectively, these four CIOs spend $5 billion \ncollectively on IT in a given year. That is a lot of money that \nwe need to manage more appropriately, and it starts with \nacknowledging risk.\n    Mr.  Meadows. All right. So that message needs to be clear.\n    Let me finish up with two very small points.\n    One, Mr. Cooper, congratulations on moving forward. Do you \nhave a full-time CIO in place for Census yet?\n    Mr.  Cooper. We have made the selection. That individual \nwill be moving into that office. I apologize. I do not know the \nspecific timing, but very shortly.\n    Mr.  Meadows. Without getting into the weeds here, we \nreally have some to-do items as it relates to Census. I won't \nbeat you up in public, so let's just follow up on that.\n    Ms. 
Leaf, is it true that you had to buy replacement parts \non eBay for some of your system?\n    Ms.  Leaf. Yes, sir, it is. But I'm happy to say that those \nservers have been upgraded and replaced.\n    Mr.  Meadows. All right, so here is my last admonishment to \nall of you, and the chairman talked about it with Ms. Wynn with \nregards to Fortran. We have legacy systems that must--not \nmaybe, must--must be changed. So the message that needs to go \nfrom you to those who work in IT is that we will no longer \naccept that this is the way that we have always done it, \nwhether it is COBOL, Fortran, or any other language that is \ngrayer than I am.\n    It is imperative, without mentioning it in a public forum, \nwe have agencies who are taking IT dollars to prop up legacy \nsystems and stealing from the future of our IT systems to prop \nit up.\n    Mr.  Connolly and Mr. Hurd are much better versed at this \nthan I am. I will dig from an investigative standpoint, and \nthen let them weigh in from a technical standpoint, but let \nthis day be the day that we start to address that.\n    I will yield back, Mr. Chairman.\n    Mr.  Hurd. Thank you, Chairman Meadows.\n    I would like to recognize Mr. Connolly for 5 minutes.\n    Mr.  Connolly. Thank you, Mr. Chairman. I echo everything \nmy friend from North Carolina and my friend from Texas have \nsaid.\n    Picking up on a very interesting line of questioning Mr. \nHurd had, Mr. Johnson, I want to state for the record that the \ncarveout for the National Labs was an outrageous thing to do.\n    They used their influence here on the Hill. They used an \nappropriations vehicle to get around this committee and this \nbill. The ink was barely dry on the bill. We didn't have \nimplementation evaluation, and those labs got an exception.\n    Who could be hurt by that? Well, anybody depending on the \nNational Lab.\n    The whole point here isn't another pain in the neck set of \nrequirements and compliances. 
It is to transform how we do \nbusiness. It is to get at legacy systems. It is to make sure \nthings are encrypted and secure. It is to try to streamline \nmanagement. It is to save resources and plow them back into the \nenterprise.\n    If there is anyone who could have benefited from FITARA, it \nis the National Labs.\n    So I hope you will go home to the Department of Energy with \nthis message: We are not going to stand for it. We will revisit \nthis issue.\n    I do not presume to speak for my colleagues on the other \nside of the aisle, but I think this will be a broad bipartisan \nassault on the National Labs if they try it again. And if we \nhave to go toe-to-toe with Appropriations Committee, we will do \nso, because it has been evident that others are benefiting from \nthis effort.\n    It would be one thing if we were many years into the \nprocess and it was onerous and it was hard and it was \nbureaucratic and it was costing money and the promise wasn't \nbeing realized. I still might not like it, but I could \nunderstand why you might pursue your other options--not you, \nbut the National Labs, did not wait.\n    I hope you will go back and warn them. This time, there \nwill be a fight. And I think it will be bipartisan.\n    At any rate, other than that, Mr. Cooper, you were talking \nin your testimony about cost savings. This really isn't about \ncost savings. I take that point very well. But on the other \nhand, as Ms. Leaf pointed out, there are cost savings. She \nspecifically cited one that makes my heart go pitty-pat, data \ncenter consolidation.\n    How are we doing at DOC on that? And do you have some kind \nof number you can ascribe to it?\n    Mr.  Cooper. Yes, we are doing very well, and we continue \nto do well.\n    We have realized about--I think the number, and I will \nverify this to make sure I'm giving you an accurate number, so \nI will come back with a follow-up. 
But I think we now stand at \nabout $308 million that we have actually realized. We are on \ntrack to continue our very solid record of adding to that \nsavings figure.\n    If I may, I want to clarify very quickly what my remark \nwas. It was to differentiate between a focus on absolute cost \nsavings in IT. One of the things that is misunderstood in my \nexecutive leadership team that we are working to clarify is the \ndifference between absolute cost of IT--for example, for \ncapacity expansion or newer demand, new capability. That will \ndrive the total cost of IT up. But some folks are \nmisunderstanding that if the total cost of IT is going up, then \nI as the CIO and other CIOs must be doing something incorrect. \nThey believe that the total cost should be moving down or stay \nflat.\n    What we are doing is we are trying to educate our entire \nwork force in Commerce that the correct metric to use around \ncost savings is to ensure that the unit cost of any IT service \nthat we deliver, we are constantly driving the unit cost down. \nThat way, both can be true. We can reflect true efficiency, \ntrue cost savings, even when the total amount of spend may, in \nfact, be going up.\n    Mr.  Connolly. A good point, and that is why I wanted you \nto have the opportunity to clarify. I will give you a political \nnote on that.\n    But all of what you said takes a little time to \ninstitutionalize, to get everybody right with the program, to \nhave a plan, to make sure the National Labs--we have this \nmoment in time where the leadership here is completely united. \nWe have GAO and GSA and OMB all on that script. That ain't \ngoing to last forever. There are not always going to be people \nappear who go, ``Yes, I get that, no problem, as long as \ntrajectories are right.'' As you heard Mr. 
Hurd ask, I hope you \nare able to reinvest the savings, not everyone is going to have \nthat point of view.\n    That is why one of the things we are keen on here is taking \nadvantage of this moment while you can.\n    Mr. Powner, what changes might be made as we look down the \nroad to the scorecard, to make it even more useful and \nhopefully more accurate?\n    By the way, I like the fact that we are using some \nsubjective judgment. When we see all green, you get an F. You \nare not rewarded for that. That is terrific. That is a very \nnon-bureaucratic approach to a very important subject. I mean, \none could just absolve oneself and go check, it's all green, \nhow wonderful. We know that is not true. We know that we have \nlost billions of dollars sometimes in waste and mistaken \ninvestments. So trying to catch them early is a good thing. \nExercising that judgment, to me, is also a very welcoming, good \nthing.\n    But what might we add to the scorecard that would round it \nout and give us a better picture of DOE and NASA and others?\n    Mr.  Powner. A couple key examples. I think, one, fixing \nthe CIO authority issue, you need to find some way to score \nthat, because if you do not fix the CIO authority issue in the \ncultures and bureaucracies at all these departments and \nagencies, you are not going to be able to accomplish FITARA in \nall of these areas as well as you possibly could. So looking at \nthose plans and measuring whether the CIO authorities are truly \nbeing tackled is, as I think Ms. Leaf clearly pointed out that \nthey are doing at the Department of Labor, that is what we need \nto find a way to look into. That is critical.\n    The other thing, if you look at data center consolidation, \nover time, it is not going to be about closures and savings, \nalthough we are always going to have savings, but it is about \noptimization metrics, too, because there are some agencies that \nI still think are low-balling their estimates. 
It looks like \nthey are done, but their optimization metrics are nowhere \nutilizing the equipment and the facilities at those departments \nand agencies. So that means they probably still have more \nsavings.\n    I think when we mature this in the future, looking at \noptimization metrics, but clearly, the CIO authority needs to \nbe tackled aggressively.\n    Mr.  Connolly. By the way, just for the record, now every \nFederal agency has submitted a FITARA implementation plan, \nright?\n    Mr.  Powner. Yes.\n    Mr.  Connolly. Okay. The last two came in recently.\n    Mr.  Powner. Yes. You can take your C- off the scorecards \nand make them C.\n    Mr.  Connolly. Ms. Wynn, two points, and then my time is \nup. One following up on what the chairman asked you, which I \nthink is a brilliant question, are we going to get to Mars \nusing Fortran? I think you said, well, I have to get back to \nyou for the record. That is one I want to read.\n    But I think he was getting at, with legacy systems, with \nantiquated systems, what could go wrong with that, in terms of \nMars? Of all Federal agencies, yours in some ways is the most \ncritically dependent on technology and technology working.\n    I guess I would just ask you, for the record, would you not \nconcede the point I think implied in the chairman's question, \nwhich is that technology, the IT piece, is really important to \nreally all of your missions at NASA, and, therefore, getting \nthem right and making sure we have them sort of updated and \nupgraded is pretty important?\n    Ms.  Wynn. Congressman Connolly, you are absolutely right. \nIT is important for NASA's mission.\n    Mr.  Connolly. One final point with you, Ms. Wynn, as you \nare relatively new, as you are working through the FITARA plan, \nI think you said you have a 219-page plan, setting metrics in \nadvance, to me, is really important. 
If you do not have \nmetrics, it is all interesting but--so, for example, on data \ncenter consolidation, I think it is really important, a priori, \nto say we have X number and we are going to reduce it by this \nmuch by this date.\n    And it has to be a stretch. It has to push the organization \na little bit, not an impossible goal, but if you don't have \nstretch goals, we are not really meeting our mission.\n    So I would commend to you as you work through that plan set \nsome of those metrics for the organization and your other \ncolleagues, because that is the only way we are going to \nachieve progress. And it is the only way we are going to use \nFITARA as it was intended, which is a useful management tool \nfor you and ultimately for the head of NASA itself.\n    All right, I want to thank all of you for being here. I \nreally benefited a lot.\n    And my concern about the National Labs ought not to color, \nMr. Johnson, the progress DOE is making. I thank you, but I \nwanted you to go back, because I think the chairman is \nabsolutely right to ask that question, and it did not go \nunnoticed up here. Thank you.\n    Mr.  Hurd. Thank you, Mr. Connolly.\n    Mr. Meadows?\n    Mr.  Meadows. Thank you, Mr. Chairman.\n    A very brief follow-up, since we are talking about legacy \nsystems, and since most of the people working on those legacy \nsystems I would surmise are closer to retirement than not, what \nI would like from each one of you is the cost estimate of \nreally not waiting for 2 or 3 or 5 years for us to fall off the \ncliff, the cost estimate of getting rid of those legacy systems \nfor your agencies, if you would do that.\n    Then, Mr. Cooper, let me come back to the CIO. It is \nobvious that you get this here, and we have the Census coming \nup and we cannot afford to fail. 
Has it been contemplated that \nthe CIO role for Census would be incorporated as part of your \nresponsibility, or that you take that on, since you obviously \nget it and are willing to work? Because I need to get the \nCensus side with the GAO counterpart because we have GAO and we \nall stakeholders, to be frank, that are very, very concerned \nthat we are not getting it. And we have a great relationship, \nbut we are reaching a point of ``go, no go'' on a lot of \ndecisions that are creeping up.\n    You get it. I'm not so sure the new CIO would get it, so \nhave you looked at that?\n    Mr.  Cooper. Yes, and, Chairman Meadows, may I offer this, \nwould this be acceptable, I will carry back--I know the planned \ntiming. As I mentioned, we selected the individual. I know the \nplanned timing. Would you allow me to go back, work with \nDirector Thompson, and speed that up and allow us to put that \nindividual in place?\n    My commitment to you and this committee is that I will then \ncommit to working directly with that individual to ensure that \nwe help that individual come up to speed as rapidly as \npossible, but leveraging myself and my office to ensure that we \nhonor the commitments that I previously made to this committee \nand that Director Thompson has previously made to this \ncommittee?\n    Mr.  Meadows. That sounds fair, because what we cannot have \nis someone in the job 8 months later, and we get an F on the \nCensus. So I appreciate that.\n    I yield back.\n    Mr.  Hurd. Mr. Powner, the issue of the CIO responsibility \nstill perplexes me. Of the 24 CFO agencies, how many of the \nCIOs report directly to the agency head?\n    Mr.  Powner. I do not have that exact number, but I think \nvery few of them do. Even if they do--we looked at this years \nago and did some work on this. It is dated, but even those that \non paper report to the agency head typically report to the \nDepSec. 
We found that reporting to the DepSec actually gives \nmost CIOs the right visibility and a seat at the table at most \nof the agencies. That is what we concluded.\n    Mr.  Hurd. So how many report directly to the Deputy \nSecretary or the Secretary?\n    Mr.  Powner. I don't have an exact number on that. But I \ncan tell you not enough.\n    Mr.  Hurd. So in your opinion, would an appropriate grade \nwhen it comes to CIO authorities be whether they report \ndirectly to the Secretary or the Deputy Secretary, and do all \nof the CIOs within the agency report to them?\n    Mr.  Powner. Yes, that is a good way to measure. That is \nthe intent of FITARA, where you have the CIOs reporting to the \ndepartment or agency ----\n    Mr.  Hurd. Would you agree that this metric is \ndisproportionately more influential in the overall grading of \nan agency over all the other areas that FITARA looks at?\n    Mr.  Powner. Yes, if you don't fix those CIO authorities, I \nthink you're going to continually struggle.\n    The other thing I think to keep in mind is the relationship \nwith the other CFOs. We have heard many agencies, when CIOs \nhave a solid relationship with the chief financial officers, \nthings work out a lot better.\n    Mr.  Hurd. Mr. Powner, you are reading my mind.\n    How are CFOs responding to the implementation of FITARA?\n    Mr.  Powner. Mixed bag. I don't have GAO reports that say \nthis, but we have enough anecdotes, and you have heard it. Some \nCFOs are worried about losing power. Some CFOs are working \nclosely with CIOs. We are seeing some progress, but we need to \nsee more progress so we have equal footing there.\n    I think a true measure, too, is going to be trying to get \nyour arms around the IT budget. I don't think CIOs can do that \nwithout CFOs' help. So you have to partner with CFOs to get \nyour arms around the IT budget. That is a clear position in \nFITARA. 
There was a reason FITARA was written that way, \nstarting with this committee.\n    Mr.  Hurd. At FITARA 3.0, I think it would be interesting \nto have some of the CFOs sitting alongside their CIO \ncolleagues, having these conversations.\n    Mr.  Connolly. Mr. Chairman?\n    Mr.  Hurd. Yes?\n    Mr.  Connolly. You have asked a very, very important \nquestion, and I would just say, when we wrote FITARA, we \ndecided to make it less prescriptive and more expansive. We \ntook cognizance of the fact that we had multiple CIOs, and \nrather than by fiat say there shall be one, we kind of \nencouraged the system to evolve, so that there would be a \nprimus inter pares, first among equals, in the CIO \nconstellation, because there were 240 or 250 CIOs. And your \nquestion is absolutely apt.\n    So will that sort of flexible legislative framework work, \nor do we have to resort to codifying and deciding by fiat? And \nthat is why I think your question is so irrelevant, and I hope \nthe CFOs understand that.\n    Thank you, Mr. Chairman, for the question.\n    Mr.  Hurd. My last question goes to Mr. Cooper.\n    I appreciate everyone being here today, and for the delay \nfor votes.\n    Commerce got the highest grade, yet Commerce has 114 \nmillion lines of Fortran code, which they have 525 employees \nsupporting that. There are 37 systems that are using operating \nsystems that are no longer supported by the vendor. Por que? \nWhy?\n    Mr.  Cooper. In most cases, those support operations that \ncannot easily be replaced by commercial, off-the-shelf \nsoftware.\n    Mr.  Hurd. You are talking about the Fortran code?\n    Mr.  Cooper. The Fortran code is, in most cases that I am \naware of--I accept what you're telling me as far as the numbers \nof systems and lines of code.\n    What we are doing is working with those bureaus directly \nwhere we have a legacy system exactly like you described. 
It is \nno longer vendor-supported.\n    Now, what we are doing in a lot of cases is we actually are \nbackporting, meaning we are getting patches through the public \ndomain, and we are applying those patches on a very regular \nbasis, much as we would do if we received a vendor patch. We \nare doing that in every situation that we can.\n    We are also doing the following. In a situation where we \ncannot take that approach, we are doing everything we can to \nbasically quarantine that legacy system. We are doing that \nspecifically to prevent cyber risk in the spread of something \ncoming in through a vulnerability in those legacy systems. We \nare trying to quarantine it so that we can shut it off and it \nwon't then propagate across our networks or across other \napplications.\n    Lastly, we are working as rapidly and effectively as we \ncan, quality with speed, to replace those legacy systems. But \nbecause, in most cases, we can't find readily available \ncommercial, off-the-shelf software, we still have to build it. \nWe are taking advantage of savings we are realizing through our \ndata center consolidation initiative and optimization efforts \nto redirect that savings into new development and replacement \nof some of, but not all, some of those legacy systems.\n    Mr.  Hurd. Thank you, Mr. Cooper.\n    I would like to thank the rest of the witnesses for taking \nthe time to appear before us today. If there is no further \nbusiness, without objection, the subcommittees stand adjourned.\n    [Whereupon, at 4:29 p.m., the subcommittees were \nadjourned.]\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n               \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]               \n               \n\n\n                                 <all>\n</pre></body></html>\n"