[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]












 THE FEDERAL INFORMATION TECHNOLOGY REFORM ACT (FITARA) SCORECARD 3.0: 
                   MEASURING AGENCIES IMPLEMENTATION

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                AND THE

                            SUBCOMMITTEE ON
                         GOVERNMENT OPERATIONS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            DECEMBER 6, 2016

                               __________

                           Serial No. 114-171

                               __________

Printed for the use of the Committee on Oversight and Government Reform



         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform

                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

26-178 PDF                     WASHINGTON : 2017 

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois
CYNTHIA M. LUMMIS, Wyoming           ROBIN L. KELLY, Illinois
THOMAS MASSIE, Kentucky              BRENDA L. LAWRENCE, Michigan
MARK MEADOWS, North Carolina         TED LIEU, California
RON DeSANTIS, Florida                BONNIE WATSON COLEMAN, New Jersey
MICK MULVANEY, South Carolina        STACEY E. PLASKETT, Virgin Islands
KEN BUCK, Colorado                   MARK DeSAULNIER, California
MARK WALKER, North Carolina          BRENDAN F. BOYLE, Pennsylvania
ROD BLUM, Iowa                       PETER WELCH, Vermont
JODY B. HICE, Georgia                MICHELLE LUJAN GRISHAM, New Mexico
STEVE RUSSELL, Oklahoma
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                    Andrew Dockham, General Counsel
    Troy D. Stock, Information Technology Subcommittee Staff Director
                      Julie Dunne, Senior Counsel
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director

                 Subcommittee on Information Technology

                       WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking 
MARK WALKER, North Carolina              Minority Member
ROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois
                                     TED LIEU, California

                 Subcommittee on Government Operations

                 MARK MEADOWS, North Carolina, Chairman
JIM JORDAN, Ohio                     GERALD E. CONNOLLY, Virginia, 
TIM WALBERG, Michigan, Vice Chair        Ranking Minority Member
TREY GOWDY, South Carolina           CAROLYN B. MALONEY, New York
THOMAS MASSIE, Kentucky              ELEANOR HOLMES NORTON, District of 
MICK MULVANEY, South Carolina            Columbia
KEN BUCK, Colorado                   WM. LACY CLAY, Missouri
EARL L. ``BUDDY'' CARTER, Georgia    STACEY E. PLASKETT, Virgin Islands
GLENN GROTHMAN, Wisconsin            STEPHEN F. LYNCH, Massachusetts





















                            C O N T E N T S

                              ----------                              
Hearing held on December 6, 2016

                               WITNESSES

Mr. David A. Powner, Director, IT Management Issues, U.S. 
  Government Accountability Office
    Oral Statement
    Written Statement
The Hon. Chip Fulghum, Deputy Under Secretary of Management and 
  Chief Financial Officer, U.S. Department of Homeland Security
    Oral Statement
    Written Statement
Mr. Luke J. McCormack, Chief Information Officer, U.S. Department 
  of Homeland Security
    Oral Statement
The Hon. Frontis B. Wiggins III, Chief Information Officer, 
  Bureau of Information Resource Management, U.S. Department of 
  State
    Oral Statement
    Written Statement
Mr. Douglas Pitkin, Director of Budget and Planning, U.S. 
  Department of State
    Oral Statement
    Written Statement


 


                       Tuesday, December 6, 2016

                  House of Representatives,
Subcommittee on Information Technology, joint with 
         the Subcommittee on Government Operations,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittees met, pursuant to call, at 2:00 p.m., in 
Room 2154, Rayburn House Office Building, Hon. Tim Walberg 
presiding.
    Present from the Subcommittee on Information Technology: 
Representatives Hurd, Farenthold, Walker, Blum, Gosar, and 
Kelly.
    Present from the Subcommittee on Government Operations: 
Representatives Walberg, Carter, Grothman, Connolly, Maloney, 
Chaffetz and Plaskett.
    Mr. Walberg. The Subcommittee on Information Technology and 
the Subcommittee on Government Operations will come to order.
    Without objection, the chair is authorized to declare a 
recess at any time.
    In fiscal year 2017, the Federal Government plans to invest 
more than $89 billion on IT. This is a significant area of 
Federal spending that requires Congress' attention. We focus so 
much attention on Federal IT acquisition and management because 
it's simply important to everything agencies do and because IT 
acquisition remains on the GAO high-risk list.
    I would like to acknowledge that there has been progress. 
The GAO has reported that, as of October 2016, OMB and Federal 
agencies have fully implemented about 46 percent of about 800 
GAO recommendations that led to this area being put on the 
high-risk list. Now this hearing continues this committee's 
oversight of agencies' implementation of FITARA. In fact, this 
is the third FITARA scorecard hearing, or, as we like to call 
it, ``FITARA Scorecard 3.0.''
    After today, we will have heard testimony from nine 
agencies. The scorecard, which the committee developed with 
assistance from GAO, continues to use the same key areas--data 
center consolidation, IT portfolio review savings, 
risk-assessment transparency, and incremental development--for 
purposes of measuring agencies' FITARA implementation.
    There has been progress in the grades: 12 agencies improved 
their grade; 11 stayed the same; and 1 agency's grade declined. 
I would also note that NASA, which was one of the agencies at 
our May 2016 FITARA hearing, improved from two straight Fs to a 
C-plus. DHS improved its FITARA grade from a C to a B-minus. 
State's grade declined slightly from a D to a D-minus. In 
fiscal year 2016, DHS spent $6.2 billion while State spent 2 
billion on IT.
    FITARA provides a critical tool to effectively manage these 
IT investments. We'll continue our FITARA oversight in the next 
Congress, and I commend Mr. Hurd for his leadership on this 
oversight.
    I now want to recognize Ms. Kelly, ranking member of the 
Subcommittee on Information Technology, for her opening 
statement.
    Ms. Kelly. Thank you.
    As this session of Congress draws to an end, I want to 
thank Chairman Hurd, Chairman Meadows, and Ranking Member 
Connolly for your leadership and partnership during the 2 years 
our subcommittees have been working together to monitor how 
Federal agencies manage their information technology projects. 
In that timeframe, our subcommittee has held extensive hearings 
that examine the state of IT at almost every Federal agency and 
heard testimony from the majority of Federal chief information 
officers on the challenges they face in overhauling the 
management of IT resources.
    Our subcommittees also worked together to develop our very 
own scorecard for grading agency progress and implementing the 
requirements of the Federal Information Technology Acquisition 
Reform Act, or FITARA.
    Last November, we released the first of these scorecards 
and held our first hearing to discuss the grades of three 
agencies. Since then, our subcommittees have released updated 
scorecards at least twice a year and held hearings with 
different agencies to hold them accountable for implementing 
the FITARA provisions. Since we first began conducting 
oversight over the 24 agencies FITARA covers, we have already 
seen a marked improvement with several of those agencies.
    For example, since the release of our last scorecard, 
NASA's overall grade went from F to a C-plus. The Department of 
Education and Energy also showed substantial improvement since 
the last scorecard going from an F to a C. Overall, since May 
of this year, 12 agencies have shown improvement in their 
overall grades.
    Looking beyond the grades, I am encouraged by the 
responsiveness of most agencies and their progress to date in 
FITARA implementation. Notably, governmentwide data center 
consolidations alone have realized over 1.6 billion in savings. 
These are all good first steps, but it's clear that there 
remain obstacles to overcome in implementation. The new 
scorecard shows that some agencies have hit roadblocks, that 
some have fallen behind in implementation.
    I believe that our oversight hearings have helped improve 
accountability of IT management in Federal agencies. I believe 
hearings like these will be as important next year, and I hope 
there will be bipartisan interest in holding the next 
administration to the same high standards we have held the 
current administration.
    The stakes are simply too high when it comes to improving 
the efficiency and security of the Federal Government's IT 
systems. The Federal Government's IT acquisition process isn't 
just an inefficient use of taxpayers' money. It also poses a 
security risk as too many agencies are still having to rely on 
outdated legacy IT systems that, with each passing year, cost 
more and more to secure and maintain.
    I want to thank the witnesses for testifying today. I know 
that an overhaul of your IT acquisition and management is not 
an easy task, so I look forward to hearing how your agencies 
are handling the challenges in implementing FITARA.
    Thank you, Mr. Chair, and I yield back.
    Mr. Walberg. I thank the gentlelady.
    And now I recognize Mr. Connolly, ranking member of the 
Subcommittee on Government Operations, for his opening 
statement.
    Mr. Connolly. Thank you, Mr. Chairman.
    And I thank my co-collaborator, Ms. Kelly, for her 
leadership, Mr. Hurd, and Mr. Meadows. The four of us have 
tried to act as one in terms of oversight, and I think that's 
been pretty effective, and we're going to continue to do the 
same in the 115th Congress, so look forward to working with you 
again, Ms. Kelly.
    I think oversight by the two subcommittees of the Federal 
Information Technology Acquisition Reform Act, better known as 
Issa-Connolly, is really important because that didn't happen 
in its predecessor legislation known as Clinger-Cohen. Our 
bipartisan legislation represents the first major reform of 
laws governing Federal IT management since 1996.
    When I was chairman of Fairfax County just across the 
river, I used to tell our staff we needed three things to be 
successful: We needed a clear mission. We needed passion for 
that mission. And we needed metrics to measure progress on that 
mission.
    With FITARA's passage, we clarified the mission, and these 
scorecards, I believe, give us the metrics to try to see how 
we're doing and to keep the pressure on ourselves to implement.
    I'm pleased to see these subcommittees continuing to 
exercise its oversight responsibility. Since our last hearing 
in May, I, like Ms. Kelly, am encouraged by how quickly the 
administration and the majority of Federal agencies have in 
fact embraced the effort. I appreciate the leadership of 
Federal CIO Tony Scott and the Office of Management and Budget, 
and the GAO, Mr. Powner and Gene Dodaro in particular. I hope 
for continued leadership in the new administration and a 
renewed focus on implementation.
    As I stated at that hearing in May, the results of the 
scorecard should not be seen as some kind of scarlet letter on 
the backs of agencies but rather a guidepost, a milestone on 
the path toward self-improvement. The scorecard process ought 
to be dynamic, continually incorporating stakeholder feedback 
with the possibility of eventually including all seven pillars 
of FITARA.
    We received favorable feedback from agency CIOs on the 
components of the scorecard, but we do recognize that there is 
always room to improve the metrics that are used to determine 
agency progress. The enormous amount of feedback we've received 
has proved that agencies are taking FITARA seriously.
    Charged by Congress to provide quarterly progress reports, 
the GAO examined OMB's steps to consolidate data centers, 
enhance agency transparency, and implement incremental 
development. These metrics were selected because their 
implementation will have a demonstrable benefit on IT 
acquisition and operation, and this data is updated and 
available on a quarterly basis.
    The scorecard is a tool of both congressional oversight of 
FITARA and CIO empowerment. FITARA requires CIOs to certify 
that IT investments are adequately implementing incremental 
development. We wanted to include CIO authorities in the 
scorecard because this will tell us if CIOs are being given the 
tools to succeed, and if they are not, then that becomes either 
an issue of additional congressional oversight or a foothold 
for CIOs to assert themselves under the law. It's important 
that Congress continue its oversight and urge OMB to clarify 
its guidance directing agencies to make information about major 
IT investments publicly available.
    On a related front, I was proud to join my friend Will Hurd 
in introducing the Modernizing Government Technology Act. The 
bill makes a significant upfront investment to retire 
vulnerable large-scale legacy systems affecting multiple 
agencies. The bill allows agencies to use savings generated 
through FITARA and other reforms to make investments in cloud 
transition.
    The act passed easily through this committee and on the 
House floor. Unfortunately, because of a last-minute CBO 
scoring issue--the priesthood of the CBO, Mr. Chairman, is one 
that mystifies all of us, and the infallibility we invest the 
CBO with would make the Pope in Rome envious. I would like to 
express some concern on a different issue with the lack of 
perceived support for FITARA implementation many CIOs have 
experienced within their agencies because of leadership 
squishiness, if one could call it that.
    I find it unacceptable for any of the agencies to be 
working against the intent of FITARA. Secretaries of agencies 
and division heads and likewise ignoring the critical role of 
CIOs in FITARA implementation and in directing IT investment 
defeats the very purpose of the law. We found that some 
agencies are struggling to elevate the CIO position to its 
appropriate management level.
    I look forward to hearing from the Department of Homeland 
Security and the Department of State today about their efforts 
to streamline CIO reporting authorities, and this is an issue 
that will carry through in the next Congress with the next 
administration. It's not going to go away.
    Finally, I was pleased to see that DHS surpassed its 
savings goal by reporting $248 million from consolidation of 
data centers. However, I have concern about the Department's 
lack of a strategic plan. It was also disappointing to see that 
the State Department reported zero savings from data center 
consolidation or IT portfolio review. Strange, Mr. Wiggins and 
Mr. Pitkin. We certainly look forward to an explanation of 
that.
    State has also underperformed in assessing the risk in its 
major IT investments. I look forward to working with Mr. 
Wiggins to improve that performance moving forward.
    And, with that, Mr. Chairman, I yield back. Thank you.
    Mr. Walberg. I thank the gentleman.
    I'll hold the record open for 5 legislative days for any 
members who would like to submit a written statement, but now 
we recognize our panel of witnesses.
    I'm pleased to welcome back in front of us, Mr. David 
Powner, Director of IT Management Issues at the U.S. Government 
Accountability Office; the Honorable Chip Fulghum, Deputy Under 
Secretary of Management and Chief Financial Officer at the U.S. 
Department of Homeland Security; Mr. Luke McCormack, Chief 
Information Officer at the U.S. Department of Homeland 
Security; the Honorable Frontis Wiggins, III, Chief Information 
Officer at the Bureau of Information Resource Management at the 
U.S. Department of State; and Mr. Douglas Pitkin, Director of 
Budget and Planning at the U.S. Department of State.
    Welcome to you all. Pursuant to committee rules, all 
witnesses will be sworn in before they testify, so if you would 
please rise and raise your right hands.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    Thank you. You may be seated. Let the record reflect that 
the witnesses all answered in the affirmative.
    In order to allow time for discussion, we would appreciate 
it if you would please limit your testimony to 5 minutes. Your 
entire written statement will be made part of the record.
    And so now it's my pleasure to recognize Mr. Powner for 
your 5 minutes of testimony.

                       WITNESS STATEMENTS

                  STATEMENT OF DAVID A. POWNER

    Mr. Powner. Chairman Walberg, Ranking Members Kelly, 
Connolly, and Mr. Farenthold, I'd like to thank you and your 
staff for your continued oversight on implementation of FITARA 
with this third set of grades. Clearly, we have seen 
improvements over the past 2 years from several agencies.
    The 800 recommendations GAO has made on our IT high-risk 
area are associated with many of the FITARA areas, are about 46 
percent addressed. That's a substantial increase from last 
year. Your latest set of grades has 12 agencies improving, 11 
staying the same, and 1 lower. Your oversight has been critical 
here.
    Take, for example, NASA, one of your witnesses at your last 
hearing for receiving the only F, now receiving a C-plus. NASA 
has made great strides in the data optimization area, and Renee 
Wynn deserves much credit.
    I'd like to emphasize the criticality of the four areas 
this committee is focused on. Although there has been progress, 
we still have too many acquisitions that use a waterfall 
approach; too many duplicative systems; transparency of IT 
spending isn't as accurate as we need; and we have data centers 
that are far from being optimized.
    Let's look at the data center situation. For the first 
time, we finally see inventory stabilizing around 10,000 
centers. We have closed just over 4,300 centers. And five 
agencies have closed more than 50 percent of their centers. 
These are Ag, Justice, Treasury, GSA, and NASA. There are about 
another 1,300 centers planned to be closed. Although the 
closures look good, savings and meeting optimization metrics 
don't.
    Our last report in my testimony highlights the fact that 
agencies have saved about $3 billion to date and another $5 
billion was planned. New reporting required in FITARA and to 
OMB is incomplete and only showing less than $500 million in 
outyear savings, a tenth of what it should be.
    Our ongoing work for this committee will be making 
recommendations to address this to ensure that we save at least 
$5 billion so that we can use this for critical modernization 
needs. We actually believe there is more savings than the $5 
billion, taking into account agencies' limited progress toward 
meeting the five optimization metrics.
    The new grading area associated with whether the CIO 
reports to at least the DepSec is a good start towards delving 
into CIO authorities more completely. In fact, agencies' CIO 
self-assessments to OMB are higher on average if they report to 
the agency head.
    We have ongoing work for this committee on CIO authorities 
that could further inform comprehensive grading and oversight 
in this area. Clearly, CIO authority is still a major issue at 
departments and agencies.
    As we have discussed, Mr. Chairman, there is even more this 
committee could do to help CIOs with their authorities. The 
first is ensuring that CIOs have full support from the heads of 
departments and agencies. We think your suggestion that the 
heads of agencies be asked to testify at these FITARA hearings 
in the next Congress is a good one.
    The Comptroller General, Gene Dodaro, held a forum recently 
on our IT high-risk area and FITARA that Chairman Hurd and 
Ranking Member Connolly participated in that we thank you for, 
along with former and current Federal and agency CIOs. We will 
soon be publishing the results of this forum.
    One of over 200 key things that came out of that session 
was the need for top agency support regarding cyber and IT 
issues. Another area that this committee should consider is the 
IT workforce under the CIO. We issued a report 2 weeks ago for 
this committee that showed agencies need to do a better job 
assessing their IT staffing needs by performing gap assessments 
and putting in place plans to bolster the IT workforce. 
Enhancements to your scorecard and FITARA oversight in the next 
Congress, we believe, should be focused on critical targeted 
areas. This starts with ensuring CIOs have support from the 
top.
    Next, we need qualified and accountable CIOs. By 
``accountable,'' we mean those that welcome the strength in CIO 
authorities and this committee's oversight and assistance in 
strengthening those authorities.
    Then we need a stronger, more robust IT workforce under the 
CIO. This would include the needed influx of private sector 
talent that is more integrated into the Federal IT workforce 
because at times the current efforts at the White House and GSA 
are a bit too much of a we-versus-them mentality. So, in 
addition to bolstering top support, strengthening CIO 
authorities in the IT workforce, we believe there needs to be 
better transparency, more incremental and agile development, 
and more efficient legacy spending. On the legacy side, we 
still need to focus on eliminating wasteful duplicative 
spending and optimizing our data centers, which would include 
far greater cloud adoption.
    Despite the billions already saved, there are billions of 
dollars still on the table that can be saved that are directly 
tied to your scorecard. These savings can be used to modernize 
and perhaps fill agencies' working capital funds that this 
committee has introduced.
    Thank you, again, for your oversight, and I look forward to 
your questions.
    [Prepared statement of Mr. Powner follows:]
    
    
    Mr. Walberg. I thank the gentleman.
    And now I recognize Mr. Fulghum for your 5 minutes of 
testimony.

            STATEMENT OF THE HONORABLE CHIP FULGHUM

    Mr. Fulghum. Chairman Walberg, Ranking Member Kelly, 
Ranking Member Connolly, and members of the subcommittee, thank 
you for the opportunity to talk to you today about the progress 
the Department of Homeland Security has made in implementing 
FITARA. First, I'd like to say how proud I am of the expertise 
and hard work of our employees, who have taken many steps to 
ensure that FITARA is fully implemented.
    It is my privilege to serve with such dedicated folks. I'm 
proud to say that there is a true collaboration between myself 
and Mr. McCormack who is a recognized leader in the Federal CIO 
community. In addition, we also work closely with the CIOs and 
CFOs at our components to increase integration throughout the 
agency.
    While we're pleased with our progress, we recognize much 
more needs to be done to mature and strengthen our process. 
Since the Department was stood up, we've been working toward 
greater integration, transparency, and effectiveness of our IT 
systems. For example, we have tracked IT investment in our 
system of records since 2010 and worked closely with the CIO on 
several major initiatives to improve the health of our IT 
infrastructure. We saved money by focusing on more efficient 
ways of doing business, consolidating when it makes sense, and 
making strategic sourcing a priority.
    I applaud FITARA for reinforcing good government 
principles, ensuring accountability, and reenergizing our 
efforts. IT is a critically important aspect of the DHS mission 
space, and we are committing to get an A on the scorecard. With 
your continued support and working together across the 
Department, we'll get to the top of the class.
    To improve, we will continue to incorporate and empower the 
CIO in our resource planning and programming actions. IT is a 
critical part of the DHS operation and touches most programs. 
As such, CIO's input and insights are necessary throughout the 
planning, programming, budgeting, and execution process.
    The CIO exercises a significant role in resource 
decisionmaking for all programs that include IT resources, and 
we will continue to strengthen that role. This is also codified 
in our Department's management directives.
    During our annual program and budget review, component CFOs 
and CIOs jointly provide a complete picture of IT spending and 
their component. These inputs are aggregated at the Department 
level in order to provide senior leadership with a 
comprehensive picture of IT funding needs, making sure we use 
the most of our limited resources efficiently and effectively.
    Under the leadership of the Under Secretary for Management, 
our integration is not just a close partnership between the CFO 
and the CIO but also includes a chief human capital officer, 
chief procurement officer, and the acquisition community both 
at the headquarters and at the components. The Secretary's 
Unity of Effort initiative focused our efforts on 
institutionalizing former processes, procedures, and 
operational structures that integrate component strengths in a 
coordinated effort to protect our homeland. We built a strong 
foundation through the Unity of Effort, and we'll use that 
foundation to keep making improvements in the Department's 
operations as well as its management.
    Our CIO will continue to be consulted in any and all 
situations where needed. Whether it's an issue to be negotiated 
between the lines of business or components or a topic that 
requires the Secretary's attention, our CIO is always a full 
and trusted participant in any discussion that has an IT 
element. Our CFO and CIO councils work in close cooperation all 
year long, not just at budget time.
    Ultimately, we're institutionalizing how our lines of 
business work together to strengthen resource requests and 
demonstrate links to mission outcomes. Although we've made 
significant progress, we will continue to collaborate closely 
across communities to further strengthen our ability to 
properly manage the Department's IT portfolio. We fully 
recognize that IT is foundational to the success of our 
mission.
    Thank you, and I welcome the opportunity to answer any 
questions you may have.
    [Prepared statement of Mr. Fulghum follows:]
    
    
    Mr. Walberg. Thank you, Mr. Fulghum.
    I now recognize Mr. McCormack for your testimony.

                 STATEMENT OF LUKE J. MCCORMACK

    Mr. McCormack. Chairman Meadows, Chairman Hurd, Ranking 
Member Kelly, Ranking Member Connolly, and members of the 
subcommittee, thank you for the opportunity to appear before 
you today to share the Department of Homeland Security's 
progress on implementation of the Federal Information 
Technology Acquisition Reform Act.
    I would like to start by providing you with some key 
background on the management and oversight of Federal 
information technology at the Department of Homeland Security. 
In 2007, DHS instituted the information technology acquisition 
review process, which enables the DHS CIO to review and 
effectively guide all agency IT expenditures above $2.5 million 
to ensure their alignment with DHS missions, goals, policy, and 
guidelines. In 2011, DHS implemented an enterprise approach to 
the delivery of IT services that leverage strategic sourcing 
and shared services.
    In 2014, simultaneous with Congress' work on FITARA, the 
Office of the CIO began to adopt a new IT business model, which 
was implemented in 2015 and has brought about initial results 
throughout 2016. Rather than procure, engineer, and implement 
our own products, we have begun to take advantage of emerging 
service-based technologies and develop multiple strategy 
partnerships, including with Federal shared service providers, 
along with public and private cloud service providers.
    This open-market strategy, which fosters continued 
competition, allows all DHS to gain access to a variety of 
world-class services while keeping costs low and time to market 
short. FITARA is helping with all of this.
    At DHS, we used a phased implementation approach for 
FITARA. In 2015, our planning year, the DHS OCIO established a 
comprehensive self-assessment report that indicated how well 
DHS aligned to each of the core FITARA requirements, identified 
current gaps, and outlined how DHS would ensure that all FITARA 
requirements are fully executed. We also updated the DHS IT 
strategic plan in 2015, which was in strong agreement with the 
goals and objectives of FITARA.
    This year, 2016, was the year of FITARA implementation at 
DHS. To lead the Department through the FITARA transformation, 
we strengthened the Office of the CIO. DHS now has a second 
deputy CIO, a chief technology officer with elevated 
responsibilities, and a newly formed DHS digital services team. 
This talent, which was all obtained from the private sector, 
has joined our leadership team, and they are playing a key role 
in transforming how we deliver critical IT services.
    FITARA places strong emphasis on maintaining workforce 
skills in a rapidly developing IT environment and recruiting 
and retaining IT talent. Efforts are under way at DHS to 
identify gaps between current and future skill needs to ensure 
employees are effectively developed. The Department is also 
looking to maximize the appropriate use of hiring authorities 
and flexibilities to attract diverse and highly skilled 
candidates.
    On July 27 and 28 of this year, OCIO partnered with both 
the chief human capital officer and the chief security officer 
communities across DHS as well as the Office of Personnel 
Management to support the first ever Department-wide cyber and 
technology hiring fair. This 2-day event generated more than 
14,000 applications, and the Department made more than 400 
prospective job offers.
    DHS is in compliance with FITARA for conducting and 
submitting risk assessments for its 92 major IT investments. We 
proactively support these programs, and if any of them are 
rated as high risk for 3 consecutive months, we conduct a 
TechStat accountability session, which is a deep-dive review to 
address the root cause and get programs back on track.
    To advocate incremental development as the preferred 
development approach for applications and projects, we 
published the DHS Agile Instruction and Guidebook, established 
the DHS Agile Center of Excellence, and are in the process of 
conducting five pilots on programs in various stages of their 
lifecycle and across multiple DHS operating components. These 
pilots are helping the Department to mature best practices to 
ensure we consistently and predictably deliver solutions that 
meet our mission operator needs. In 2017, we will continue our 
consolidation efforts, having consolidated and closed 41 of 102 
data centers per the Federal Data Center Consolidation 
Initiative inventory.
    We are also working to provide key strategic sourcing 
vehicles that allow and encourage access to modern technologies 
and services. Two prime examples are ECS and FLASH. Through 
Flexible Agile Support for the Homeland, or FLASH, we are able 
to provide DHS components with highly qualified agile teams 
focused on deploying IT capabilities quickly and securely to 
support their missions. Enterprise Computing Services, or ECS, 
is designed to provide easy open-market access to leading cloud 
technology providers. This will allow for components to 
purchase infrastructure-as-a-service and platform-as-a-service 
offerings in order to meet critical infrastructure needs in a 
flexible and cost-effective fashion. ECS and FLASH form 
significant building blocks for the Department service delivery 
model.
    In closing, while the Department continues to head in the 
right direction, we recognize there is still work remaining to 
achieve full implementation of FITARA. I would like to thank 
you for your continued support and your commitment to helping 
us achieve the goals of FITARA. DHS looks forward to working 
with you and our partners to continue to increase the value of 
IT acquisitions and better enable our mission through effective 
and efficient implementation of FITARA. I am happy to answer 
your questions.
    Mr. Walberg. Thank you, Mr. McCormack.
    I now recognize Mr. Wiggins for your testimony.

       STATEMENT OF THE HONORABLE FRONTIS B. WIGGINS III

    Mr. Wiggins. Chairman Hurd and Meadows, Vice Chairman 
Walberg, Ranking Members Kelly and Connolly, and distinguished 
members, thank you for inviting me to testify before the 
committee on the Department of State's progress on its Federal 
Information Technology Acquisition Reform Act implementation.
    I want to start by expressing my appreciation for the 
legislation. FITARA reinforces the Department's longstanding 
efforts to be collaborative, transparent, and forward-thinking 
in how we use and acquire information technology. These focus 
areas are central to how the Department manages IT as a whole.
    Today, I would like to share with you how the Department 
approaches IT management and some recent successes. We will 
continue our success with the right processes, people, and 
tools in place, all of which are well aligned with FITARA's 
provisions. However, we recognize that more can be done, and we 
will build on these successes and apply lessons learned to 
overall IT management.
    Over the past 5 months in my new role as CIO, I am working 
to strengthen the established relationships with my peers in 
acquisitions, human resources, and budget and planning. My 
focus has been on frequent and open communication, 
collaboration, and transparency. This approach to IT management 
helps us address the realities we face with fast-moving 
technology, risk from cyber threats, and the ongoing need to 
use our funding wisely.
    Like all agencies, we must tailor our IT to best meet our 
mission needs. We have a distinctive global foreign affairs 
mission, which is reflected in the Department's organizational 
structure. Within this environment, we mapped out an approach 
to FITARA implementation that works best for us.
    We work in a global environment, in places no other 
civilian agency operates, including areas with limited access 
to Internet. We maintain hundreds of applications and provide 
around-the-clock IT services, domestically and abroad. We serve 
275 posts worldwide, including 24 Federal agencies under Chief 
of Mission authority.
    More than 100,000 computers throughout the world are 
connected to our networks, and 38,000 mobile devices allow on-
demand communications for users globally. We drive the 
Department's IT programs and resources and maximize value to 
our users who are increasingly mobile.
    We just completed our IT strategic plan for fiscal years 
2017 to 2019. We drafted the plan collaboratively with leaders 
from throughout the Department. This collaboration is not 
insignificant. It is the foundation for our approach to IT 
management. Let me provide an example to illustrate how this 
collaborative approach is benefitting our FITARA 
implementation.
    Our first step to FITARA involved close coordination 
between the CIO's office and the Bureau of Budget and Planning. 
We consciously focused on this first because it provides the 
foundation for budget execution and acquisitions processes. I 
am proud to highlight that we have made significant progress in 
intertwining the budgeting process with IT management, both at 
a high level and at the working level.
    My office and the Bureau of Budget and Planning improved 
visibility and IT spending, for example, and jointly certified 
the fiscal year 2017 and fiscal year 2018 IT budget submission. 
Additionally, the Bureau of Budget and Planning has become a 
regular contributor to our internal FITARA working group 
meetings, and we have partnered with them to strengthen 
guidance for requesting IT resources.
    My office also continues to strengthen its relationship 
with the Office of Acquisition Management within our Bureau of 
Administration. I work collaboratively with the chief 
acquisition officer to bring IT management and acquisitions 
management together through senior-level meetings and through 
collaboration on IT governance.
    The chief acquisition officer also dedicates staff to 
personally work with us on IT requests. Together, we discuss 
proposed IT solutions and coordinate with program offices to 
determine the most appropriate acquisition approaches.
    This increasing collaboration, empowered by FITARA, paves 
the way for strategic sourcing, improved IT management, and 
even more visibility in how we are using our limited resources. 
Looking forward, I am committed to building on our successes, 
applying lessons learned, enhancing our relationships 
throughout the Department and with our external partners in the 
spirit of FITARA.
    Thank you for your time. I am happy to take any questions 
you may have.
    [Prepared statement of Mr. Wiggins follows:]
    
    
   
      
    Mr. Walberg. We thank you, Mr. Wiggins.
    And now, Mr. Pitkin, we recognize you.

                  STATEMENT OF DOUGLAS PITKIN

    Mr. Pitkin. Good afternoon. Vice Chairs Walberg and 
Farenthold, Chairman Hurd and Meadows, Ranking Members Kelly 
and Connolly, and members of the subcommittees. Thank you for 
the opportunity to appear before the committee today to provide 
an update on the Department's implementation of FITARA, 
particularly on its budget process. As the director of the 
Bureau of Budget and Planning, I coordinate the development of 
the Department's annual resource request that the Secretary 
presents to OMB and Congress each year, and my Bureau is also 
responsible for overseeing the allocation of funds provided by 
Congress.
    Throughout these efforts, my Bureau has sought to ensure 
that the CIO and the Bureau of Information Resource Management 
has both the funding and engagement that it needs to address 
FITARA.
    As reported on the IT Dashboard, the Department's 2017 IT 
budget request is approximately $1.8 billion. The centerpiece 
of that investment is our IT central fund, which provides 
nearly $300 million for the development of enterprise-level 
systems infrastructure. The remaining 1.5 billion resides in 
other Department accounts to support both IRM's enterprise-
level operation and also Bureau-specific programs.
    Both our Bureaus, BP and IRM, continuously seek to improve 
coordination across the entire span of the IT portfolio. We are 
committed to transparency and accountability in the management 
of all aspects of our IT budgets, and this has been greatly 
enhanced by the partnerships, as Frontis mentioned, between the 
CIO and IT project and program managers and other bureaus.
    I also echo his views on how we have made FITARA 
implementation work at the Department of State for IT 
management. From my perspective, FITARA did not superimpose a 
brand-new budgeting process on the Department, rather helped 
codify and strengthen existing IT management principles and 
reinforce ongoing coordination efforts between our offices.
    As an example of this collaboration, in forming the fiscal 
year 2017 budget, my Bureau leveraged the CIO's project 
performance and schedule information to help us jointly 
determine the appropriate funding needed to support the 
Department's electronic health records management project. This 
ongoing collaboration has and will enable us to make better 
informed resource decisions, manage IT investment risk, and 
most importantly, deliver IT services and capabilities that 
support the Department's mission.
    My Bureau has also worked with the CIO's office to include 
FITARA requirements at our annual budget formulation guidance, 
which has improved Bureau supporting documentation for IT 
funding, which now includes more analysis of cost-effectiveness 
and long-term planning in Bureau IT requests.
    Further, over the entire fiscal year, my Bureau works 
closely with the CIO's team to review IT funding allocations 
and actual spending, especially for major IT investments. Our 
goal is to reduce duplication of efforts, share technology 
across the Department, and deliver best value for the taxpayer.
    In support of this effort, my Bureau is looking at how we 
can further improve the transparency of IT budgets with the 
CIO. As part of our Bureau's budget system modernization 
project, we'll be implementing a commercial off-the-shelf 
product to track our IT assets and costs in all phases of the 
project lifecycle from formulation to financial plan and 
including performance metrics as determined by the CIO. This 
will improve the integration of IT portfolio management data 
and budget data, would also promote information sharing across 
the IT enterprise, foster more informed management decisions, 
and help us do both of our jobs more effectively.
    With Congress' continued support and robust collaboration 
with our Federal and non-Federal stakeholders, we believe we 
are on a path toward improved FITARA implementation at the 
Department. We look forward to working with Congress to ensure 
that our efforts not only comply with FITARA but also reflect 
our collective desire to transform how the Department does its 
business both domestically and overseas.
    Thank you for your time, and I'm happy to answer any 
questions.
    [Prepared statement of Mr. Pitkin follows:]
    
    
    
    
    Mr. Walberg. I thank each of the witnesses for your 
testimony.
    And now it gives me great pleasure to recognize the 
chairman of the subcommittee, Mr. Hurd, for your opening 
statement.
    Mr. Hurd. Thank you, Mr. Walberg, and good afternoon 
everyone. The technological change we are going to see in the 
next 20 years is going to make the last 20 years look 
insignificant. We are at a pivotal point in the development and 
utilization of emerging technologies.
    And the current state of IT at most Federal agencies is, in 
most cases, decades behind the private sector. I want to be 
clear: we have made progress. Some have complained that we are 
not reflecting that in the scores, but we recognize there is 
progress being made, but we have a long way to go to get where 
we should be.
    The new administration must prioritize IT management and 
cybersecurity. As seen in the OPM breach, the consequences to 
allowing our government to remain in the horse-and-buggy days 
of technology implementation can be disastrous. This is not a 
partisan issue. This is a security issue. We must come 
together, not as Republicans or as Democrats, but as Americans 
to solve this pressing challenge.
    As I said in May when the committee released the Scorecard 
2.0, the intent of grading agencies is not to shame agencies 
but to provide an objective measurement of progress and 
challenges so that we can facilitate the continued 
implementation of FITARA. The grades improve overall from the 
first scorecard to the second, and I'm pleased to see continued 
improvement in the grades from the second scorecard to the one 
released today.
    The committee has made two key adjustments to the 
scorecard. First, as I highlighted in the hearing in May, when 
CIOs are reporting--who CIOs are reporting to is important. 
This committee intends to ensure the men and women in these CIO 
positions are qualified, accountable, and empowered to make 
decisions and lead within their agencies.
    Consequently, the FITARA Scorecard 3.0 final grades include 
a plus if the CIO reports directly to the Secretary or Deputy 
Secretary of the agency and a minus if the CIO does not report 
to one of those two officials. Neither of the CIOs on today's 
panel report directly to the Secretary or Deputy Secretary, and 
I look forward to discussing the implications of the reporting 
structures at their respective agencies.
    Second, the portfolio review metric has been adjusted. For 
a Scorecard 3.0, each agency's total portfolio stat savings was 
divided by its total IT budget for the most recent fiscal 
year--most recent 3 fiscal years, and then, as with the risk 
assessment transparency grades, the resulting ratio was ranked 
in the five agencies with the highest savings ratio received an 
A, the next B, et cetera.
    This tiered system is more accurate than the system used in 
the first two scorecards, which benchmarked all agencies to one 
outlier agency. Moving forward, the committee will continue to 
evolve and adjust the scorecard as appropriate and, in doing 
so, will help ensure successful implementation of FITARA.
    I urge all agency CIOs to reach out to the committee staff 
if you have questions or concerns about the scorecard generally 
or about any aspect of their agency's grade, because remember, 
this is all information you all have reported to us.
    I thank the witnesses for being here today and for their 
service to the Nation, and I look forward to the questions.
    Thank you, Mr. Vice Chair, and I'll turn it over to you.
    Mr. Walberg. Thank you, Mr. Chairman, and at your good 
graces, I will now recognize myself for my 5 minutes of 
questioning.
    I would add, as what was just stated, that these hearings 
are meant to be a partnership and support and encouragement, 
and I think seeing some of the grades of those that have been 
before us, we've seen some of that take place, and we want to 
continue that.
    And so I have an opportunity here today, as I begin my 
questioning, talking concerning specifically to each of the 
agencies, and I'll let you decide which or both that would want 
to answer the questions. But I want to look at both DHS on data 
centers received a grade of A, and State received an F. So we 
have a complete spectrum there. So be interested to hear your 
answers.
    First of all, going to DHS, how many data centers does DHS 
currently have?
    Mr. McCormack. DHS, we have approximately 102.
    Mr. Walberg. 102 data centers.
    State, how many centers do you have?
    Mr. Wiggins. We have 366 nontiered and 19 tiered, so about 
380-some-odd.
    Mr. Walberg. How many centers, DHS, did you close in the 
last few years, and I guess respond beyond that, how many more 
can we expect you to close by fiscal year 2019?
    Mr. McCormack. And I apologize. I should have said we had 
102. We have consolidated 40 of 102. I hesitate only because we 
are, as I had said in my opening testimony, that we are in the 
middle of shifting our model to not only consolidate into our 
internal data centers, of which we have two core data centers, 
but really shifting that consolidation to the public cloud. And 
while we expect that to take a little bit of time, we have done 
some--had some success with that already at great savings. We 
expect that to ramp up very quickly.
    So I would expect us, in 2019, if I had to have sort of 
rough estimate, that we would have probably less than 25, maybe 
less than a dozen at that point, and what I can't tell you 
right now is how many of those are going to end up in our 
internal consolidated core data centers versus out into the 
cloud.
    Mr. Walberg. Okay.
    Mr. McCormack. We are still doing that analysis right now.
    Mr. Walberg. Okay. But significant movement.
    I turn to State, again, how many has State closed in the 
last few years and how many more can we reasonably expect to 
see close because you have a significant number of centers?
    Mr. Wiggins. Thank you for that question. Part of 2012, we 
actually closed one. Since 2012, we closed six. We are 
targeting an additional four, one tiered and three nontiered, 
in coming before 2018. I think this also brings up an 
interesting point and one we need to work with OMB and GAO on 
very closely because the definition of a ``data center'' or as 
is currently presented loops in a lot of our overseas posts, 
and it's a challenge for us to look at closing what are 
considered data centers at our posts due to our infrastructure. 
I think the definition of the ``data center'' needs to be 
reviewed, perhaps, in conjunction with OMB and GAO, because, 
frankly, what most people consider data center is not what we 
have at our embassies overseas. Some of them are actually 
communications closets with a single rack of equipment, but 
because they have got a UPS in that rack and there's a 
generator in the courtyard for that embassy, it falls in the 
definition of a ``data center,'' as narrowly defined. So we 
need to work on that.
    The target that has been given to us is about 220 data 
centers to be closed in the next year and a half, which is 
going to be an extreme stretch for us. To Congressman 
Connolly's point, if you don't mind, I'll just address this as 
well. You asked about data center savings. I'm not sure whether 
to quote Pogo or Shakespeare, whether the fault is in ourselves 
or our stars; or whether we have met the enemy, and it is us.
    Mr. Walberg. Maybe both will work.
    Mr. Wiggins. Yeah, exactly. We actually had about $35 
million in data center closure cost savings, but our scorecard 
shows zero, so that's on us. We have failed to report that 
properly through the database and through the scorecard, so we 
are getting credit for zero, and we should have about 35 
million.
    OMB had put us down for a target of 17.1, so we have 
exceeded that by two times what the target was, but we have not 
properly reported it. So when you talk about FITARA 
refinements, some of it calls upon the individual agencies as 
they report them.
    So I do look forward to having continued conversation with 
OMB and GAO in exactly how we define a data center, because, 
again, I think the other thing the State perhaps doesn't get a 
credit for is we provide a shared service for a lot of agencies 
overseas. There are a number of agencies that actually ride our 
infrastructure, and we provide them service. They have 
collapsed their data centers because we provide that over to 
them. So we need to continue to refine and review that.
    Mr. Connolly. Mr. Chairman, would you yield just for a 
second?
    Mr. Walberg. Yeah, while I'm chairman, I can yield for just 
a second.
    Mr. Connolly. Just to your point, I would hope that a 
refined scorecard would reflect the data not reported but 
recorded here, because the exercise again is to mark progress, 
not to dig into you because you were late or something like 
that. So I would hope we can incorporate that so the State 
Department is credited for the progress it achieved.
    Thank you, Mr. Chairman.
    Mr. Walberg. I don't want to miss this point, so I want to 
go to Mr. Powner. Could you comment on definition of ``data 
center'' that was brought up by Mr. Wiggins?
    Mr. Powner. Yeah, this gets back to, you know, we have had 
many definitions of ``data centers.'' We started off with one. 
When Steve Van Roekel was the CIO, he changed the definition to 
include all these small closets. Now we are at a tiered, 
nontiered. I think what's really important going forward is we 
have these data center consolidation plans required in FITARA, 
and I know DHS--Mr. McCormack, I know you are working on yours, 
getting it in by the end of December--we are tracking those.
    I think what's really important is that these issues and 
those plans which go to OMB get resolved through OMB. We can be 
part of those discussions to make sure that we're focused on 
the right things, and if there are some closets and the whole 
bit, we can acknowledge that moving forward. That's fair. 
That's fair.
    I think what's really important with the hearing here, 
Ranking Member Connolly, to your point, is some of this 
reporting that was one time to the Appropriation Committees is 
now it's OMB, and not all the agencies were taking this serious 
enough, and we just need to be consistent and serious so that 
we get the right savings so that we can modernize more.
    We need to root out these inefficiencies because there's a 
lot of modernization that everyone has, and hopefully, we can 
reinvest and do the right thing.
    Mr. Walberg. Thank you. And my time is expired, and now I 
have the privilege to recognize the ranking member as well as 
the gentlelady who has the privilege of representing my 
hometown, Ms. Kelly.
    Ms. Kelly. Thank you. One of the things we've learned is 
the importance of grading whether or not an agency CIO reports 
directly to the Secretary or the Deputy Secretary of the 
agency. Mr. Powner, in your assessment, why is it important to 
the success of an agency's overall FITARA implementation plan 
that there be a direct reporting relationship between the CIO 
and the head of an agency?
    Mr. Powner. So I think the higher up you report, the 
better. Typically, that's associated with more authorities. 
Now, can it work if you don't? Absolutely it can, but we've 
seen plenty of situations in DHS--not going to revisit history 
here--where that reporting arrangement wasn't great for the CIO 
and the CIO wasn't really backed--not with the current folks.
    But I think what's important is if you look at the FITARA 
implementation plans that get reports, self-assessments by the 
agencies, the self-assessments are higher for those CIOs that 
report to the DepSec or higher. So CIOs are telling us that 
their authorities are stronger the higher they report.
    Ms. Kelly. And how did you go about evaluating whether each 
of the agencies that were scored had a direct reporting 
relationship between their CIO and Secretary or Deputy 
Secretary?
    Mr. Powner. We have ongoing work for this committee that 
we're looking at CIO authorities, which include the reporting 
structures, and honestly, a lot of this comes right off of the 
agencies' and departments' Web sites, but we confirmed a lot of 
that through our ongoing work that we're performing for this 
committee.
    Ms. Kelly. Thank you. In my opening I talked about there 
were agencies that improved their letter grade. For example, 
the current scorecard shows significant improvement from NASA 
that went from an F to a C-plus. Since GAO first began working 
with our subcommittee on a scorecard for monitoring agency 
progress in FITARA, have you seen a steady improvement in the 
overall grades?
    Mr. Powner. I think there's some agencies that have had 
excellent improvement. NASA, that was highlighted, not only did 
Renee Wynn make remarkable improvements in the data center 
area, on software licensing, she's also reporting tens of 
millions of dollars in software licensing savings.
    So I think having NASA up here at your last hearing 
resulted in great improvements. Clearly, there are some 
agencies that are in that D range that we need to get more 
progress on. And to comment on the F, you know, Richard 
McKinney at DOT is one of the best CIOs we have, but he has a 
situation there at the Department of Transportation that's very 
difficult that he inherited, but it's not from his efforts. And 
even though he has an F, he deserves a lot of credit for what 
he's done. I know he's been in front of this committee.
    Ms. Kelly. And out of the four areas, which area has been 
one that you've seen more improvement than others?
    Mr. Powner. I think clearly data center consolidation has 
been on a nice track with reported savings, and then clearly, 
too, I think the adjustment that Chairman Hurd mentioned on the 
portfolios that were--tiered it--that was an appropriate 
adjustment. It was more fair to the agencies, and I think 
that's part of the reason why you see an increase in a lot of 
the grades too is because of the portfolio stat grades creeped 
up.
    Ms. Kelly. Thank you.
    Mr. McCormack, DHS was among the agencies whose overall 
score improved, going from C to B-minus. Can you briefly 
explain what were the steps DHS has taken to improve its 
success?
    Mr. McCormack. It was in a portfolio review. We went up 
significantly there. We spent a lot of attention on that, 
worked very closely with GAO to make sure that we were doing 
that correctly and thoroughly, and I think that's where we made 
most of our strides in this particular round.
    Ms. Kelly. And while we've seen agencies that have 
improved, we have seen agencies that haven't or have stayed the 
same.
    Mr. Wiggins, can you explain what challenges the State 
Department has been facing when it comes to FITARA 
implementation that would account for its overall score 
remaining so low?
    Mr. Wiggins. Yes. Thank you for the question. I think, as I 
outlined earlier, I think part of the challenge is, when we 
don't do our own reporting properly, then we get a failing 
grade in certain areas. But in other areas, there has been a 
tendency on our part to perhaps get into analysis paralysis. 
For example, when it comes to enterprise license agreement, we 
have about $47 million in software savings we've already 
realized, and there's another 43 that we're expecting to 
realize, but we did not report it because we could not confirm 
it 100 percent, so that's something we have to improve.
    The other thing is when you look at incremental 
development, for example, we did not have a mandatory use of 
incremental development as part of our project management plan. 
Since I have come into this office 5 months ago, I have made 
that mandatory.
    In addition, we did not have an office that focused on 
workforce. We did have an IT strategic plan. We did not have a 
cybersecurity strategy. We did not have a cybersecurity 
tracker. All those things have been put in place since I've 
assumed the role. So we have a lot of work to do to catch up. I 
have set a stretch goal for my staff to get us to a B this 
year, and I'll say on the record that I will accept a C, but I 
would like to get us to a B. And I think we have a number of 
processes in place to get us there. We just have to knuckle 
down and do it.
    We have an excellent partnership with our colleagues in the 
old office of bureau--excuse me, Bureau of Budget and Planning, 
as well as our other peers, like the chief of human resources 
officer. We have to leverage those and kind of land the planes. 
We've got a lot of very good planes in place. As Mr. Powner 
mentioned, we've already undertaken our workforce review. Our 
report was given to us in November. We are now going through 
that. So there are a lot of things that have taken place in the 
last few months. We just have to get those things and drill 
into them.
    Ms. Kelly. And in what ways can Congress help you with the 
implementation?
    Mr. Wiggins. Time. You know, the one thing that no one has 
enough of. I think, in relation to your question earlier, 
Congresswoman Kelly, I--again, this is coming from the new kid 
on the block who got a D-minus, so, of course, this is going to 
be a self-serving comment, but when you look at the CIO 
authorities, I think, if I could offer a chance of refinement, 
I think it's not so much what box reports to what box but what 
you actually do with that opportunity.
    So, for example, I don't report directly to the Deputy 
Secretary or the Secretary of State, but I meet with the 
Secretary four times a week, I meet with the Deputy Secretary 
eight times a month. I have a direct tasking from her on 
cybersecurity. I have a direct tasking from her on knowledge 
management. An outcome from that was our overall cybersecurity 
strategy, which we never had before, and the creation of a risk 
officer for the first time ever in the Department.
    So I would almost say quality of engagement, and even 
quantity is one measure, obviously, but quantity and quality of 
engagement is a little bit more nuanced than just a plus or a 
minus. And, again, this is coming from a guy who got a minus, 
so take that with a grain of salt.
    Ms. Kelly. Thank you, and I yield back.
    Mr. Hurd. [Presiding.] I'd now like to recognize the 
distinguished gentleman from the great State of Texas, Mr. 
Farenthold, for your questions.
    Mr. Farenthold. Thank you, Mr. Chairman.
    And I have some questions, but I want to start off with Mr. 
Powner.
    You mentioned in your testimony that there were billions of 
dollars in low-hanging fruit of technology fixes we could do. I 
don't want to let that remark just slide by. You want to share 
a couple of pieces of low-hanging fruit? Anything we can do to 
help the budget is a win.
    Mr. Powner. I think the number one area for cost savings--
and it always has been the number one area--is data center 
consolidation. We have $5 billion on the table, and honestly, 
if you look at the optimization metrics at some of these 
agencies, I think that $5 billion could be higher. That's the 
biggest bucket. When you look at your scorecard here, we need 
to keep the pressure on savings. The metrics are fine. We can 
weave that in down the road, but there's a lot of money to be 
saved.
    Mr. Farenthold. Anything else?
    Mr. Powner. That's number one. Portfolio stats, some 
duplicative spending, I could sit here and tell you stories of 
agencies that still have component bureaus that refuse to go to 
email as a service, even though it's cheaper than their 
current email. There's some low-hanging fruit there that we 
could still fix with duplicative wasteful spending at agencies, 
in the portfolio stat area.
    Mr. Farenthold. All right. So, while your microphone is on, 
and I'm going to address this to anybody else who wants to 
answer it as well. What are we not measuring in FITARA that we 
need to be measuring?
    Mr. Powner. I think the people measurement is very, very 
important. Clearly, these are four areas in the law--these are 
four areas to save money, incremental development. No one is 
going to argue that going small isn't the right thing, so you 
need to continue to measure these areas. But if you look at the 
people part of it, the CIO authorities, to be given the right 
authorities with support from the top, that continues--should 
be the focus of this committee. But, also, if you have support 
from the top and a strong CIO but you have a workforce that has 
a lot of holes in it, you're going to have a tough time.
    So I think that people part at the top--and we just issued 
a report that showed these gap assessments on IT skills, which 
includes the cyber workforce. Agencies have big gaps that we 
need to address more comprehensively.
    Mr. Farenthold. I'll get to people in a second. Does 
anybody else want to add a missing?
    Okay. So let's go into people. You talked specifically 
within the cyber. I want to talk with the workforce in general. 
You can get the best technology in the world, but when you have 
somebody who's used to doing things on a Windows XP or a, you 
know, out-of-date BlackBerry or whatever, how are we addressing 
the people issues and training? Do we have an adequate way to 
look at that, and is that something we need to be focusing more 
on?
    I'll start with Mr. Wiggins. You're smiling over there, and 
I know we've had some unrelated testimony in this committee on 
something completely different about State Department 
technology.
    Mr. Wiggins. Thank you for the question. I am chafing at 
the bit. As a former dean of our School of Applied Information 
Technology at FSI and a former instructor, I'm a big believer 
in the power of people. And if you allow me to wax 
philosophically, I'm a guy who started as a GS-7 who worked my 
way up to where I am. I paid my dues up full on the way, and 
the only way I got there is to be a lifelong learner. Our gap 
analysis is demonstrating that we--the Department of State has 
significant needs in the areas of skills, specifically with 
cyber, and since plagiarism is the sincerest form of flattery, 
we're going after DHS' model of enhanced skills incentive pay.
    Skills incentive pay actually started with the Department 
of State when I was the dean, and now DHS has expanded on that 
for cyber skills incentive pay to try and capture and retain the 
best talent out there, and we want to do the same thing.
    The other thing I think is important, it's not just the 
technologists who are behind the equipment; it's the users. 
It's the customers, and I always tell my folks we're a 
customer-service organization. If we're not giving training to 
our customers, we might as well be handing them bricks. And 
this also gets in the cyber realm because, as I think everybody 
knows, our biggest threat is--well, there is an insider threat 
to a certain degree, obviously, but it's when our customers 
click on that spear phishing link or click on the ransomware 
that we've experienced our greatest problems, and so it's that 
education of the total workforce, not just the IT workforce, 
that's very important.
    In fact, we are getting ready to deploy this month--I won't 
give the technology, because I don't want it leveraged against us, 
but an artificial intelligence learning tool to combat spear 
phishing in particular, because we've been vulnerable to both 
spear phishing and ransomware. So I take it to heart that the 
technology training, both for the workforce and for the IT 
workforce, larger workforce, is vital to us.
    Mr. Farenthold. One more question as I'm running out of 
time. Mr. Wiggins, I'll hit you with it, too. The State 
Department is the only one that basically dropped in grade with 
your minus. Is there anything unique about the State Department 
that makes your challenges different from another agency?
    Mr. Wiggins. Thank you for the question. I would say, as I 
alluded to earlier, it's kind of our overseas posture and the 
necessity of providing a shared service to all those missions I 
discussed. It's also the fact that we had a complete turnover 
in our senior management. It's not just me. It's every other 
deputy chief information officer has been changed out in the 
last 4 months with one exception. So we've got an entirely new 
group that's looking at this. And so we're taking--it's an 
opportunity to take a fresh look at everything, but it's also a 
challenge to get us geared up and going forward, so that's 
when----
    Mr. Farenthold. Your staff are professional employees. 
They're not political.
    Mr. Wiggins. That's correct. And every one of my members, 
including myself, we're professional members. We worked our way 
up through the ranks.
    Mr. Farenthold. Thank you, Mr. Chairman. I see my time is 
expired.
    Mr. Hurd. I'd like to now recognize my friend from the 
Commonwealth of Virginia and the original cosponsor of the 
Connolly-Issa bill, also known as FITARA, Mr. Connolly, for his 
5 minutes of questioning.
    Mr. Connolly. Thank you, Mr. Chairman. Thank you for your 
generosity there.
    Just a parenthetical note, Mr. Wiggins, Mr. Pitkin, 
compliance with FITARA and reporting under FITARA is not a 
voluntary activity. I was on the floor yesterday passing a 
truncated State Department authorization bill. Included in that 
bill is my amendment requiring the State Department to comply 
fully with the terms of FITARA.
    So we are not going away, and we'll use--I happen to be on 
that committee too. So one way or another, the State Department 
is going to have to come to grips with reality here. Every 
agency can claim, to Mr. Farenthold's question--I think it was 
Mr. Farenthold--every agency is unique. Every agency has unique 
missions, and you're no different than anybody else in that 
regard.
    Technology--the management of IT is potentially--and, Mr. 
Wiggins, your testimony was welcomed, a welcome addition from 
State Department--a transformative force for changing how we do 
business, how we can improve efficiency and performance and 
productivity, and do a better job of providing service to our 
clients and our customers, as Mr. Wiggins indicates.
    So it needs to be looked at in that way. I am concerned, 
Mr. Wiggins, that your testimony about who you report to, 
because, as Mr. Powner, we know this from our own experience, 
and you mentioned DOT: It's got to come from the top. It's got 
to have--that person, whoever is the Secretary of the agency, 
has got to understand the transformative nature of IT, and oh, 
by the way, the other side: What could go wrong if this goes 
bad?
    And I don't know how often we have to learn that in the 
form of Web site collapses or cyber attacks that are 
successful. But, you know, this is not something tangential to 
the mission. It's actually integral to the mission. And I can 
see you want to comment, Mr. Wiggins. I welcome your comment.
    Mr. Wiggins. Thank you, Congressman Connolly, and can you 
hear me? I'm sorry. First off, I wholeheartedly agree with your 
evaluation of the transformative nature of IT. I like to say 
that IT is a tool. It's a very powerful and expensive tool, but 
that's just it; it's a tool. And that gets back to the whole 
education piece of, if we're going to put those tools out 
there, we have to make sure that people have the background to 
leverage them.
    On taking FITARA seriously and being passionate about it, I 
can tell you that my concerns about our FITARA implementation 
are such that I've identified five full-time employee positions 
I'm conferring over from programmatic status to support FITARA 
specifically so we can move forward on getting from a D to a 
higher grade. Because whether it's the evaluation of 
incremental development or any of the other budgetary pieces or 
programmatic pieces, we have to focus on it, and I think by 
putting additional FTEs against this, it will definitely help.
    As far as the reporting structure, thank you for your 
comments. As I said, I meet on a regular basis with the Deputy 
Secretary. She is directly involved in a lot of the activities, 
and it's almost a dotted line between me and her office--excuse 
me--me and my office, excuse me. But the other nuance, if you 
will, is that working with my other Assistant Secretaries, such 
as Mr. Pitkin--you heard a lot about collaboration in my 
testimony. That's kind of how I like to operate. I like to work 
among peers. I don't like to work by fiat necessarily. I feel 
I'm very effective in working collaboratively with my peers. In 
having that dash line to the DepSec gives me that authority. 
When I walk in and say, ``The DepSec has identified that we 
have to do this,'' I get a lot of responses. So your point is 
well-taken, though, and I will continue to review that.
    In fact, there was an Office of the Inspector General 
report recommending it. In reviewing it, both the Deputy 
Secretary and Under Secretary concurred that the CIO position 
should remain where it is, at least for the time being.
    Mr. Connolly. Yeah. We want to elevate your position. We 
didn't--in writing the legislation, we weren't overly 
prescriptive. We were hoping that the situation--I mean, the 
hierarchy would evolve to a more rational hierarchy. We have 
250 people named CIO in 24 agencies. There is no private 
corporation, no matter how big, that would have anything like 
that.
    In fact, it's one of my favorite hobbies to ask a CEO of a 
major corporation, Fortune 500, ``How many CIOs have you got,'' 
you know, and I do it with a straight face. And they always 
look at me quizzically, like, ``Well, one.'' And I go: ``Well, 
let me tell you what we've got in the Federal Government.''
    So we didn't do that, but we do expect that there is a 
primus inter pares, somebody emerges as the chief CIO, and that 
that person has the backing of the head of the agency, the head 
of the agency, not 16 rungs down or 3 rungs, and the 
alternative is we get prescriptive.
    I mentioned in the beginning in my opening statement, the 
four of us are not going away. We have been shepherding this, 
and we are quite capable of writing bipartisan legislation. We 
would prefer not to do that, but we've got to have cooperation 
from the very top. And Mr. Powner mentioned a couple that, 
``Well, we don't have it,'' and I don't know if you want to 
comment on this, Mr. Powner, because my time is up, but on this 
whole issue of CIO authority and how well or poorly it's 
evolving.
    Mr. Powner. Yeah, I think clearly reporting higher helps. I 
think a key question we look, whether you have CIO authority or 
not, is, are you in a position that you could halt or terminate 
a troubled project? We have too many troubled projects, and we 
continue to throw money at bad projects. And when CIOs attempt 
to interject themselves, if they can interject appropriately 
and halt, manage risk, do the right thing, then you have 
authority. We don't have that across the board, and having 
support from the top does help you do that.
    Mr. Hurd. I would like to now recognize Mr. Blum for 5 
minutes of questioning.
    Mr. Blum. Thank you, Chairman Hurd. From the great State of 
Iowa, I think you omitted that.
    Welcome to the panelists today. I think it was a couple of 
weeks ago, in our IT Subcommittee hearing, we had the Social 
Security Administration sitting in your seats. In my 
questioning of them, we stumbled upon the fact that, in 2006, 
they undertook a massive IT project that lasted 7 years to 
around 2013, 2014. And the end result was it was scrapped.
    So I asked how much was spent. The answer was $340 million 
was wasted on that IT project in the Social Security 
Administration. I posted that in social media, and I can't 
repeat some of the comments that I have received from the 
people in the First District of Iowa about wasting $340 million 
of the taxpayers' money.
    The largest city in my district, Cedar Rapids, Iowa, 
they've had two 500-year floods in the last 8 years. They need 
$85 million for a flood wall. We wasted four times that, four 
flood walls, in the Social Security Administration on a 
scrapped IT project.
    To add insult to injury, I asked, was the vendor paid, 
Lockheed Martin? They were paid. I asked, was the CEO 
terminated? He was reassigned, of course, of course.
    So incremental software development makes a tremendous 
amount of sense to me. And this question is for Mr. Powner and 
Mr. McCormack and Mr. Wiggins. Is incremental software 
development, A, is it working, and B, what are the challenges 
to implementing it? Mr. Powner first.
    Mr. Powner. I think clearly when you look at the historical 
nature of incremental development--we did a report a few years 
ago on successful IT acquisitions. There were seven that 
agencies pointed to that were a success story deployed within--
somewhere within cost and schedule. Users liked this system. 
Every one of them was an increment of a larger development 
effort.
    So I think when you look at incremental development, 
there's no argument that's the right way to go. Agile 
development incremental, we need to continue to go down that 
path. I think we need to look real hard about funding projects 
that you can't deliver something within that budget year. OMB 
has a 6-month requirement on incremental development, but if 
you can't deliver something within the budget year, we ought to 
think real hard about whether we ought to be throwing money at 
it.
    Mr. Blum. Mr. McCormack.
    Mr. McCormack. Thank you for the question. If I could 
rewind--and indulge me for just a moment on the reporting 
relationship situation. I've been a CIO of an operating 
component. I've been a CIO at Department of Justice and now the 
CIO at the Department of Homeland Security and the vice chair 
of the executive council, and I will tell you the number one 
thing, in my opinion, that makes this successful is what I call 
goal congruence and a governance structure at the Department.
    Mr. Connolly. Did you say--I'm sorry, I couldn't hear what 
you just said.
    Mr. McCormack. Goal congruence--and I'll explain that in a 
minute--and a governance structure. Every CxO in the Department 
of Homeland Security has the authority to sort of throw the 
flag in and say, ``I've got a problem with that project,'' and 
when I say ``CxO,'' I'm talking about the chief procurement 
officer, the chief of human capital officer, certainly myself. 
All of us together as sort of a board of directors have that 
authority.
    In regards to the agile development, and this is where the 
goal congruence comes into play. It works, right. It's a 
private sector best practice. If you go out and look at any 
advanced private sector company that uses IT as a strategic 
weapon, I'll call it, they are all developing in this kind of a 
process. But you cannot do that unless you have the right 
skills, which means you need your CHCOs to help you hire those 
folks. You cannot do that unless you have the right 
procurements in place.
    Right, I talked about FLASH and ECS, which is our cloud-
based technology services and our agile software development 
capability. Right, that's our chief procurement officer. If 
they're not completely aligned with your movement, so to speak, 
none of this happens. And so all those folks typically report 
into--a lot of times it's not the Deputy Secretary. It's the 
Under Secretary of Management, and that's what's really 
important.
    So if you're going to sort of move the ball forward on 
whether it's security with FISMA, whether it's your digital 
transformation effort, whether it's FITARA, you need to make 
sure that the folks that are reporting to that individual are 
on board, and particularly that person is on board. I think 
that----
    Mr. Blum. Are there documents signed off to make sure 
those----
    Mr. McCormack. Sorry?
    Mr. Blum. Are there documents that are physically signed 
off on to make sure the physical parties you just mentioned are 
on board so that goals are congruent?
    Mr. McCormack. Absolutely. We have----
    Mr. Blum. In the private sector, we sign off on----
    Mr. McCormack. --elements in their performance plans in 
regards to the governance process. Every single gate review 
gets certified and codified in writing and cannot go through 
that process and has to be approved by every one of those 
members in our acquisition review board going forward. That's 
that governance structure I was talking about. Every one of the 
CxOs are sort of board of directors of that governance 
structure. It's run by, in this particular case, the Under 
Secretary of Management.
    But I think it's--I just wanted to point that out that I 
think it's very important. While you can have the CIO report to 
the Deputy Secretary, which is important and could be powerful, 
if they're not associated to the individual that you're 
reporting to, then you're still in negotiation, right, you're 
constantly negotiating.
    If that individual is on board and that individual says, 
``Hey, we're going to move,'' then we're going to move, right, 
and so that's just something that I would think this group 
ought to think about and consider.
    Mr. Blum. Mr. Chairman, can Mr. Wiggins answer my question?
    Mr. Hurd. [Nonverbal response.]
    Mr. Blum. Thank you. Mr. Wiggins.
    Mr. Wiggins. Thank you for the time to answer. I just want 
to echo both Mr. McCormack's comments and also Mr. Powner's in 
getting to an earlier point. As the only CIO at the Department 
of State, I have the ability, as the authorizing official, to 
approve IT projects and kill IT projects. We have a governance 
structure in place that's pretty comprehensive. We have an E-
Gov Program Board that meets on a quarterly basis, and then 
you've got an E-Gov Advisory Board that meets on a monthly 
basis. We also have a new cloud computing governance board that 
started in May to review ongoing cloud efforts.
    The governance structure is extremely important, and as I 
mentioned earlier, when I was responding to Congressman 
Connolly, excuse me, we've now added that incremental 
development into the baseline change request for all IT 
projects going forward. We also have something called Managing 
State Projects for IT, MSPIT, that has control gates, and 
there's a review process. Not only do you have to have a 
sponsor for your project, but it goes through a regular control 
gate, and agile development is a part of that.
    There are two challenges I see with agile development. 
Number one, the user interface and the user experience has to 
be built into it. So we have what are called UX expertise that 
we've gotten from U.S. Digital Services to help in that whole 
usability phase of it and also for that agile loopback.
    And the other thing I would say that is a challenge is that 
when you, in our case, we use a firm-fixed-price contract, and 
when you start to look at agile, oftentimes when you say to a 
developer, who is oftentimes a contractor, ``Okay, I now want 
you to go in a different direction,'' and they say, ``Fine, 
that's a surge, and that's going to cost you X amount of money 
in addition.'' So I think the contracting aspect of it too, 
when you have a number of non-FTE who are doing contracting 
development--or, excuse me, programming development is another 
key component and a challenge. But absolutely, agility, agile 
workforce--agile development is a key component. Thank you.
    [3:19 p.m.]
    Mr. Blum. I yield back the time I don't have, and thank you 
for your indulgence, Mr. Chairman.
    Mr. Hurd. I would like to thank the gentleman for his 
insightful questions.
    Now I would like to recognize the distinguished gentleman 
from America's Dairyland, Mr. Grothman, for 5 minutes of 
questions.
    Mr. Grothman. Very good. I hate to pick on Mr. McCormack 
again, but I guess you're it. How many positions at DHS have 
the title of CIO?
    Mr. McCormack. Fifteen, including myself.
    Mr. Grothman. Okay. And what is your relationship between 
you and the others, daily or weekly or monthly or whatever?
    Mr. McCormack. Depending on the CIO, it could be daily. 
It's certainly weekly and monthly. We have regularly scheduled 
CIO Council meetings. I have a dotted-line reporting 
relationship. They all do. I have input into their performance 
plans and I have the ultimate selection authority of all CIOs.
    Mr. Grothman. So you supervise the other 14.
    Mr. McCormack. Sure.
    Mr. Grothman. And every part of DHS has a CIO assigned to 
it?
    Mr. McCormack. They do.
    Mr. Grothman. Okay. Do you provide input on their 
performance reviews?
    Mr. McCormack. I do.
    Mr. Grothman. Okay. Is there a lot of turnover in these 
jobs? First of all, I should ask, how long have you had your 
current position?
    Mr. McCormack. This will be my third year.
    Mr. Grothman. Okay. And you came, what was your position 
before this?
    Mr. McCormack. I was the CIO at the Department of Justice.
    Mr. Grothman. Okay. A lot of turnover in these positions or 
no?
    Mr. McCormack. I'm sorry?
    Mr. Grothman. Is there a lot of turnover in these 
positions?
    Mr. McCormack. I would say the average tenure is probably 
3-plus years. There are some that have been there more than 
that, maybe as long as 5. But it's fairly stable. That's one of 
the things I spend a lot of time on, is making sure that we 
have a good what I call leadership pipeline, including the 
deputy CIOs, which I pay attention to quite a bit as well.
    I am happy to say that we have very little vacancies right 
now across our community. And we spend a lot of time paying 
attention to that because that's just, I think, one of the 
leadership responsibilities that we have, is to make sure that 
we're filling that pipeline, paying attention to it, and 
developing the future leaders.
    Mr. Grothman. Okay. About what percentage of your budget is 
spent on the cloud? Kind of switching gears.
    Mr. McCormack. On the cloud it's about 4 percent right now.
    Mr. Grothman. Okay. Has that increased over time?
    Mr. McCormack. Yes. And that will increase significantly 
with the implementation--we have been doing a lot of pilots, 
which are really more than pilots, over the last year. I had 
some significant successes there. We just recently awarded this 
cloud contract, and we expect that to ramp up very quickly.
    Mr. Grothman. Do you feel overall that'll decrease the 
amount of money that's spent on information technology from the 
government?
    Mr. McCormack. Absolutely. Again, I hesitate only from the 
standpoint is there is a lot of pent-up demand for capability 
in the Federal Government. So right now all of us are making 
choices based on different types of technology and different 
costs associated to that.
    What we have found through our cloud pilots is that we're 
able to deliver capability, incrementally, at a fraction of the 
cost and a fraction of the price.
    Mr. Grothman. Okay.
    Mr. McCormack. So it's been very interesting to see the 
emerging technology and our ability to adopt it quickly and 
deliver at a short amount of timeframe.
    Mr. Grothman. Do you believe that means, in the end, less 
personnel?
    Mr. McCormack. I wouldn't say less personnel. I would say 
different personnel, in many cases, again, simply because the 
demand signal is very high in regards to the capabilities that 
the operators need and want.
    Mr. Grothman. Can you give me any specific example in which 
as you put more and more into the cloud, any one of your 
subgroups or whatever, that you have seen a savings? Just an 
anecdotal piece of evidence that you can give this committee to 
say this is how we can save money?
    Mr. McCormack. Yeah. I mean, even with our traditional data 
center delivery models that we would use compared to some of 
the cloud-based delivery models, the cost is much less than the 
cloud.
    I will tell you in our open market strategy we've 
reconstructed the contracts that we were using in our private 
cloud data centers, which allowed the current vendors in those 
data centers to sharpen their pencils because we have 
requirements and needs at times to use a private cloud versus a 
public cloud. But what we were trying to do is get the costs to 
balance out. So we have been able to do that fairly 
aggressively by reconstructing that.
    I will tell you, by the way, this is why the partnership is 
very important. That takes an extensive amount of work on our 
staff to figure out how to do that and on our procurement 
organization to put those contracts together. So that 
partnership that I was talking about earlier, to hiring those 
types of people that can do those types of negotiations, to 
work with our procurement community, to work through those 
capabilities, is very significant.
    Mr. Grothman. Okay. I see my time is up. So thank you for 
giving me my 5 minutes.
    Mr. Hurd. Thank you, sir.
    I would like to recognize myself now.
    Mr. Pitkin, what's the IT budget for the State Department?
    Mr. Pitkin. Sir, approximately $1.9 billion.
    Mr. Hurd. $1.9 billion. How much of that does Mr. Wiggins 
have responsibility over?
    Mr. Pitkin. Approximately 50 percent.
    Mr. Hurd. Fifty? Five-zero?
    Mr. Pitkin. Five-zero.
    Mr. Hurd. And what's the reason for not having 
responsibility over the other 50 percent?
    Mr. Pitkin. Another 25 percent is under the control or 
falls under the Bureau of Consular Affairs. It's essentially 
our visa and passport system. So they essentially have a very 
large both a legacy system as well as systems they're 
developing to modernize our visa passport systems. And the 
other 25 percent is distributed among other bureaus. About 5 
percent with our comptroller for payroll and the financial 
system 5 percent.
    Mr. Hurd. So does the Consular Bureau have a CIO? Who is 
responsible for the implementation of their digital 
infrastructure?
    Mr. Pitkin. They have an information office, but it falls 
within the overall authorities of the CIO. So they have their 
own personnel, their own IT infrastructure but they report----
    Mr. Hurd. Who has the ability to halt or terminate a 
troubled project within the Consular Bureau?
    Mr. Pitkin. Certainly the assistant secretary for consular 
affairs would, as well as her management team, primarily the 
deputy or her----
    Mr. Hurd. Do you?
    Mr. Pitkin. On my own authority I would not. Certainly I 
can control the spigot of funds, but I would not make a 
unilateral decision to halt funding for a project without 
consultation with the CIO. So with the CIO I could make that 
determination, but of course I would defer to Frontis' 
expertise and whether it was truly a troubled project.
    Mr. Hurd. Thanks for the perspective. That's why one of the 
reasons that we asked the deputies of your two agencies to sit 
and visit with us as well, to have this broader conversation. 
And in future hearings we are going to be doing that.
    Mr. Wiggins, the visa and passport system, is this the same 
as the Consular Systems Modernization program?
    Mr. Wiggins. I believe you are referring, yes, to Consular 
One and the overall consular IT system, yes.
    Mr. Hurd. And you've assigned--you've actually assigned a 
medium risk rating for this IT investment. Is that right?
    Mr. Wiggins. That's correct.
    Mr. Hurd. And yet you have no budgetary control over this?
    Mr. Wiggins. I would say I have budgetary collaboration on 
it. We sit in on the Bureau of Consular Affairs budget review, 
along with Mr. Pitkin, and I meet on a monthly basis with the 
assistant secretary from Consular Affairs. Their principal 
deputy assistant secretary also meets with my principal deputy 
assistant secretary to review the investments and the overall 
projects within IT. And I would say that that was recently--it 
was at a 2 and it was upgraded to a 3.
    Mr. Hurd. So about $50 million has roughly been put into 
this project. Is that correct?
    Mr. Wiggins. That's correct.
    Mr. Hurd. Is there something working?
    Mr. Wiggins. Yes. I believe that they overhauled part of 
the combined consular database. And I know that there is a DVIS 
system--I can't remember exactly what the acronym stands for--
but that's targeted to be replaced starting this year.
    Mr. Hurd. And the additional $118 million that is going to 
be spent this year, what is that going to get us?
    Mr. Wiggins. Honestly, I do not know. I'd have to take that 
back and get back to you.
    Mr. Hurd. Good copy. Please do. I'd be interested in having 
an insight on that.
    Are you responsible for all the licensing?
    Mr. Wiggins. Enterprise license agreements? Yes, sir, I am.
    Mr. Hurd. You have software and operating systems that 
stopped being supported back in 2010, and these are fairly well 
known operating systems. Is it not included in your budget or 
in the contract with those entities to upgrade those systems?
    Mr. Wiggins. Yes. In fact we have a Global IT Modernization 
office, which is referred to as GITM, that is responsible for 
the overall upgrade of our systems. We are in the process of 
upgrading our systems worldwide right now to BladeSystems. It's 
called an enterprise converged platform. We are averaging about 
five offices a month and five posts a month. We hope to get to 
10 a month.
    On the enterprise license agreement, we currently have five 
ELAs or BPAs. They are with Microsoft, Oracle, VMware, Citrix, 
and Adobe. We have realized about $47 million in savings so far 
in the ELA for that and we anticipate another $43 million. And 
in addition we do partner with the other bureaus through our 
capital investment process to look at----
    Mr. Hurd. So is the plan to upgrade all the systems, all 
the operating systems?
    Mr. Wiggins. Absolutely.
    Mr. Hurd. And when is that going to happen?
    Mr. Wiggins. I'd have to do my math very quickly, but if 
not this fiscal year, by the next fiscal year.
    Mr. Hurd. And that includes the Bureau of Consular Affairs?
    Mr. Wiggins. That's correct.
    Mr. Hurd. Gotcha.
    Mr. Fulghum, what is the IT budget for the DHS?
    Mr. Fulghum. Six billion.
    Mr. Hurd. And how much does Mr. McCormack have?
    Mr. Fulghum. He has oversight of all 6 billion during the 
programming phase. You know, we execute budgets decentralized, 
but he has gates throughout that process where he can exercise 
oversight.
    Mr. Hurd. Does he have the ability to terminate or halt a 
troubled project?
    Mr. Fulghum. So the chief acquisition officer in the 
Department is the one who will halt a program. No program, 
however, will move forward without his concurrence. So in 
essence he does have veto power.
    Mr. Hurd. Mr. McCormack, how often do you meet with the 
Secretary or the deputy secretary?
    Mr. McCormack. It depends on the subject. I would say, you 
know, maybe once a month. A lot of times that's on 
cybersecurity-related issues.
    Mr. Hurd. How do I put this question? I don't want to get 
anybody in trouble. That seems a little low. How about I just 
make a statement. That seems a bit low.
    And, ultimately, I do believe one of the most important 
things that FITARA is giving us is to strengthen the CIO's 
authorities. And the goal of our two committees is to make sure 
you have all the tools you need so that we can ultimately hold 
you and your other 14 CIOs in your Department accountable.
    And that is why we stress this reporting, something as 
simple as how many times do you report and who do you talk to, 
because it's not an industry standard to have the CIO and the 
CISO not report directly to someone within the C suites.
    I am going to yield to Mr. Blum for a question.
    Mr. Blum. Thank you, Chairman Hurd.
    I just have one quick question. According to our report 
here it says the following: ``FITARA requires OMB and agency 
CIOs to annually review the IT investments of an agency to, 
among other things, identify potential duplication and waste 
and identify cost savings.''
    So I will start with our two CIOs here, Mr. McCormack and 
Mr. Wiggins. My questions are, first of all, have you done 
exactly that every year? Secondly, is it in a report that I can 
read? And thirdly, are the recommendations, assuming you did 
it, being acted upon?
    Mr. Wiggins, start with you.
    Mr. Wiggins. Thank you for the question.
    In the 5 months I have been in office, no, I have not. But 
I will go back and check. I do know that since I became an 
acting CIO I have been meeting on a regular basis with Tony 
Scott. We have a regular meeting, the CIO Council, talking 
about FITARA and implementation. I do not know factually if 
that report has been reviewed by OMB. I will take that back and 
review it.
    Mr. Blum. But you are aware of the requirement?
    Mr. Wiggins. Oh, absolutely, yes.
    Mr. Blum. Duplication, waste, cost savings, very, very 
important.
    Mr. Wiggins. I agree. I know that. I have been doing that 
internally through our CCGB process and our various governance 
processes. I am assuming that we are reporting that to OMB, but 
I have to make sure that we actually have done so.
    Mr. Blum. Mr. McCormack?
    Mr. McCormack. Yes, we have done that analysis. We have 
pulled that information together, done that analysis, and we do 
report on that.
    Mr. Blum. Are there savings? Are there duplication? Is 
there waste? Is it substantial?
    Mr. McCormack. I am sorry?
    Mr. Blum. That number, what you have come up with in that 
report, is it a substantial dollar amount of duplication, 
waste, and cost savings?
    Mr. McCormack. It was substantial. It's less substantial 
now because we have done a lot of work to wring those cost 
savings out, right? So we talked about the 40 data centers that 
we have consolidated. And that's where a lot of our cost 
savings came from. While we have, you know, there are 60 to go, 
we are not going to get the same kind of savings opportunities 
there simply because there is just not that much--as much 
savings in there because of the nature of the types of data 
centers.
    We've put together over a dozen enterprise license 
agreements based on this analysis that we had done with the 
duplication and the opportunities there. We have wrung out 
significant savings in those areas as well. And so while we 
continue to do this analysis and go after these opportunities, 
obviously over time they become less and less because the low-
hanging fruit has been pursued.
    Mr. Blum. Let me ask you a follow-up question to your 
answer. What incentives are there for Federal employees to seek 
out, to find duplication, waste, cost savings? What incentives 
are there? Are there any financial incentives? In the private 
sector, where I come from, there is financial incentives 
typically. Are there any in the Federal Government? Are there 
any in the IT area in DHS?
    Mr. McCormack. I would like to hope I am speaking on behalf 
of every public servant that everyone wants to do the right 
thing. I would say what would incentivize a component CIO, 
particularly in the Department of Homeland Security and I think 
other areas as well, we did this at DOJ, is what I call the 
cut, cost, and reinvest, where if you give them the opportunity 
to cut those costs and then reinvest it into these areas that 
they need funding in versus just sweep it up and go buy Coast 
Guard cutters or helicopters or whatever it is the agency 
needs--and of course we make those decisions based on risk and 
other things--but if there is an opportunity for them to use 
those savings then there is always more incentive to pursue it. 
And so that has worked really well for us.
    Mr. Blum. But there is no personal financial incentive.
    Mr. McCormack. There is no personal financial incentive for 
it other than internal goodness to stretch the taxpayer's 
dollar.
    Mr. Blum. Would an idea to have personal financial 
incentives, would that have some merit, do you think? Is there 
a place for that in government?
    Mr. McCormack. I would say personally no. That's not why 
civil servants become Federal employees, right? I would say no.
    Mr. Blum. What would you say to that, Mr. Wiggins? The same 
question.
    Mr. Wiggins. Yeah, first of all, it has been confirmed by 
somebody smarter than me that we do report our cost savings to 
OMB, and it is on the IT Dashboard. So I can confirm that we 
have done that.
    I would say we have taken a look at it from a slightly 
different perspective. We have an award for IT innovation, it 
stands for Sean Smith award. So we promote innovation, and 
there is a cash incentive and an award for that.
    In addition, we have something called the Thomas Morrison 
award, which is for the IT manager of the year, and there is a 
cash incentive for that, and that includes both innovation and 
improvement in processes.
    So we have a couple of ways of getting at it through 
innovation. It is not necessarily a cost saving metric, but 
oftentimes when we put innovation into place there is a cost 
savings realized through that.
    Mr. Blum. Just for the record, I come from the private 
sector. I think personal financial incentives for employees are 
good things, and I think we could use more of it in government.
    Do you have a comment on that, Mr. Powner, before I yield 
back, at all? I notice you are kind of smiling.
    Mr. Powner. I think right now in the government it's not 
set up that way.
    I do think Mr. McCormack's point on the reinvest is very 
important. If I'm at DHS, I want to reinvest money to better 
secure the homeland. There's a lot of things we can't get to 
that we need to get to and do a much better job to protect this 
country. And that would be the incentive, to save money on 
inefficiencies and do a better job on the mission side.
    Mr. Blum. Thank you.
    Thank you, Chairman Hurd. And I yield back.
    Mr. Hurd. And, gentlemen, we hear you loud and clear. We 
are trying to give you an additional tool to be able to use 
that savings you realize. Unfortunately, it's likely to have to 
wait until 2017 to pull that trigger.
    I would now like to recognize Mr. Connolly again, round 
two.
    Mr. Connolly. Thank you, Mr. Chairman.
    And I would say to my friend from Iowa, we are not entirely 
lacking in incentives. Now, Mr. Hurd and I and Ms. Kelly and 
others are actually--that's what the MGT Act does writ large in 
rewarding agencies by reinvesting the savings. And our silly 
system here with CBO is precluding us from doing it, frankly, 
by double counting money. It's a very strange, Druidic 
methodology, passive understanding. But at any rate we can talk 
about that later.
    But there are also some personal incentives. There are 
rewards. Every agency has its own reward program. There are 
bonuses, performance bonuses in Federal service, which they are 
not as generous as the private sector. I was in the private 
sector too for 20 years. But it's not nonexistent. And maybe we 
should take a fresh look at this in terms of incentivizing 
Federal employees a little bit more generously. God knows we 
haven't been very generous to Federal employees in the last 
number of years. But I think it's an idea worthy of merit, and 
I thank my colleague from Iowa for bringing it up.
    This subject of risk, I think one of the things, Mr. 
Powner, we have discovered is it's really hard to get people to 
identify high risk. One of the great achievements, 
contributions GAO made was by putting IT projects on the high 
risk list on your own really, which got the attention up here 
and I think in some Federal agencies. But you looked at 95 
specific IT projects. In your conclusion, 60 of the 95 were 
kind of low balled. They were actually riskier than identified. 
Is that correct?
    Mr. Powner. That's correct.
    Mr. Connolly. And to what do you attribute that?
    Mr. Powner. That particular study, we looked at CIOs rated 
60 investments as green, and we only agreed with 10 of those. 
We thought 50 of the 60 should have been yellow or red. And it 
was just based on the agency data.
    And our point on that is you need to acknowledge risk to 
effectively manage it. So that's why the dashboard, it's too 
green right now. By nature a lot of these large IT 
investments are risky. A lot of them are moderate risk, just 
what we are trying to do. Just acknowledge it so we can more 
effectively manage that way.
    Actually, both these agencies do a pretty decent job, both 
DHS and State Department, on acknowledging risk. They are some 
of our higher scores. And to their credit they have yellows and 
reds appropriately.
    Mr. Connolly. Correct me if I'm wrong. My memory says USAID 
had no high risk projects, is that correct, identified?
    Mr. Powner. That is correct.
    Mr. Connolly. It was all green.
    Mr. Powner. They got an F.
    Mr. Connolly. Everything is just fine.
    Mr. Powner. Yes.
    Mr. Connolly. Nothing to look at here. Keep on moving by.
    Mr. Powner. Everything is green, yes.
    Mr. Connolly. Yeah.
    Mr. Wiggins, does that make any sense? I mean, for 10 years 
of my life I wrote the authorization in the Senate for USAID. I 
traveled all over the world looking at their projects and doing 
oversight. And I am deeply committed, actually, to our foreign 
assistance program. But to say it's low risk doesn't pass the 
giggle test.
    What's going on, do you think, at USAID? And I understand 
it's a sister agency and it's not entirely within your 
portfolio, but you are as close as we are going to get at this 
table to them.
    Mr. Wiggins. So as a proxy for Jay Mahanand, I would say 
that as an outsider that needs to be looked at. I would say if 
everything is green it's--historically, IT projects are very 
high risk. Something in the neighborhood of 80 percent of them 
failed. I know for a fact that we have about 77 percent of ours 
that are on target. That leaves the other 23-odd percent. So 
without throwing Jay under the bus, I would say I probably need 
to have a conversation with him about that.
    Mr. Connolly. And I would say if the motivation of some is 
to cover up risk, actually now that we are making this a formal 
metric you are putting yourself at risk if you call it green 
and it turns out to collapse, I thought you said it was fine. 
And so I think actually it's worthy of a second look by your 
counterparts across the board, including at AID, to take a 
fresh look at this, because I think it's a tool that can help 
them and protect them and allow us to take some management 
measures to shore it up. It's not designed to sort of give you 
a bad grade because you're about to fail or what's wrong with 
you for even undertaking a high risk project. That's not the 
intent here. And I hope it will be seen for the management tool 
it was intended.
    Thank you, Mr. Chairman.
    Mr. Hurd. Sure.
    Mr. Fulghum, when you signed the DHS FITARA implementation 
plan, was that as your role as CFO or acting CFO or your role 
as the acting deputy under secretary?
    Mr. Fulghum. As the CFO.
    Mr. Hurd. As the CFO? And how much conversation did you 
have with the Secretary and the deputy secretary on the 
implementation of FITARA?
    Mr. Fulghum. As it relates to FITARA?
    Mr. Hurd. Uh-huh. The FITARA implementation plan 
specifically.
    Mr. Fulghum. I would say not routinely.
    Mr. Hurd. Thank you.
    Has Mr. McCormack ever halted or terminated a troubled 
project?
    Mr. Fulghum. Mr. McCormack has recommended pausing a 
troubled program, yes.
    Mr. Hurd. Was the program paused?
    Mr. Fulghum. I'm sorry?
    Mr. Hurd. Was the program paused?
    Mr. Fulghum. Yes.
    Mr. Hurd. Mr. McCormack, was there only one program that 
should have been paused within DHS in your 3 years? Was there 
only one program in your 3 years that you have been at DHS, 
only one software or IT program that should have been paused or 
halted?
    Mr. McCormack. No, there was more.
    Mr. Hurd. There was more?
    Mr. McCormack. There was more than one that was paused.
    Mr. Hurd. And so have you had difficulty in pausing or 
terminating a troubled program?
    Mr. McCormack. No, not at all.
    Mr. Hurd. Good copy.
    Mr. McCormack. Again, as I referred back to that 
acquisition review board, not only the CIO, quite frankly, that 
whole community has the ability to throw that flag in and say, 
``I have concerns about this,'' in regards to a pause. So yeah, 
we've paused more than one for a variety of reasons.
    Mr. Hurd. Some of your peers have expressed concern with 
the FITARA scorecard. I appreciate your all's open input not 
only today, but meeting with staff on this issue. I would like 
my last question to be any insights or suggestions that you all 
have on how you would like to see this FITARA scorecard 
implemented or things you would like to see on the FITARA 
scorecard?
    Because the reality is I think we ought to go beyond just 
FITARA. We should be looking at the implementation of FISMA, 
how are we implementing the Megabyte Act when it comes to 
software licensing. It should be a scorecard on how you do good 
digital system hygiene.
    But I would welcome, Mr. McCormack, Mr. Wiggins, whoever 
would like to go first, any feedback that you all may have.
    Mr. McCormack. So I will take a crack at that. A couple 
things.
    One, I saw your alarm about the frequency in which I meet 
with the leadership, whether it's once a month or two or three 
times a month or a couple times a week. It varies.
    I think what's more important, which is what I had pointed 
out earlier, and I am not quite sure, I am looking over at GAO 
here about how to measure it, but to me, and this is the same 
discussion I had at the White House the other day, that you 
have got to be able to measure that goal congruence issue with 
the other CxOs for these different activities, whether it's 
FISMA, whether it's the digital transformation activities, 
whether it's FITARA. Somehow or another, you have to measure 
more than what the CIO is doing.
    What I had explained to the deputy under secretary, CIOs in 
agencies in large part are completely dependent on their chief 
acquisition officers. They are completely dependent.
    Mr. Hurd. Should they though?
    Mr. McCormack. What's that?
    Mr. Hurd. Should they? Should they be responsible or should 
you have that authority to do that? You're the one responsible for 
defending that system or making sure that system is working and 
you should be responsible----
    Mr. McCormack. Right, but I don't hold--I don't have 
employees that work for me that hold a warrant, right? Unless 
you're going to change those laws, then I am relying, and I 
should be, on the chief acquisition officer, the chief human 
capital officer. They're the only ones that can issue an offer 
for employment to a Federal employee. I can't do that, right?
    And so the point I'm trying to make there is that community 
has to be aligned on these various goals and objectives. And 
whoever that community reports to directly, that's what you 
want to be measuring, right? And in this case, that's the 
deputy under secretary of management. Over at DOJ, it was the 
equivalent of that. It's different in different agencies.
    But I think it is very important to figure out how to 
incorporate that into the measurements. Not just the CIO, it's 
a village that does these things. And it's typically that CxO 
span that gets involved in this, particularly the CFO, the 
CHCO, and the chief acquisition officer.
    Mr. Fulghum. Sir, could I add to that? So I think in DHS 
we're uniquely positioned with the under secretary for 
management structure in that he gets and the other lines of 
business get a lot of attention and, as he likes to say, goal 
congruence in terms of making sure that each line of business 
is supporting the other.
    We have a set of integrated priorities which we get 
together on a very routine basis and measure progress. And I 
believe we have got numerous examples of how that structure is 
working well for our Department. We have got more to do. But 
that structure that we have in place, I believe, is one of the 
reasons we have been as successful as we have been.
    Mr. Hurd. Mr. Wiggins?
    Mr. Wiggins. As I mentioned earlier, I think that one of 
the things that would be helpful is if we go from a binary on 
the reporting structure to a qualitative and quantitative, 
frequency of meetings and what actually are the outcomes from 
those meetings with senior leadership.
    The other thing I would say from a FITARA perspective since 
we are up to, is it, 3.0 now, is a FITARA cookbook of best 
practices that have come out from the other agencies. Either 
OMB can publish it or GAO. I would like to steal some of 
Renee's work that she did to get NASA so far ahead. I do have 
interaction with her through the CIO Council, but not as often 
as I would like. If there were a step-by-step guide on some of 
the most successful implementations of FITARA from some of the 
other agencies, we could look to map that back, and in a very 
cost-effective way.
    The other thing I would suggest, and I am probably getting 
into waters that are beyond my remit perhaps, but we haven't 
really talked today about shadow IT and some of the issues that 
confront agencies related to some of the rogue elements that 
are out there doing things and is there a pejorative or 
punitive element to when the CIO does become aware of shadow IT 
and they try to loop it in, is there some way that either 
people are going to be held more accountable or there is some, 
as you said, kind of incentivization for the CIOs who do kind 
of loop that in.
    Right now we are going through a process of identifying all 
the data centers, non-enterprise data centers out there as well 
as non-enterprise dedicated Internet networks and 
non-enterprise applications that are out there. We are trying to 
get our hands around it. We are supposed to get a report the 
middle of next month on exactly what's happening. That's been 
driven by the deputy secretary in particular.
    So once we get our hands around that and start marching 
through those, FITARA gives us authority to do a lot of things. 
I don't want to get into the punitive aspects of it, but that 
might be helpful as well.
    The other thing, of course, cyber is woven into a lot of 
this, cybersecurity. It's not called out specifically in some 
of the things we are currently measuring, but it touches just 
about everything we are talking about, whether it's the 
workforce or it's the status of our systems. So having some 
kind of cybersecurity measure in there built into some of these 
metrics would be helpful.
    And lastly, and again preaching to the converted, 
obviously, is this whole aspect of the workforce and gaining a 
better measure on exactly how best practices are being taken in 
different agencies to hire, train, retain, and recognize the 
best workforce out there for IT so that government can be a 
place that people want to come to. For example, in the 
Department of State right now, we are doing a public-private 
partnership. We are going to be sending people out to Silicon 
Valley. I am paying for that out of my budget, for people to go 
out for a 1-year sabbatical with Cisco. I am doing another one 
with a partner agency up in Maryland. People will go and spend 
18 months to 2 years up there to bring best practices back.
    So if, again, there are best practices or a workforce 
advisory piece that could be enhanced through FITARA that would 
give us a little more leverage and more ideas, I think that 
would be tremendously helpful. I think there are some 
provisions there already, and we just need to flesh them out 
and continue to refine them.
    Mr. Hurd. Mr. Wiggins, if you find shadow IT, I think 
you're going to be patted on the back, because in 4 months it's 
very hard to say that that shadow IT existed during your 
tenure.
    Mr. Wiggins. If I can offer for the record as well, our 
partnership with our chief acquisition officer has brought to 
light in just the last few months a $500,000 shadow IT 
effort that we've currently blocked. So with our partnerships 
through the budget and planning office and also our chief 
acquisition officer we are finding these things. But like so 
many things, when you kick over a rock you have to be careful 
what you find.
    Mr. Hurd. I would like to yield to the gentleman from 
Virginia.
    Mr. Connolly. I was just going to actually say to you, Mr. 
Chairman, I agree with you that at some point we probably want 
to broaden the scorecard. But I do think while we are still in 
the embryonic stage of implementation of FITARA, we want to get 
the fundamentals right. You look at data center consolidation, 
and there is nothing about those metrics that would allow us to 
conclude, well, we are pretty much over that one. In fact, 
until very recently, we kept on discovering more of them. We 
weren't shrinking them, we were actually getting apparently 
more accurate in identifying them. And I think we went by a 
factor of six or seven over the original estimate by Vivek 
Kundra in the first year of this administration.
    So, I mean, I would just hope we keep in mind what you 
said, but that we also for now try to deal with the basics so 
that we get the fundamentals in place that allow us to better 
grapple with cyber threats and the like.
    So thank you, Mr. Chairman.
    Mr. Hurd. Crawl, walk, run.
    And I know I said that was my last question, but this just 
came to my mind. Mr. Wiggins and Mr. McCormack, you are the two 
individuals within your agencies that can provide an ATO, an 
authorization to operate. Is that correct?
    Mr. Wiggins. That's correct.
    Mr. Hurd. Mr. Pitkin, if Mr. Wiggins did not give or grant 
an ATO, what would happen to that project?
    Mr. Pitkin. We would look at reducing funding for it during 
the budget process, either in formulation or execution. If 
there were some other mitigating factor, of course, the subject 
group would have a chance to raise that issue. But of course 
the CIO would still have that ultimate authority.
    Mr. Hurd. So is not giving an ATO, is that the equivalent 
of trying to halt a program?
    Mr. Pitkin. I am not an expert in the authorities, but 
that's how I would interpret it. But he may have a better----
    Mr. Hurd. Mr. Wiggins, do you have something to comment?
    Mr. Wiggins. Yes, but there are a couple of ways we get at 
that. We also have a capital investment process that looks at 
individual projects as they are brought to us. There is a 
preselect, select, control, and then review process. So we can 
stop projects in their tracks right there. Also through the 
advanced PIT process.
    The ATO authority, as a DAA, the designated authority, 
authorizing official, I can stop things in their tracks, and I 
have done it, in particular with cloud offerings. There was a 
big rush to the cloud, but we put in place governance, the 
CCGB, as I mentioned earlier, and if something has not gone 
through the CCGB I do not give it an ATO and it should not 
exist either externally to our network in the cloud or 
internally within any of our networks.
    Mr. Hurd. Good copy. Mr. Fulghum, how does the process work 
at DHS?
    Mr. Fulghum. Depending on the circumstances surrounding, if 
it's a renewal of an ATO or an initial issue of an ATO and what 
he recommends, we would take corresponding budgetary action.
    Mr. Hurd. Good copy.
    I would like to thank our witnesses for taking the time 
today to appear before us. I think this is our first hearing 
that wasn't interrupted by votes, makes it our last one of the 
year. If there is no further business, without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 3:57 p.m., the subcommittees were 
adjourned.]
