[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
THE FEDERAL INFORMATION TECHNOLOGY REFORM ACT (FITARA) SCORECARD 3.0:
MEASURING AGENCIES IMPLEMENTATION
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
AND THE
SUBCOMMITTEE ON
GOVERNMENT OPERATIONS
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
DECEMBER 6, 2016
__________
Serial No. 114-171
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
______
U.S. GOVERNMENT PUBLISHING OFFICE
26-178 PDF WASHINGTON : 2017
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                 ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio                   Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee        CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                      ELEANOR HOLMES NORTON, District of
TIM WALBERG, Michigan                     Columbia
JUSTIN AMASH, Michigan                WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona                STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee           JIM COOPER, Tennessee
TREY GOWDY, South Carolina            GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas               TAMMY DUCKWORTH, Illinois
CYNTHIA M. LUMMIS, Wyoming            ROBIN L. KELLY, Illinois
THOMAS MASSIE, Kentucky               BRENDA L. LAWRENCE, Michigan
MARK MEADOWS, North Carolina          TED LIEU, California
RON DeSANTIS, Florida                 BONNIE WATSON COLEMAN, New Jersey
MICK MULVANEY, South Carolina         STACEY E. PLASKETT, Virgin Islands
KEN BUCK, Colorado                    MARK DeSAULNIER, California
MARK WALKER, North Carolina           BRENDAN F. BOYLE, Pennsylvania
ROD BLUM, Iowa                        PETER WELCH, Vermont
JODY B. HICE, Georgia                 MICHELLE LUJAN GRISHAM, New Mexico
STEVE RUSSELL, Oklahoma
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama
Jennifer Hemingway, Staff Director
Andrew Dockham, General Counsel
Troy D. Stock, Information Technology Subcommittee Staff Director
Julie Dunne, Senior Counsel
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on Information Technology
WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair   ROBIN L. KELLY, Illinois, Ranking
MARK WALKER, North Carolina               Minority Member
ROD BLUM, Iowa                        GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona                TAMMY DUCKWORTH, Illinois
                                      TED LIEU, California
Subcommittee on Government Operations
MARK MEADOWS, North Carolina, Chairman
JIM JORDAN, Ohio                      GERALD E. CONNOLLY, Virginia,
TIM WALBERG, Michigan, Vice Chair         Ranking Minority Member
TREY GOWDY, South Carolina            CAROLYN B. MALONEY, New York
THOMAS MASSIE, Kentucky               ELEANOR HOLMES NORTON, District of
MICK MULVANEY, South Carolina             Columbia
KEN BUCK, Colorado                    WM. LACY CLAY, Missouri
EARL L. ``BUDDY'' CARTER, Georgia     STACEY E. PLASKETT, Virgin Islands
GLENN GROTHMAN, Wisconsin             STEPHEN F. LYNCH, Massachusetts
C O N T E N T S
----------
Hearing held on December 6, 2016
WITNESSES
Mr. David A. Powner, Director, IT Management Issues, U.S.
Government Accountability Office
Oral Statement
Written Statement
The Hon. Chip Fulghum, Deputy Under Secretary of Management and
Chief Financial Officer, U.S. Department of Homeland Security
Oral Statement
Written Statement
Mr. Luke J. McCormack, Chief Information Officer, U.S. Department
of Homeland Security
Oral Statement
The Hon. Frontis B. Wiggins III, Chief Information Officer,
Bureau of Information Resource Management, U.S. Department of
State
Oral Statement
Written Statement
Mr. Douglas Pitkin, Director of Budget and Planning, U.S.
Department of State
Oral Statement
Written Statement
THE FEDERAL INFORMATION TECHNOLOGY REFORM ACT (FITARA) SCORECARD 3.0:
MEASURING AGENCIES IMPLEMENTATION
----------
Tuesday, December 6, 2016
House of Representatives,
Subcommittee on Information Technology, joint with
the Subcommittee on Government Operations,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittees met, pursuant to call, at 2:00 p.m., in
Room 2154, Rayburn House Office Building, Hon. Tim Walberg
presiding.
Present from the Subcommittee on Information Technology:
Representatives Hurd, Farenthold, Walker, Blum, Gosar, and
Kelly.
Present from the Subcommittee on Government Operations:
Representatives Walberg, Carter, Grothman, Connolly, Maloney,
Chaffetz and Plaskett.
Mr. Walberg. The Subcommittee on Information Technology and
the Subcommittee on Government Operations will come to order.
Without objection, the chair is authorized to declare a
recess at any time.
In fiscal year 2017, the Federal Government plans to invest
more than $89 billion on IT. This is a significant area of
Federal spending that requires Congress' attention. We focus so
much attention on Federal IT acquisition and management because
it's simply important to everything agencies do and because IT
acquisition remains on the GAO high-risk list.
I would like to acknowledge that there has been progress.
The GAO has reported that, as of October 2016, OMB and Federal
agencies have fully implemented about 46 percent of about 800
GAO recommendations that led to this area being put on the
high-risk list. Now this hearing continues this committee's
oversight of agencies' implementation of FITARA. In fact, this
is the third FITARA scorecard hearing, or, as we like to call
it, ``FITARA Scorecard 3.0.''
After today, we will have heard testimony from nine
agencies. The scorecard, which the committee developed with
assistance from GAO, continues to use the same key areas--data
center consolidation, IT portfolio review savings,
risk-assessment transparency, and incremental development--for
purposes of measuring agencies' FITARA implementation.
There has been progress in the grades: 12 agencies improved
their grade; 11 stayed the same; and 1 agency's grade declined.
I would also note that NASA, which was one of the agencies at
our May 2016 FITARA hearing, improved from two straight Fs to a
C-plus. DHS improved its FITARA grade from a C to a B-minus.
State's grade declined slightly from a D to a D-minus. In
fiscal year 2016, DHS spent $6.2 billion while State spent 2
billion on IT.
FITARA provides a critical tool to effectively manage these
IT investments. We'll continue our FITARA oversight in the next
Congress, and I commend Mr. Hurd for his leadership on this
oversight.
I now want to recognize Ms. Kelly, ranking member of the
Subcommittee on Information Technology, for her opening
statement.
Ms. Kelly. Thank you.
As this session of Congress draws to an end, I want to
thank Chairman Hurd, Chairman Meadows, and Ranking Member
Connolly for your leadership and partnership during the 2 years
our subcommittees have been working together to monitor how
Federal agencies manage their information technology projects.
In that timeframe, our subcommittee has held extensive hearings
that examine the state of IT at almost every Federal agency and
heard testimony from the majority of Federal chief information
officers on the challenges they face in overhauling the
management of IT resources.
Our subcommittees also worked together to develop our very
own scorecard for grading agency progress and implementing the
requirements of the Federal Information Technology Acquisition
Reform Act, or FITARA.
Last November, we released the first of these scorecards
and held our first hearing to discuss the grades of three
agencies. Since then, our subcommittees have released updated
scorecards at least twice a year and held hearings with
different agencies to hold them accountable for implementing
the FITARA provisions. Since we first began conducting
oversight over the 24 agencies FITARA covers, we have already
seen a marked improvement with several of those agencies.
For example, since the release of our last scorecard,
NASA's overall grade went from F to a C-plus. The Department of
Education and Energy also showed substantial improvement since
the last scorecard going from an F to a C. Overall, since May
of this year, 12 agencies have shown improvement in their
overall grades.
Looking beyond the grades, I am encouraged by the
responsiveness of most agencies and their progress to date in
FITARA implementation. Notably, governmentwide data center
consolidations alone have realized over 1.6 billion in savings.
These are all good first steps, but it's clear that there
remain obstacles to overcome in implementation. The new
scorecard shows that some agencies have hit roadblocks, that
some have fallen behind in implementation.
I believe that our oversight hearings have helped improve
accountability of IT management in Federal agencies. I believe
hearings like these will be as important next year, and I hope
there will be bipartisan interest in holding the next
administration to the same high standards we have held the
current administration.
The stakes are simply too high when it comes to improving
the efficiency and security of the Federal Government's IT
systems. The Federal Government's IT acquisition process isn't
just an inefficient use of taxpayers' money. It also poses a
security risk as too many agencies are still having to rely on
outdated legacy IT systems that, with each passing year, cost
more and more to secure and maintain.
I want to thank the witnesses for testifying today. I know
that an overhaul of your IT acquisition and management is not
an easy task, so I look forward to hearing how your agencies
are handling the challenges in implementing FITARA.
Thank you, Mr. Chair, and I yield back.
Mr. Walberg. I thank the gentlelady.
And now I recognize Mr. Connolly, ranking member of the
Subcommittee on Government Operations, for his opening
statement.
Mr. Connolly. Thank you, Mr. Chairman.
And I thank my co-collaborator, Ms. Kelly, for her
leadership, Mr. Hurd, and Mr. Meadows. The four of us have
tried to act as one in terms of oversight, and I think that's
been pretty effective, and we're going to continue to do the
same in the 115th Congress, so look forward to working with you
again, Ms. Kelly.
I think oversight by the two subcommittees of the Federal
Information Technology Acquisition Reform Act, better known as
Issa-Connolly, is really important because that didn't happen
in its predecessor legislation known as Clinger-Cohen. Our
bipartisan legislation represents the first major reform of
laws governing Federal IT management since 1996.
When I was chairman of Fairfax County just across the
river, I used to tell our staff we needed three things to be
successful: We needed a clear mission. We needed passion for
that mission. And we needed metrics to measure progress on that
mission.
With FITARA's passage, we clarified the mission, and these
scorecards, I believe, give us the metrics to try to see how
we're doing and to keep the pressure on ourselves to implement.
I'm pleased to see these subcommittees continuing to
exercise their oversight responsibility. Since our last hearing
in May, I, like Ms. Kelly, am encouraged by how quickly the
administration and the majority of Federal agencies have in
fact embraced the effort. I appreciate the leadership of
Federal CIO Tony Scott and the Office of Management and Budget,
and the GAO, Mr. Powner and Gene Dodaro in particular. I hope
for continued leadership in the new administration and a
renewed focus on implementation.
As I stated at that hearing in May, the results of the
scorecard should not be seen as some kind of scarlet letter on
the backs of agencies but rather a guidepost, a milestone on
the path toward self-improvement. The scorecard process ought
to be dynamic, continually incorporating stakeholder feedback
with the possibility of eventually including all seven pillars
of FITARA.
We received favorable feedback from agency CIOs on the
components of the scorecard, but we do recognize that there is
always room to improve the metrics that are used to determine
agency progress. The enormous amount of feedback we've received
has proved that agencies are taking FITARA seriously.
Charged by Congress to provide quarterly progress reports,
the GAO examined OMB's steps to consolidate data centers,
enhance agency transparency, and implement incremental
development. These metrics were selected because their
implementation will have a demonstrable benefit on IT
acquisition and operation, and this data is updated and
available on a quarterly basis.
The scorecard is a tool of both congressional oversight of
FITARA and CIO empowerment. FITARA requires CIOs to certify
that IT investments are adequately implementing incremental
development. We wanted to include CIO authorities in the
scorecard because this will tell us if CIOs are being given the
tools to succeed, and if they are not, then that becomes either
an issue of additional congressional oversight or a foothold
for CIOs to assert themselves under the law. It's important
that Congress continue its oversight and urge OMB to clarify
its guidance directing agencies to make information about major
IT investments publicly available.
On a related front, I was proud to join my friend Will Hurd
in introducing the Modernizing Government Technology Act. The
bill makes a significant upfront investment to retire
vulnerable large-scale legacy systems affecting multiple
agencies. The bill allows agencies to use savings generated
through FITARA and other reforms to make investments in cloud
transition.
The act passed easily through this committee and on the
House floor. Unfortunately, because of a last-minute CBO
scoring issue--the priesthood of the CBO, Mr. Chairman, is one
that mystifies all of us, and the infallibility we invest the
CBO with would make the Pope in Rome envious. I would like to
express some concern on a different issue with the lack of
perceived support for FITARA implementation many CIOs have
experienced within their agencies because of leadership
squishiness, if one could call it that.
I find it unacceptable for any of the agencies to be
working against the intent of FITARA. Secretaries of agencies
and division heads and likewise ignoring the critical role of
CIOs in FITARA implementation and in directing IT investment
defeats the very purpose of the law. We found that some
agencies are struggling to elevate the CIO position to its
appropriate management level.
I look forward to hearing from the Department of Homeland
Security and the Department of State today about their efforts
to streamline CIO reporting authorities, and this is an issue
that will carry through in the next Congress with the next
administration. It's not going to go away.
Finally, I was pleased to see that DHS surpassed its
savings goal by reporting $248 million from consolidation of
data centers. However, I have concern about the Department's
lack of a strategic plan. It was also disappointing to see that
the State Department reported zero savings from data center
consolidation or IT portfolio review. Strange, Mr. Wiggins and
Mr. Pitkin. We certainly look forward to an explanation of
that.
State has also underperformed in assessing the risk in its
major IT investments. I look forward to working with Mr.
Wiggins to improve that performance moving forward.
And, with that, Mr. Chairman, I yield back. Thank you.
Mr. Walberg. I thank the gentleman.
I'll hold the record open for 5 legislative days for any
members who would like to submit a written statement, but now
we recognize our panel of witnesses.
I'm pleased to welcome back in front of us, Mr. David
Powner, Director of IT Management Issues at the U.S. Government
Accountability Office; the Honorable Chip Fulghum, Deputy Under
Secretary of Management and Chief Financial Officer at the U.S.
Department of Homeland Security; Mr. Luke McCormack, Chief
Information Officer at the U.S. Department of Homeland
Security; the Honorable Frontis Wiggins, III, Chief Information
Officer at the Bureau of Information Resource Management at the
U.S. Department of State; and Mr. Douglas Pitkin, Director of
Budget and Planning at the U.S. Department of State.
Welcome to you all. Pursuant to committee rules, all
witnesses will be sworn in before they testify, so if you would
please rise and raise your right hands.
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth?
Thank you. You may be seated. Let the record reflect that
the witnesses all answered in the affirmative.
In order to allow time for discussion, we would appreciate
it if you would please limit your testimony to 5 minutes. Your
entire written statement will be made part of the record.
And so now it's my pleasure to recognize Mr. Powner for
your 5 minutes of testimony.
WITNESS STATEMENTS
STATEMENT OF DAVID A. POWNER
Mr. Powner. Chairman Walberg, Ranking Members Kelly,
Connolly, and Mr. Farenthold, I'd like to thank you and your
staff for your continued oversight on implementation of FITARA
with this third set of grades. Clearly, we have seen
improvements over the past 2 years from several agencies.
The 800 recommendations GAO has made on our IT high-risk
area are associated with many of the FITARA areas, are about 46
percent addressed. That's a substantial increase from last
year. Your latest set of grades has 12 agencies improving, 11
staying the same, and 1 lower. Your oversight has been critical
here.
Take, for example, NASA, one of your witnesses at your last
hearing for receiving the only F, now receiving a C-plus. NASA
has made great strides in the data optimization area, and Renee
Wynn deserves much credit.
I'd like to emphasize the criticality of the four areas
this committee is focused on. Although there has been progress,
we still have too many acquisitions that use a waterfall
approach; too many duplicative systems; transparency of IT
spending isn't as accurate as we need; and we have data centers
that are far from being optimized.
Let's look at the data center situation. For the first
time, we finally see inventory stabilizing around 10,000
centers. We have closed just over 4,300 centers. And five
agencies have closed more than 50 percent of their centers.
These are Ag, Justice, Treasury, GSA, and NASA. There are about
another 1,300 centers planned to be closed. Although the
closures look good, savings and meeting optimization metrics
don't.
Our last report in my testimony highlights the fact that
agencies have saved about $3 billion to date and another $5
billion was planned. New reporting required in FITARA and to
OMB is incomplete and only showing less than $500 million in
outyear savings, a tenth of what it should be.
Our ongoing work for this committee will be making
recommendations to address this to ensure that we save at least
$5 billion so that we can use this for critical modernization
needs. We actually believe there is more savings than the $5
billion, taking into account agencies' limited progress toward
meeting the five optimization metrics.
The new grading area associated with whether the CIO
reports to at least the DepSec is a good start towards delving
into CIO authorities more completely. In fact, agencies' CIO
self-assessments to OMB are higher on average if they report to
the agency head.
We have ongoing work for this committee on CIO authorities
that could further inform comprehensive grading and oversight
in this area. Clearly, CIO authority is still a major issue at
departments and agencies.
As we have discussed, Mr. Chairman, there is even more this
committee could do to help CIOs with their authorities. The
first is ensuring that CIOs have full support from the heads of
departments and agencies. We think your suggestion that the
heads of agencies be asked to testify at these FITARA hearings
in the next Congress is a good one.
The Comptroller General, Gene Dodaro, held a forum recently
on our IT high-risk area and FITARA that Chairman Hurd and
Ranking Member Connolly participated in that we thank you for,
along with former and current Federal and agency CIOs. We will
soon be publishing the results of this forum.
One of over 200 key things that came out of that session
was the need for top agency support regarding cyber and IT
issues. Another area that this committee should consider is the
IT workforce under the CIO. We issued a report 2 weeks ago for
this committee that showed agencies need to do a better job
assessing their IT staffing needs by performing gap assessments
and putting in place plans to bolster the IT workforce.
Enhancements to your scorecard and FITARA oversight in the next
Congress, we believe, should be focused on critical targeted
areas. This starts with ensuring CIOs have support from the
top.
Next, we need qualified and accountable CIOs. By
``accountable,'' we mean those that welcome the strength in CIO
authorities and this committee's oversight and assistance in
strengthening those authorities.
Then we need a stronger, more robust IT workforce under the
CIO. This would include the needed influx of private sector
talent that is more integrated into the Federal IT workforce
because at times the current efforts at the White House and GSA
are a bit too much of a we-versus-them mentality. So, in
addition to bolstering top support, strengthening CIO
authorities in the IT workforce, we believe there needs to be
better transparency, more incremental and agile development,
and more efficient legacy spending. On the legacy side, we
still need to focus on eliminating wasteful duplicative
spending and optimizing our data centers, which would include
far greater cloud adoption.
Despite the billions already saved, there are billions of
dollars still on the table that can be saved that are directly
tied to your scorecard. These savings can be used to modernize
and perhaps fill agencies' working capital funds that this
committee has introduced.
Thank you, again, for your oversight, and I look forward to
your questions.
[Prepared statement of Mr. Powner follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walberg. I thank the gentleman.
And now I recognize Mr. Fulghum for your 5 minutes of
testimony.
STATEMENT OF THE HONORABLE CHIP FULGHUM
Mr. Fulghum. Chairman Walberg, Ranking Member Kelly,
Ranking Member Connolly, and members of the subcommittee, thank
you for the opportunity to talk to you today about the progress
the Department of Homeland Security has made in implementing
FITARA. First, I'd like to say how proud I am of the expertise
and hard work of our employees, who have taken many steps to
ensure that FITARA is fully implemented.
It is my privilege to serve with such dedicated folks. I'm
proud to say that there is a true collaboration between myself
and Mr. McCormack who is a recognized leader in the Federal CIO
community. In addition, we also work closely with the CIOs and
CFOs at our components to increase integration throughout the
agency.
While we're pleased with our progress, we recognize much
more needs to be done to mature and strengthen our process.
Since the Department was stood up, we've been working toward
greater integration, transparency, and effectiveness of our IT
systems. For example, we have tracked IT investment in our
system of records since 2010 and worked closely with the CIO on
several major initiatives to improve the health of our IT
infrastructure. We saved money by focusing on more efficient
ways of doing business, consolidating when it makes sense, and
making strategic sourcing a priority.
I applaud FITARA for reinforcing good government
principles, ensuring accountability, and reenergizing our
efforts. IT is a critically important aspect of the DHS mission
space, and we are committing to get an A on the scorecard. With
your continued support and working together across the
Department, we'll get to the top of the class.
To improve, we will continue to incorporate and empower the
CIO in our resource planning and programming actions. IT is a
critical part of the DHS operation and touches most programs.
As such, CIO's input and insights are necessary throughout the
planning, programming, budgeting, and execution process.
The CIO exercises a significant role in resource
decisionmaking for all programs that include IT resources, and
we will continue to strengthen that role. This is also codified
in our Department's management directives.
During our annual program and budget review, component CFOs
and CIOs jointly provide a complete picture of IT spending and
their component. These inputs are aggregated at the Department
level in order to provide senior leadership with a
comprehensive picture of IT funding needs, making sure we use
the most of our limited resources efficiently and effectively.
Under the leadership of the Under Secretary for Management,
our integration is not just a close partnership between the CFO
and the CIO but also includes a chief human capital officer,
chief procurement officer, and the acquisition community both
at the headquarters and at the components. The Secretary's
Unity of Effort initiative focused our efforts on
institutionalizing former processes, procedures, and
operational structures that integrate component strengths in a
coordinated effort to protect our homeland. We built a strong
foundation through the Unity of Effort, and we'll use that
foundation to keep making improvements in the Department's
operations as well as its management.
Our CIO will continue to be consulted in any and all
situations where needed. Whether it's an issue to be negotiated
between the lines of business or components or a topic that
requires the Secretary's attention, our CIO is always a full
and trusted participant in any discussion that has an IT
element. Our CFO and CIO councils work in close cooperation all
year long, not just at budget time.
Ultimately, we're institutionalizing how our lines of
business work together to strengthen resource requests and
demonstrate links to mission outcomes. Although we've made
significant progress, we will continue to collaborate closely
across communities to further strengthen our ability to
properly manage the Department's IT portfolio. We fully
recognize that IT is foundational to the success of our
mission.
Thank you, and I welcome the opportunity to answer any
questions you may have.
[Prepared statement of Mr. Fulghum follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walberg. Thank you, Mr. Fulghum.
I now recognize Mr. McCormack for your testimony.
STATEMENT OF LUKE J. MCCORMACK
Mr. McCormack. Chairman Meadows, Chairman Hurd, Ranking
Member Kelly, Ranking Member Connolly, and members of the
subcommittee, thank you for the opportunity to appear before
you today to share the Department of Homeland Security's
progress on implementation of the Federal Information
Technology Acquisition Reform Act.
I would like to start by providing you with some key
background on the management and oversight of Federal
information technology at the Department of Homeland Security.
In 2007, DHS instituted the information technology acquisition
review process, which enables the DHS CIO to review and
effectively guide all agency IT expenditures above $2.5 million
to ensure their alignment with DHS missions, goals, policy, and
guidelines. In 2011, DHS implemented an enterprise approach to
the delivery of IT services that leverage strategic sourcing
and shared services.
In 2014, simultaneous with Congress' work on FITARA, the
Office of the CIO began to adopt a new IT business model, which
was implemented in 2015 and has brought about initial results
throughout 2016. Rather than procure, engineer, and implement
our own products, we have begun to take advantage of emerging
service-based technologies and develop multiple strategy
partnerships, including with Federal shared service providers,
along with public and private cloud service providers.
This open-market strategy, which fosters continued
competition, allows all DHS to gain access to a variety of
world-class services while keeping costs low and time to market
short. FITARA is helping with all of this.
At DHS, we used a phased implementation approach for
FITARA. In 2015, our planning year, the DHS OCIO established a
comprehensive self-assessment report that indicated how well
DHS aligned to each of the core FITARA requirements, identified
current gaps, and outlined how DHS would ensure that all FITARA
requirements are fully executed. We also updated the DHS IT
strategic plan in 2015, which was in strong agreement with the
goals and objectives of FITARA.
This year, 2016, was the year of FITARA implementation at
DHS. To lead the Department through the FITARA transformation,
we strengthened the Office of the CIO. DHS now has a second
deputy CIO, a chief technology officer with elevated
responsibilities, and a newly formed DHS digital services team.
This talent, which was all obtained from the private sector,
has joined our leadership team, and they are playing a key role
in transforming how we deliver critical IT services.
FITARA places strong emphasis on maintaining workforce
skills in a rapidly developing IT environment and recruiting
and retaining IT talent. Efforts are under way at DHS to
identify gaps between current and future skill needs to ensure
employees are effectively developed. The Department is also
looking to maximize the appropriate use of hiring authorities
and flexibilities to attract diverse and highly skilled
candidates.
On July 27 and 28 of this year, OCIO partnered with both
the chief human capital officer and the chief security officer
communities across DHS as well as the Office of Personnel
Management to support the first ever Department-wide cyber and
technology hiring fair. This 2-day event generated more than
14,000 applications, and the Department made more than 400
prospective job offers.
DHS is in compliance with FITARA for conducting and
submitting risk assessments for its 92 major IT investments. We
proactively support these programs, and if any of them are
rated as high risk for 3 consecutive months, we conduct a
TechStat accountability session, which is a deep-dive review to
address the root cause and get programs back on track.
To advocate incremental development as the preferred
development approach for applications and projects, we
published the DHS Agile Instruction and Guidebook, established
the DHS Agile Center of Excellence, and are in the process of
conducting five pilots on programs in various stages of their
lifecycle and across multiple DHS operating components. These
pilots are helping the Department to mature best practices to
ensure we consistently and predictably deliver solutions that
meet our mission operator needs. In 2017, we will continue our
consolidation efforts, having consolidated and closed 41 of 102
data centers per the Federal Data Center Consolidation
Initiative inventory.
We are also working to provide key strategic sourcing
vehicles that allow and encourage access to modern technologies
and services. Two prime examples are ECS and FLASH. Through
Flexible Agile Support for the Homeland, or FLASH, we are able
to provide DHS components with highly qualified agile teams
focused on deploying IT capabilities quickly and securely to
support their missions. Enterprise Computing Services, or ECS,
is designed to provide easy open-market access to leading cloud
technology providers. This will allow for components to
purchase infrastructure-as-a-service and platform-as-a-service
offerings in order to meet critical infrastructure needs in a
flexible and cost-effective fashion. ECS and FLASH form
significant building blocks for the Department service delivery
model.
In closing, while the Department continues to head in the
right direction, we recognize there is still work remaining to
achieve full implementation of FITARA. I would like to thank
you for your continued support and your commitment to helping
us achieve the goals of FITARA. DHS looks forward to working
with you and our partners to continue to increase the value of
IT acquisitions and better enable our mission through effective
and efficient implementation of FITARA. I am happy to answer
your questions.
Mr. Walberg. Thank you, Mr. McCormack.
I now recognize Mr. Wiggins for your testimony.
STATEMENT OF THE HONORABLE FRONTIS B. WIGGINS III
Mr. Wiggins. Chairman Hurd and Meadows, Vice Chairman
Walberg, Ranking Members Kelly and Connolly, and distinguished
members, thank you for inviting me to testify before the
committee on the Department of State's progress on its Federal
Information Technology Acquisition Reform Act implementation.
I want to start by expressing my appreciation for the
legislation. FITARA reinforces the Department's longstanding
efforts to be collaborative, transparent, and forward-thinking
in how we use and acquire information technology. These focus
areas are central to how the Department manages IT as a whole.
Today, I would like to share with you how the Department
approaches IT management and some recent successes. We will
continue our success with the right processes, people, and
tools in place, all of which are well aligned with FITARA's
provisions. However, we recognize that more can be done, and we
will build on these successes and apply lessons learned to
overall IT management.
Over the past 5 months in my new role as CIO, I am working
to strengthen the established relationships with my peers in
acquisitions, human resources, and budget and planning. My
focus has been on frequent and open communication,
collaboration, and transparency. This approach to IT management
helps us address the realities we face with fast-moving
technology, risk from cyber threats, and the ongoing need to
use our funding wisely.
Like all agencies, we must tailor our IT to best meet our
mission needs. We have a distinctive global foreign affairs
mission, which is reflected in the Department's organizational
structure. Within this environment, we mapped out an approach
to FITARA implementation that works best for us.
We work in a global environment, in places no other
civilian agency operates, including areas with limited access
to Internet. We maintain hundreds of applications and provide
around-the-clock IT services, domestically and abroad. We serve
275 posts worldwide, including 24 Federal agencies under Chief
of Mission authority.
More than 100,000 computers throughout the world are
connected to our networks, and 38,000 mobile devices allow
on-demand communications for users globally. We drive the
Department's IT programs and resources and maximize value to
our users who are increasingly mobile.
We just completed our IT strategic plan for fiscal years
2017 to 2019. We drafted the plan collaboratively with leaders
from throughout the Department. This collaboration is not
insignificant. It is the foundation for our approach to IT
management. Let me provide an example to illustrate how this
collaborative approach is benefitting our FITARA
implementation.
Our first step to FITARA involved close coordination
between the CIO's office and the Bureau of Budget and Planning.
We consciously focused on this first because it provides the
foundation for budget execution and acquisitions processes. I
am proud to highlight that we have made significant progress in
intertwining the budgeting process with IT management, both at
a high level and at the working level.
My office and the Bureau of Budget and Planning improved
visibility and IT spending, for example, and jointly certified
the fiscal year 2017 and fiscal year 2018 IT budget submission.
Additionally, the Bureau of Budget and Planning has become a
regular contributor to our internal FITARA working group
meetings, and we have partnered with them to strengthen
guidance for requesting IT resources.
My office also continues to strengthen its relationship
with the Office of Acquisition Management within our Bureau of
Administration. I work collaboratively with the chief
acquisition officer to bring IT management and acquisitions
management together through senior-level meetings and through
collaboration on IT governance.
The chief acquisition officer also dedicates staff to
personally work with us on IT requests. Together, we discuss
proposed IT solutions and coordinate with program offices to
determine the most appropriate acquisition approaches.
This increasing collaboration, empowered by FITARA, paves
the way for strategic sourcing, improved IT management, and
even more visibility in how we are using our limited resources.
Looking forward, I am committed to building on our successes,
applying lessons learned, enhancing our relationships
throughout the Department and with our external partners in the
spirit of FITARA.
Thank you for your time. I am happy to take any questions
you may have.
[Prepared statement of Mr. Wiggins follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walberg. We thank you, Mr. Wiggins.
And now, Mr. Pitkin, we recognize you.
STATEMENT OF DOUGLAS PITKIN
Mr. Pitkin. Good afternoon. Vice Chairs Walberg and
Farenthold, Chairman Hurd and Meadows, Ranking Members Kelly
and Connolly, and members of the subcommittees. Thank you for
the opportunity to appear before the committee today to provide
an update on the Department's implementation of FITARA,
particularly on its budget process. As the director of the
Bureau of Budget and Planning, I coordinate the development of
the Department's annual resource request that the Secretary
presents to OMB and Congress each year, and my Bureau is also
responsible for overseeing the allocation of funds provided by
Congress.
Throughout these efforts, my Bureau has sought to ensure
that the CIO and the Bureau of Information Resource Management
has both the funding and engagement that it needs to address
FITARA.
As reported on the IT Dashboard, the Department's 2017 IT
budget request is approximately $1.8 billion. The centerpiece
of that investment is our IT central fund, which provides
nearly $300 million for the development of enterprise-level
systems infrastructure. The remaining 1.5 billion resides in
other Department accounts to support both IRM's
enterprise-level operation and also Bureau-specific programs.
Both our Bureaus, BP and IRM, continuously seek to improve
coordination across the entire span of the IT portfolio. We are
committed to transparency and accountability in the management
of all aspects of our IT budgets, and this has been greatly
enhanced by the partnerships, as Frontis mentioned, between the
CIO and IT project and program managers and other bureaus.
I also echo his views on how we have made FITARA
implementation work at the Department of State for IT
management. From my perspective, FITARA did not superimpose a
brand-new budgeting process on the Department, rather helped
codify and strengthen existing IT management principles and
reinforce ongoing coordination efforts between our offices.
As an example of this collaboration, in forming the fiscal
year 2017 budget, my Bureau leveraged the CIO's project
performance and schedule information to help us jointly
determine the appropriate funding needed to support the
Department's electronic health records management project. This
ongoing collaboration has and will enable us to make better
informed resource decisions, manage IT investment risk, and
most importantly, deliver IT services and capabilities that
support the Department's mission.
My Bureau has also worked with the CIO's office to include
FITARA requirements at our annual budget formulation guidance,
which has improved Bureau supporting documentation for IT
funding, which now includes more analysis of cost-effectiveness
and long-term planning in Bureau IT requests.
Further, over the entire fiscal year, my Bureau works
closely with the CIO's team to review IT funding allocations
and actual spending, especially for major IT investments. Our
goal is to reduce duplication of efforts, share technology
across the Department, and deliver best value for the taxpayer.
In support of this effort, my Bureau is looking at how we
can further improve the transparency of IT budgets with the
CIO. As part of our Bureau's budget system modernization
project, we'll be implementing a commercial off-the-shelf
product to track our IT assets and costs in all phases of the
project lifecycle from formulation to financial plan and
including performance metrics as determined by the CIO. This
will improve the integration of IT portfolio management data
and budget data, would also promote information sharing across
the IT enterprise, foster more informed management decisions,
and help us do both of our jobs more effectively.
With Congress' continued support and robust collaboration
with our Federal and non-Federal stakeholders, we believe we
are on a path toward improved FITARA implementation at the
Department. We look forward to working with Congress to ensure
that our efforts not only comply with FITARA but also reflect
our collective desire to transform how the Department does its
business both domestically and overseas.
Thank you for your time, and I'm happy to answer any
questions.
[Prepared statement of Mr. Pitkin follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walberg. I thank each of the witnesses for your
testimony.
And now it gives me great pleasure to recognize the
chairman of the subcommittee, Mr. Hurd, for your opening
statement.
Mr. Hurd. Thank you, Mr. Walberg, and good afternoon
everyone. The technological change we are going to see in the
next 20 years is going to make the last 20 years look
insignificant. We are at a pivotal point in the development and
utilization of emerging technologies.
And the current state of IT at most Federal agencies is, in
most cases, decades behind the private sector. I want to be
clear: we have made progress. Some have complained that we are
not reflecting that in the scores, but we recognize there is
progress being made, but we have a long way to go to get where
we should be.
The new administration must prioritize IT management and
cybersecurity. As seen in the OPM breach, the consequences to
allowing our government to remain in the horse-and-buggy days
of technology implementation can be disastrous. This is not a
partisan issue. This is a security issue. We must come
together, not as Republicans or as Democrats, but as Americans
to solve this pressing challenge.
As I said in May when the committee released the Scorecard
2.0, the intent of grading agencies is not to shame agencies
but to provide an objective measurement of progress and
challenges so that we can facilitate the continued
implementation of FITARA. The grades improve overall from the
first scorecard to the second, and I'm pleased to see continued
improvement in the grades from the second scorecard to the one
released today.
The committee has made two key adjustments to the
scorecard. First, as I highlighted in the hearing in May, when
CIOs are reporting--who CIOs are reporting to is important.
This committee intends to ensure the men and women in these CIO
positions are qualified, accountable, and empowered to make
decisions and lead within their agencies.
Consequently, the FITARA Scorecard 3.0 final grades include
a plus if the CIO reports directly to the Secretary or Deputy
Secretary of the agency and a minus if the CIO does not report
to one of those two officials. Neither of the CIOs on today's
panel report directly to the Secretary or Deputy Secretary, and
I look forward to discussing the implications of the reporting
structures at their respective agencies.
Second, the portfolio review metric has been adjusted. For
a Scorecard 3.0, each agency's total portfolio stat savings was
divided by its total IT budget for the most recent fiscal
year--most recent 3 fiscal years, and then, as with the risk
assessment transparency grades, the resulting ratio was ranked
in the five agencies with the highest savings ratio received an
A, the next B, et cetera.
This tiered system is more accurate than the system used in
the first two scorecards, which benchmarked all agencies to one
outlier agency. Moving forward, the committee will continue to
evolve and adjust the scorecard as appropriate and, in doing
so, will help ensure successful implementation of FITARA.
I urge all agency CIOs to reach out to the committee staff
if you have questions or concerns about the scorecard generally
or about any aspect of their agency's grade, because remember,
this is all information you all have reported to us.
I thank the witnesses for being here today and for their
service to the Nation, and I look forward to the questions.
Thank you, Mr. Vice Chair, and I'll turn it over to you.
Mr. Walberg. Thank you, Mr. Chairman, and at your good
graces, I will now recognize myself for my 5 minutes of
questioning.
I would add, as what was just stated, that these hearings
are meant to be a partnership and support and encouragement,
and I think seeing some of the grades of those that have been
before us, we've seen some of that take place, and we want to
continue that.
And so I have an opportunity here today, as I begin my
questioning, talking concerning specifically to each of the
agencies, and I'll let you decide which or both that would want
to answer the questions. But I want to look at both DHS on data
centers received a grade of A, and State received an F. So we
have a complete spectrum there. So be interested to hear your
answers.
First of all, going to DHS, how many data centers does DHS
currently have?
Mr. McCormack. DHS, we have approximately 102.
Mr. Walberg. 102 data centers.
State, how many centers do you have?
Mr. Wiggins. We have 366 nontiered and 19 tiered, so about
380-some-odd.
Mr. Walberg. How many centers, DHS, did you close in the
last few years, and I guess respond beyond that, how many more
can we expect you to close by fiscal year 2019?
Mr. McCormack. And I apologize. I should have said we had
102. We have consolidated 40 of 102. I hesitate only because we
are, as I had said in my opening testimony, that we are in the
middle of shifting our model to not only consolidate into our
internal data centers, of which we have two core data centers,
but really shifting that consolidation to the public cloud. And
while we expect that to take a little bit of time, we have done
some--had some success with that already at great savings. We
expect that to ramp up very quickly.
So I would expect us, in 2019, if I had to have sort of
rough estimate, that we would have probably less than 25, maybe
less than a dozen at that point, and what I can't tell you
right now is how many of those are going to end up in our
internal consolidated core data centers versus out into the
cloud.
Mr. Walberg. Okay.
Mr. McCormack. We are still doing that analysis right now.
Mr. Walberg. Okay. But significant movement.
I turn to State, again, how many has State closed in the
last few years and how many more can we reasonably expect to
see close because you have a significant number of centers?
Mr. Wiggins. Thank you for that question. Part of 2012, we
actually closed one. Since 2012, we closed six. We are
targeting an additional four, one tiered and three nontiered,
in coming before 2018. I think this also brings up an
interesting point and one we need to work with OMB and GAO on
very closely because the definition of a ``data center'' or as
is currently presented loops in a lot of our overseas posts,
and it's a challenge for us to look at closing what are
considered data centers at our posts due to our infrastructure.
I think the definition of the ``data center'' needs to be
reviewed, perhaps, in conjunction with OMB and GAO, because,
frankly, what most people consider data center is not what we
have at our embassies overseas. Some of them are actually
communications closets with a single rack of equipment, but
because they have got a UPS in that rack and there's a
generator in the courtyard for that embassy, it falls in the
definition of a ``data center,'' as narrowly defined. So we
need to work on that.
The target that has been given to us is about 220 data
centers to be closed in the next year and a half, which is
going to be an extreme stretch for us. To Congressman
Connolly's point, if you don't mind, I'll just address this as
well. You asked about data center savings. I'm not sure whether
to quote Pogo or Shakespeare, whether the fault is in ourselves
or our stars; or whether we have met the enemy, and it is us.
Mr. Walberg. Maybe both will work.
Mr. Wiggins. Yeah, exactly. We actually had about $35
million in data center closure cost savings, but our scorecard
shows zero, so that's on us. We have failed to report that
properly through the database and through the scorecard, so we
are getting credit for zero, and we should have about 35
million.
OMB had put us down for a target of 17.1, so we have
exceeded that by two times what the target was, but we have not
properly reported it. So when you talk about FITARA
refinements, some of it calls upon the individual agencies as
they report them.
So I do look forward to having continued conversation with
OMB and GAO in exactly how we define a data center, because,
again, I think the other thing the State perhaps doesn't get a
credit for is we provide a shared service for a lot of agencies
overseas. There are a number of agencies that actually ride our
infrastructure, and we provide them service. They have
collapsed their data centers because we provide that over to
them. So we need to continue to refine and review that.
Mr. Connolly. Mr. Chairman, would you yield just for a
second?
Mr. Walberg. Yeah, while I'm chairman, I can yield for just
a second.
Mr. Connolly. Just to your point, I would hope that a
refined scorecard would reflect the data not reported but
recorded here, because the exercise again is to mark progress,
not to dig into you because you were late or something like
that. So I would hope we can incorporate that so the State
Department is credited for the progress it achieved.
Thank you, Mr. Chairman.
Mr. Walberg. I don't want to miss this point, so I want to
go to Mr. Powner. Could you comment on definition of ``data
center'' that was brought up by Mr. Wiggins?
Mr. Powner. Yeah, this gets back to, you know, we have had
many definitions of ``data centers.'' We started off with one.
When Steve Van Roekel was the CIO, he changed the definition to
include all these small closets. Now we are at a tiered,
nontiered. I think what's really important going forward is we
have these data center consolidation plans required in FITARA,
and I know DHS--Mr. McCormack, I know you are working on yours,
getting it in by the end of December--we are tracking those.
I think what's really important is that these issues and
those plans which go to OMB get resolved through OMB. We can be
part of those discussions to make sure that we're focused on
the right things, and if there are some closets and the whole
bit, we can acknowledge that moving forward. That's fair.
That's fair.
I think what's really important with the hearing here,
Ranking Member Connolly, to your point, is some of this
reporting that was one time to the Appropriation Committees is
now it's OMB, and not all the agencies were taking this serious
enough, and we just need to be consistent and serious so that
we get the right savings so that we can modernize more.
We need to root out these inefficiencies because there's a
lot of modernization that everyone has, and hopefully, we can
reinvest and do the right thing.
Mr. Walberg. Thank you. And my time is expired, and now I
have the privilege to recognize the ranking member as well as
the gentlelady who has the privilege of representing my
hometown, Ms. Kelly.
Ms. Kelly. Thank you. One of the things we've learned is
the importance of grading whether or not an agency CIO reports
directly to the Secretary or the Deputy Secretary of the
agency. Mr. Powner, in your assessment, why is it important to
the success of an agency's overall FITARA implementation plan
that there be a direct reporting relationship between the CIO
and the head of an agency?
Mr. Powner. So I think the higher up you report, the
better. Typically, that's associated with more authorities.
Now, can it work if you don't? Absolutely it can, but we've
seen plenty of situations in DHS--not going to revisit history
here--where that reporting arrangement wasn't great for the CIO
and the CIO wasn't really backed--not with the current folks.
But I think what's important is if you look at the FITARA
implementation plans that get reports, self-assessments by the
agencies, the self-assessments are higher for those CIOs that
report to the DepSec or higher. So CIOs are telling us that
their authorities are stronger the higher they report.
Ms. Kelly. And how did you go about evaluating whether each
of the agencies that were scored had a direct reporting
relationship between their CIO and Secretary or Deputy
Secretary?
Mr. Powner. We have ongoing work for this committee that
we're looking at CIO authorities, which include the reporting
structures, and honestly, a lot of this comes right off of the
agencies' and departments' Web sites, but we confirmed a lot of
that through our ongoing work that we're performing for this
committee.
Ms. Kelly. Thank you. In my opening I talked about there
were agencies that improved their letter grade. For example,
the current scorecard shows significant improvement from NASA
that went from an F to a C-plus. Since GAO first began working
with our subcommittee on a scorecard for monitoring agency
progress in FITARA, have you seen a steady improvement in the
overall grades?
Mr. Powner. I think there's some agencies that have had
excellent improvement. NASA, that was highlighted, not only did
Renee Wynn make remarkable improvements in the data center
area, on software licensing, she's also reporting tens of
millions of dollars in software licensing savings.
So I think having NASA up here at your last hearing
resulted in great improvements. Clearly, there are some
agencies that are in that D range that we need to get more
progress on. And to comment on the F, you know, Richard
McKinney at DOT is one of the best CIOs we have, but he has a
situation there at the Department of Transportation that's very
difficult that he inherited, but it's not from his efforts. And
even though he has an F, he deserves a lot of credit for what
he's done. I know he's been in front of this committee.
Ms. Kelly. And out of the four areas, which area has been
one that you've seen more improvement than others?
Mr. Powner. I think clearly data center consolidation has
been on a nice track with reported savings, and then clearly,
too, I think the adjustment that Chairman Hurd mentioned on the
portfolios that were--tiered it--that was an appropriate
adjustment. It was more fair to the agencies, and I think
that's part of the reason why you see an increase in a lot of
the grades too is because of the portfolio stat grades creeped
up.
Ms. Kelly. Thank you.
Mr. McCormack, DHS was among the agencies whose overall
score improved, going from C to B-minus. Can you briefly
explain what were the steps DHS has taken to improve its
success?
Mr. McCormack. It was in a portfolio review. We went up
significantly there. We spent a lot of attention on that,
worked very closely with GAO to make sure that we were doing
that correctly and thoroughly, and I think that's where we made
most of our strides in this particular round.
Ms. Kelly. And while we've seen agencies that have
improved, we have seen agencies that haven't or have stayed the
same.
Mr. Wiggins, can you explain what challenges the State
Department has been facing when it comes to FITARA
implementation that would account for its overall score
remaining so low?
Mr. Wiggins. Yes. Thank you for the question. I think, as I
outlined earlier, I think part of the challenge is, when we
don't do our own reporting properly, then we get a failing
grade in certain areas. But in other areas, there has been a
tendency on our part to perhaps get into analysis paralysis.
For example, when it comes to enterprise license agreement, we
have about $47 million in software savings we've already
realized, and there's another 43 that we're expecting to
realize, but we did not report it because we could not confirm
it 100 percent, so that's something we have to improve.
The other thing is when you look at incremental
development, for example, we did not have a mandatory use of
incremental development as part of our project management plan.
Since I have come into this office 5 months ago, I have made
that mandatory.
In addition, we did not have an office that focused on
workforce. We did have an IT strategic plan. We did not have a
cybersecurity strategy. We did not have a cybersecurity
tracker. All those things have been put in place since I've
assumed the role. So we have a lot of work to do to catch up. I
have set a stretch goal for my staff to get us to a B this
year, and I'll say on the record that I will accept a C, but I
would like to get us to a B. And I think we have a number of
processes in place to get us there. We just have to knuckle
down and do it.
We have an excellent partnership with our colleagues in the
old office of bureau--excuse me, Bureau of Budget and Planning,
as well as our other peers, like the chief of human resources
officer. We have to leverage those and kind of land the planes.
We've got a lot of very good planes in place. As Mr. Powner
mentioned, we've already undertaken our workforce review. Our
report was given to us in November. We are now going through
that. So there are a lot of things that have taken place in the
last few months. We just have to get those things and drill
into them.
Ms. Kelly. And in what ways can Congress help you with the
implementation?
Mr. Wiggins. Time. You know, the one thing that no one has
enough of. I think, in relation to your question earlier,
Congresswoman Kelly, I--again, this is coming from the new kid
on the block who got a D-minus, so, of course, this is going to
be a self-serving comment, but when you look at the CIO
authorities, I think, if I could offer a chance of refinement,
I think it's not so much what box reports to what box but what
you actually do with that opportunity.
So, for example, I don't report directly to the Deputy
Secretary or the Secretary of State, but I meet with the
Secretary four times a week, I meet with the Deputy Secretary
eight times a month. I have a direct tasking from her on
cybersecurity. I have a direct tasking from her on knowledge
management. An outcome from that was our overall cybersecurity
strategy, which we never had before, and the creation of a risk
officer for the first time ever in the Department.
So I would almost say quality of engagement, and even
quantity is one measure, obviously, but quantity and quality of
engagement is a little bit more nuanced than just a plus or a
minus. And, again, this is coming from a guy who got a minus,
so take that with a grain of salt.
Ms. Kelly. Thank you, and I yield back.
Mr. Hurd. [Presiding.] I'd now like to recognize the
distinguished gentleman from the great State of Texas, Mr.
Farenthold, for your questions.
Mr. Farenthold. Thank you, Mr. Chairman.
And I have some questions, but I want to start off with Mr.
Powner.
You mentioned in your testimony that there were billions of
dollars in low-hanging fruit of technology fixes we could do. I
don't want to let that remark just slide by. You want to share
a couple of pieces of low-hanging fruit? Anything we can do to
help the budget is a win.
Mr. Powner. I think the number one area for cost savings--
and it always has been the number one area--is data center
consolidation. We have $5 billion on the table, and honestly,
if you look at the optimization metrics at some of these
agencies, I think that $5 billion could be higher. That's the
biggest bucket. When you look at your scorecard here, we need
to keep the pressure on savings. The metrics are fine. We can
weave that in down the road, but there's a lot of money to be
saved.
Mr. Farenthold. Anything else?
Mr. Powner. That's number one. Portfolio stats, some
duplicative spending, I could sit here and tell you stories of
agencies that still have component bureaus that refuse to go to
emails of service, even though it's can cheaper than their
current email. There's some low-hanging fruit there that we
could still fix with duplicative wasteful spending at agencies,
in the portfolio stat area.
Mr. Farenthold. All right. So, while your microphone is on,
and I'm going to address this to anybody else who wants to
answer it as well. What are we not measuring in FITARA that we
need to be measuring?
Mr. Powner. I think the people measurement is very, very
important. Clearly, these are four areas in the law--these are
four areas to save money, incremental development. No one is
going to argue that going small isn't the right thing, so you
need to continue to measure these areas. But if you look at the
people part of it, the CIO authorities, to be given the right
authorities with support from the top, that continues--should
be the focus of this committee. But, also, if you have support
from the top and a strong CIO but you have a workforce that has
a lot of holes in it, you're going to have a tough time.
So I think that people part at the top--and we just issued
a report that showed these gap assessments on IT skills, which
includes the cyber workforce. Agencies have big gaps that we
need to address more comprehensively.
Mr. Farenthold. I'll get to people in a second. Does
anybody else want to add a missing?
Okay. So let's go into people. You talked specifically
within the cyber. I want to talk with the workforce in general.
You can get the best technology in the world, but when you have
somebody who's used to doing things on a Windows XP or a, you
know, out-of-date BlackBerry or whatever, how are we addressing
the people issues and training? Do we have an adequate way to
look at that, and is that something we need to be focusing more
on?
I'll start with Mr. Wiggins. You're smiling over there, and
I know we've had some unrelated testimony in this committee on
something completely different about State Department
technology.
Mr. Wiggins. Thank you for the question. I am chafing at
the bit. As a former dean of our School of Applied Information
Technology at FSI and a former instructor, I'm a big believer
in the power of people. And if you allow me to wax
philosophically, I'm a guy who started as a GS-7 who worked my
way up to where I am. I paid my dues up full on the way, and
the only way I got there is to be a lifelong learner. Our gap
analysis is demonstrating that we--the Department of State has
significant needs in the areas of skills, specifically with
cyber, and since plagiarism is the sincerest form of flattery,
we're going after DHS' model of enhanced skills incentive pay.
Skills incentive pay actually started with the Department
of State when I was the dean, and now DHS has expanded on that
for cyber skills incentive pay to try and capture and retain the
best talent out there, and we want to do the same thing.
The other thing I think is important, it's not just the
technologists who are behind the equipment; it's the users.
It's the customers, and I always tell my folks we're a
customer-service organization. If we're not giving training to
our customers, we might as well be handing them bricks. And
this also gets in the cyber realm because, as I think everybody
knows, our biggest threat is--well, there is an insider threat
to a certain degree, obviously, but it's when our customers
click on that spear phishing link or click on the ransomware
that we've experienced our greatest problems, and so it's that
education of the total workforce, not just the IT workforce,
that's very important.
In fact, we are getting ready to deploy this month--I won't
give the technology, because I don't want it leveraged against us,
but an artificial intelligence learning tool to combat spear
phishing in particular, because we've been vulnerable to both
spear phishing and ransomware. So I take it to heart that the
technology training, both for the workforce and for the IT
workforce, larger workforce, is vital to us.
Mr. Farenthold. One more question as I'm running out of
time. Mr. Wiggins, I'll hit you with it, too. The State
Department is the only one that basically dropped in grade with
your minus. Is there anything unique about the State Department
that makes your challenges different from another agency?
Mr. Wiggins. Thank you for the question. I would say, as I
alluded to earlier, it's kind of our overseas posture and the
necessity of providing a shared service to all those missions I
discussed. It's also the fact that we had a complete turnover
in our senior management. It's not just me. It's every other
deputy chief information officer has been changed out in the
last 4 months with one exception. So we've got an entirely new
group that's looking at this. And so we're taking--it's an
opportunity to take a fresh look at everything, but it's also a
challenge to get us geared up and going forward, so that's
when----
Mr. Farenthold. Your staff are professional employees.
They're not political.
Mr. Wiggins. That's correct. And every one of my members,
including myself, we're professional members. We worked our way
up through the ranks.
Mr. Farenthold. Thank you, Mr. Chairman. I see my time is
expired.
Mr. Hurd. I'd like to now recognize my friend from the
Commonwealth of Virginia and the original cosponsor of the
Connolly-Issa bill, also known as FITARA, Mr. Connolly, for his
5 minutes of questioning.
Mr. Connolly. Thank you, Mr. Chairman. Thank you for your
generosity there.
Just a parenthetical note, Mr. Wiggins, Mr. Pitkin,
compliance with FITARA and reporting under FITARA is not a
voluntary activity. I was on the floor yesterday passing a
truncated State Department authorization bill. Included in that
bill is my amendment requiring the State Department to comply
fully with the terms of FITARA.
So we are not going away, and we'll use--I happen to be on
that committee too. So one way or another, the State Department
is going to have to come to grips with reality here. Every
agency can claim, to Mr. Farenthold's question--I think it was
Mr. Farenthold--every agency is unique. Every agency has unique
missions, and you're no different than anybody else in that
regard.
Technology--the management of IT is potentially--and, Mr.
Wiggins, your testimony was welcomed, a welcome addition from
State Department--a transformative force for changing how we do
business, how we can improve efficiency and performance and
productivity, and do a better job of providing service to our
clients and our customers, as Mr. Wiggins indicates.
So it needs to be looked at in that way. I am concerned,
Mr. Wiggins, that your testimony about who you report to,
because, as Mr. Powner, we know this from our own experience,
and you mentioned DOT: It's got to come from the top. It's got
to have--that person, whoever is the Secretary of the agency,
has got to understand the transformative nature of IT, and oh,
by the way, the other side: What could go wrong if this goes
bad?
And I don't know how often we have to learn that in the
form of Web site collapses or cyber attacks that are
successful. But, you know, this is not something tangential to
the mission. It's actually integral to the mission. And I can
see you want to comment, Mr. Wiggins. I welcome your comment.
Mr. Wiggins. Thank you, Congressman Connolly, and can you
hear me? I'm sorry. First off, I wholeheartedly agree with your
evaluation of the transformative nature of IT. I like to say
that IT is a tool. It's a very powerful and expensive tool, but
that's just it; it's a tool. And that gets back to the whole
education piece of, if we're going to put those tools out
there, we have to make sure that people have the background to
leverage them.
On taking FITARA seriously and being passionate about it, I
can tell you that my concerns about our FITARA implementation
are such that I've identified five full-time employee positions
I'm conferring over from programmatic status to support FITARA
specifically so we can move forward on getting from a D to a
higher grade. Because whether it's the evaluation of
incremental development or any of the other budgetary pieces or
programmatic pieces, we have to focus on it, and I think by
putting additional FTEs against this, it will definitely help.
As far as the reporting structure, thank you for your
comments. As I said, I meet on a regular basis with the Deputy
Secretary. She is directly involved in a lot of the activities,
and it's almost a dotted line between me and her office--excuse
me--me and my office, excuse me. But the other nuance, if you
will, is that working with my other Assistant Secretaries, such
as Mr. Pitkin--you heard a lot about collaboration in my
testimony. That's kind of how I like to operate. I like to work
among peers. I don't like to work by fiat necessarily. I feel
I'm very effective in working collaboratively with my peers. In
having that dash line to the DepSec gives me that authority.
When I walk in and say, ``The DepSec has identified that we
have to do this,'' I get a lot of responses. So your point is
well-taken, though, and I will continue to review that.
In fact, there was an Office of the Inspector General
report recommending it. In reviewing it, both the Deputy
Secretary and Under Secretary concurred that the CIO position
should remain where it is, at least for the time being.
Mr. Connolly. Yeah. We want to elevate your position. We
didn't--in writing the legislation, we weren't overly
prescriptive. We were hoping that the situation--I mean, the
hierarchy would evolve to a more rational hierarchy. We have
250 people named CIO in 24 agencies. There is no private
corporation, no matter how big, that would have anything like
that.
In fact, it's one of my favorite hobbies to ask a CEO of a
major corporation, Fortune 500, ``How many CIOs have you got,''
you know, and I do it with a straight face. And they always
look at me quizzically, like, ``Well, one.'' And I go: ``Well,
let me tell you what we've got in the Federal Government.''
So we didn't do that, but we do expect that there is a
primus inter pares, somebody emerges as the chief CIO, and that
that person has the backing of the head of the agency, the head
of the agency, not 16 rungs down or 3 rungs, and the
alternative is we get prescriptive.
I mentioned in the beginning in my opening statement, the
four of us are not going away. We have been shepherding this,
and we are quite capable of writing bipartisan legislation. We
would prefer not to do that, but we've got to have cooperation
from the very top. And Mr. Powner mentioned a couple that,
``Well, we don't have it,'' and I don't know if you want to
comment on this, Mr. Powner, because my time is up, but on this
whole issue of CIO authority and how well or poorly it's
evolving.
Mr. Powner. Yeah, I think clearly reporting higher helps. I
think a key question we look, whether you have CIO authority or
not, is, are you in a position that you could halt or terminate
a troubled project? We have too many troubled projects, and we
continue to throw money at bad projects. And when CIOs attempt
to interject themselves, if they can interject appropriately
and halt, manage risk, do the right thing, then you have
authority. We don't have that across the board, and having
support from the top does help you do that.
Mr. Hurd. I would like to now recognize Mr. Blum for 5
minutes of questioning.
Mr. Blum. Thank you, Chairman Hurd. From the great State of
Iowa, I think you omitted that.
Welcome to the panelists today. I think it was a couple of
weeks ago, in our IT Subcommittee hearing, we had the Social
Security Administration sitting in your seats. In my
questioning of them, we stumbled upon the fact that, in 2006,
they undertook a massive IT project that lasted 7 years to
around 2013, 2014. And the end result was it was scrapped.
So I asked how much was spent. The answer was $340 million
was wasted on that IT project in the Social Security
Administration. I posted that in social media, and I can't
repeat some of the comments that I have received from the
people in the First District of Iowa about wasting $340 million
of the taxpayers' money.
The largest city in my district, Cedar Rapids, Iowa,
they've had two 500-year floods in the last 8 years. They need
$85 million for a flood wall. We wasted four times that, four
flood walls, in the Social Security Administration on a
scrapped IT project.
To add insult to injury, I asked, was the vendor paid,
Lockheed Martin? They were paid. I asked, was the CEO
terminated? He was reassigned, of course, of course.
So incremental software development makes a tremendous
amount of sense to me. And this question is for Mr. Powner and
Mr. McCormack and Mr. Wiggins. Is incremental software
development, A, is it working, and B, what are the challenges
to implementing it? Mr. Powner first.
Mr. Powner. I think clearly when you look at the historical
nature of incremental development--we did a report a few years
ago on successful IT acquisitions. There were seven that
agencies pointed to that were a success story deployed within--
somewhere within cost and schedule. Users liked this system.
Every one of them was an increment of a larger development
effort.
So I think when you look at incremental development,
there's no argument that's the right way to go. Agile
development incremental, we need to continue to go down that
path. I think we need to look real hard about funding projects
that you can't deliver something within that budget year. OMB
has a 6-month requirement on incremental development, but if
you can't deliver something within the budget year, we ought to
think real hard about whether we ought to be throwing money at
it.
Mr. Blum. Mr. McCormack.
Mr. McCormack. Thank you for the question. If I could
rewind--and indulge me for just a moment on the reporting
relationship situation. I've been a CIO of an operating
component. I've been a CIO at Department of Justice and now the
CIO at the Department of Homeland Security and the vice chair
of the executive council, and I will tell you the number one
thing, in my opinion, that makes this successful is what I call
goal congruence and a governance structure at the Department.
Mr. Connolly. Did you say--I'm sorry, I couldn't hear what
you just said.
Mr. McCormack. Goal congruence--and I'll explain that in a
minute--and a governance structure. Every CxO in the Department
of Homeland Security has the authority to sort of throw the
flag in and say, ``I've got a problem with that project,'' and
when I say ``CxO,'' I'm talking about the chief procurement
officer, the chief of human capital officer, certainly myself.
All of us together as sort of a board of directors have that
authority.
In regards to the agile development, and this is where the
goal congruence comes into play. It works, right. It's a
private sector best practice. If you go out and look at any
advanced private sector company that uses IT as a strategic
weapon, I'll call it, they are all developing in this kind of a
process. But you cannot do that unless you have the right
skills, which means you need your CHCOs to help you hire those
folks. You cannot do that unless you have the right
procurements in place.
Right, I talked about FLASH and ECS, which is our cloud-
based technology services and our agile software development
capability. Right, that's our chief procurement officer. If
they're not completely aligned with your movement, so to speak,
none of this happens. And so all those folks typically report
into--a lot of times it's not the Deputy Secretary. It's the
Under Secretary of Management, and that's what's really
important.
So if you're going to sort of move the ball forward on
whether it's security with FISMA, whether it's your digital
transformation effort, whether it's FITARA, you need to make
sure that the folks that are reporting to that individual are
on board, and particularly that person is on board. I think
that----
Mr. Blum. Are there documents signed off to make sure
those----
Mr. McCormack. Sorry?
Mr. Blum. Are there documents that are physically signed
off on to make sure the physical parties you just mentioned are
on board so that goals are congruent?
Mr. McCormack. Absolutely. We have----
Mr. Blum. In the private sector, we sign off on----
Mr. McCormack. --elements in their performance plans in
regards to the governance process. Every single gate review
gets certified and codified in writing and cannot go through
that process and has to be approved by every one of those
members in our acquisition review board going forward. That's
that governance structure I was talking about. Every one of the
CxOs are sort of board of directors of that governance
structure. It's run by, in this particular case, the Under
Secretary of Management.
But I think it's--I just wanted to point that out that I
think it's very important. While you can have the CIO report to
the Deputy Secretary, which is important and could be powerful,
if they're not associated to the individual that you're
reporting to, then you're still in negotiation, right, you're
constantly negotiating.
If that individual is on board and that individual says,
``Hey, we're going to move,'' then we're going to move, right,
and so that's just something that I would think this group
ought to think about and consider.
Mr. Blum. Mr. Chairman, can Mr. Wiggins answer my question?
Mr. Hurd. [Nonverbal response.]
Mr. Blum. Thank you. Mr. Wiggins.
Mr. Wiggins. Thank you for the time to answer. I just want
to echo both Mr. McCormack's comments and also Mr. Powner's in
getting to an earlier point. As the only CIO at the Department
of State, I have the ability, as the authorizing official, to
approve IT projects and kill IT projects. We have a governance
structure in place that's pretty comprehensive. We have an E-
Gov Program Board that meets on a quarterly basis, and then
you've got an E-Gov Advisory Board that meets on a monthly
basis. We also have a new cloud computing governance board that
started in May to review ongoing cloud efforts.
The governance structure is extremely important, and as I
mentioned earlier, when I was responding to Congressman
Connolly, excuse me, we've now added that incremental
development into the baseline change request for all IT
projects going forward. We also have something called Managing
State Projects for IT, MSPIT, that has control gates, and
there's a review process. Not only do you have to have a
sponsor for your project, but it goes through a regular control
gate, and agile development is a part of that.
There are two challenges I see with agile development.
Number one, the user interface and the user experience has to
be built into it. So we have what are called UX expertise that
we've gotten from U.S. Digital Services to help in that whole
usability phase of it and also for that agile loopback.
And the other thing I would say that is a challenge is that
when you, in our case, we use a firm-fixed-price contract, and
when you start to look at agile, oftentimes when you say to a
developer, who is oftentimes a contractor, ``Okay, I now want
you to go in a different direction,'' and they say, ``Fine,
that's a surge, and that's going to cost you X amount of money
in addition.'' So I think the contracting aspect of it too,
when you have a number of non-FTE who are doing contracting
development--or, excuse me, programming development is another
key component and a challenge. But absolutely, agility, agile
workforce--agile development is a key component. Thank you.
[3:19 p.m.]
Mr. Blum. I yield back the time I don't have, and thank you
for your indulgence, Mr. Chairman.
Mr. Hurd. I would like to thank the gentleman for his
insightful questions.
Now I would like to recognize the distinguished gentleman
from America's Dairyland, Mr. Grothman, for 5 minutes of
questions.
Mr. Grothman. Very good. I hate to pick on Mr. McCormack
again, but I guess you're it. How many positions at DHS have
the title of CIO?
Mr. McCormack. Fifteen, including myself.
Mr. Grothman. Okay. And what is your relationship between
you and the others, daily or weekly or monthly or whatever?
Mr. McCormack. Depending on the CIO, it could be daily.
It's certainly weekly and monthly. We have regularly scheduled
CIO Council meetings. I have a dotted-line reporting
relationship. They all do. I have input into their performance
plans and I have the ultimate selection authority of all CIOs.
Mr. Grothman. So you supervise the other 14.
Mr. McCormack. Sure.
Mr. Grothman. And every part of DHS has a CIO assigned to
it?
Mr. McCormack. They do.
Mr. Grothman. Okay. Do you provide input on their
performance reviews?
Mr. McCormack. I do.
Mr. Grothman. Okay. Is there a lot of turnover in these
jobs? First of all, I should ask, how long have you had your
current position?
Mr. McCormack. This will be my third year.
Mr. Grothman. Okay. And you came, what was your position
before this?
Mr. McCormack. I was the CIO at the Department of Justice.
Mr. Grothman. Okay. A lot of turnover in these positions or
no?
Mr. McCormack. I'm sorry?
Mr. Grothman. Is there a lot of turnover in these
positions?
Mr. McCormack. I would say the average tenure is probably
3-plus years. There are some that have been there more than
that, maybe as long as 5. But it's fairly stable. That's one of
the things I spend a lot of time on, is making sure that we
have a good what I call leadership pipeline, including the
deputy CIOs, which I pay attention to quite a bit as well.
I am happy to say that we have very little vacancies right
now across our community. And we spend a lot of time paying
attention to that because that's just, I think, one of the
leadership responsibilities that we have, is to make sure that
we're filling that pipeline, paying attention to it, and
developing the future leaders.
Mr. Grothman. Okay. About what percentage of your budget is
spent on the cloud? Kind of switching gears.
Mr. McCormack. On the cloud it's about 4 percent right now.
Mr. Grothman. Okay. Has that increased over time?
Mr. McCormack. Yes. And that will increase significantly
with the implementation--we have been doing a lot of pilots,
which are really more than pilots, over the last year. I had
some significant successes there. We just recently awarded this
cloud contract, and we expect that to ramp up very quickly.
Mr. Grothman. Do you feel overall that'll decrease the
amount of money that's spent on information technology from the
government?
Mr. McCormack. Absolutely. Again, I hesitate only from the
standpoint is there is a lot of pent-up demand for capability
in the Federal Government. So right now all of us are making
choices based on different types of technology and different
costs associated to that.
What we have found through our cloud pilots is that we're
able to deliver capability, incrementally, at a fraction of the
cost and a fraction of the price.
Mr. Grothman. Okay.
Mr. McCormack. So it's been very interesting to see the
emerging technology and our ability to adopt it quickly and
deliver at a short amount of timeframe.
Mr. Grothman. Do you believe that means, in the end, less
personnel?
Mr. McCormack. I wouldn't say less personnel. I would say
different personnel, in many cases, again, simply because the
demand signal is very high in regards to the capabilities that
the operators need and want.
Mr. Grothman. Can you give me any specific example in which
as you put more and more into the cloud, any one of your
subgroups or whatever, that you have seen a savings? Just an
anecdotal piece of evidence that you can give this committee to
say this is how we can save money?
Mr. McCormack. Yeah. I mean, even with our traditional data
center delivery models that we would use compared to some of
the cloud-based delivery models, the cost is much less than the
cloud.
I will tell you in our open market strategy we've
reconstructed the contracts that we were using in our private
cloud data centers, which allowed the current vendors in those
data centers to sharpen their pencils because we have
requirements and needs at times to use a private cloud versus a
public cloud. But what we were trying to do is get the costs to
balance out. So we have been able to do that fairly
aggressively by reconstructing that.
I will tell you, by the way, this is why the partnership is
very important. That takes an extensive amount of work on our
staff to figure out how to do that and on our procurement
organization to put those contracts together. So that
partnership that I was talking about earlier, to hiring those
types of people that can do those types of negotiations, to
work with our procurement community, to work through those
capabilities, is very significant.
Mr. Grothman. Okay. I see my time is up. So thank you for
giving me my 5 minutes.
Mr. Hurd. Thank you, sir.
I would like to recognize myself now.
Mr. Pitkin, what's the IT budget for the State Department?
Mr. Pitkin. Sir, approximately $1.9 billion.
Mr. Hurd. $1.9 billion. How much of that does Mr. Wiggins
have responsibility over?
Mr. Pitkin. Approximately 50 percent.
Mr. Hurd. Fifty? Five-zero?
Mr. Pitkin. Five-zero.
Mr. Hurd. And what's the reason for not having
responsibility over the other 50 percent?
Mr. Pitkin. Another 25 percent is under the control or
falls under the Bureau of Consular Affairs. It's essentially
our visa and passport system. So they essentially have a very
large both a legacy system as well as systems they're
developing to modernize our visa passport systems. And the
other 25 percent is distributed among other bureaus. About 5
percent with our comptroller for payroll and the financial
system 5 percent.
Mr. Hurd. So does the Consular Bureau have a CIO? Who is
responsible for the implementation of their digital
infrastructure?
Mr. Pitkin. They have an information office, but it falls
within the overall authorities of the CIO. So they have their
own personnel, their own IT infrastructure but they report----
Mr. Hurd. Who has the ability to halt or terminate a
troubled project within the Consular Bureau?
Mr. Pitkin. Certainly the assistant secretary for consular
affairs would, as well as her management team, primarily the
deputy or her----
Mr. Hurd. Do you?
Mr. Pitkin. On my own authority I would not. Certainly I
can control the spigot of funds, but I would not make a
unilateral decision to halt funding for a project without
consultation with the CIO. So with the CIO I could make that
determination, but of course I would defer to Frontis'
expertise and whether it was truly a troubled project.
Mr. Hurd. Thanks for the perspective. That's why one of the
reasons that we asked the deputies of your two agencies to sit
and visit with us as well, to have this broader conversation.
And in future hearings we are going to be doing that.
Mr. Wiggins, the visa and passport system, is this the same
as the Consular Systems Modernization program?
Mr. Wiggins. I believe you are referring, yes, to Consular
One and the overall consular IT system, yes.
Mr. Hurd. And you've assigned--you've actually assigned a
medium risk rating for this IT investment. Is that right?
Mr. Wiggins. That's correct.
Mr. Hurd. And yet you have no budgetary control over this?
Mr. Wiggins. I would say I have budgetary collaboration on
it. We sit in on the Bureau of Consular Affairs budget review,
along with Mr. Pitkin, and I meet on a monthly basis with the
assistant secretary from Consular Affairs. Their principal
deputy assistant secretary also meets with my principal deputy
assistant secretary to review the investments and the overall
projects within IT. And I would say that that was recently--it
was at a 2 and it was upgraded to a 3.
Mr. Hurd. So about $50 million has roughly been put into
this project. Is that correct?
Mr. Wiggins. That's correct.
Mr. Hurd. Is there something working?
Mr. Wiggins. Yes. I believe that they overhauled part of
the combined consular database. And I know that there is a DVIS
system--I can't remember exactly what the acronym stands for--
but that's targeted to be replaced starting this year.
Mr. Hurd. And the additional $118 million that is going to
be spent this year, what is that going to get us?
Mr. Wiggins. Honestly, I do not know. I'd have to take that
back and get back to you.
Mr. Hurd. Good copy. Please do. I'd be interested in having
an insight on that.
Are you responsible for all the licensing?
Mr. Wiggins. Enterprise license agreements? Yes, sir, I am.
Mr. Hurd. You have software and operating systems that
stopped being supported back in 2010, and these are fairly well
known operating systems. Is it not included in your budget or
in the contract with those entities to upgrade those systems?
Mr. Wiggins. Yes. In fact we have a Global IT Modernization
office, which is referred to as GITM, that is responsible for
the overall upgrade of our systems. We are in the process of
upgrading our systems worldwide right now to BladeSystems. It's
called an enterprise converged platform. We are averaging about
five offices a month and five posts a month. We hope to get to
10 a month.
On the enterprise license agreement, we currently have five
ELAs or BPAs. They are with Microsoft, Oracle, VMware, Citrix,
and Adobe. We have realized about $47 million in savings so far
in the ELA for that and we anticipate another $43 million. And
in addition we do partner with the other bureaus through our
capital investment process to look at----
Mr. Hurd. So is the plan to upgrade all the systems, all
the operating systems?
Mr. Wiggins. Absolutely.
Mr. Hurd. And when is that going to happen?
Mr. Wiggins. I'd have to do my math very quickly, but if
not this fiscal year, by the next fiscal year.
Mr. Hurd. And that includes the Bureau of Consular Affairs?
Mr. Wiggins. That's correct.
Mr. Hurd. Gotcha.
Mr. Fulghum, what is the IT budget for the DHS?
Mr. Fulghum. Six billion.
Mr. Hurd. And how much does Mr. McCormack have?
Mr. Fulghum. He has oversight of all 6 billion during the
programming phase. You know, we execute budgets decentralized,
but he has gates throughout that process where he can exercise
oversight.
Mr. Hurd. Does he have the ability to terminate or halt a
troubled project?
Mr. Fulghum. So the chief acquisition officer in the
Department is the one who will halt a program. No program,
however, will move forward without his concurrence. So in
essence he does have veto power.
Mr. Hurd. Mr. McCormack, how often do you meet with the
Secretary or the deputy secretary?
Mr. McCormack. It depends on the subject. I would say, you
know, maybe once a month. A lot of times that's on
cybersecurity-related issues.
Mr. Hurd. How do I put this question? I don't want to get
anybody in trouble. That seems a little low. How about I just
make a statement. That seems a bit low.
And, ultimately, I do believe one of the most important
things that FITARA is giving us is to strengthen the CIO's
authorities. And the goal of our two committees is to make sure
you have all the tools you need so that we can ultimately hold
you and your other 14 CIOs in your Department accountable.
And that is why we stress this reporting, something as
simple as how many times do you report and who do you talk to,
because it's not an industry standard to have the CIO and the
CISO not report directly to someone within the C suites.
I am going to yield to Mr. Blum for a question.
Mr. Blum. Thank you, Chairman Hurd.
I just have one quick question. According to our report
here it says the following: ``FITARA requires OMB and agency
CIOs to annually review the IT investments of an agency to,
among other things, identify potential duplication and waste
and identify cost savings.''
So I will start with our two CIOs here, Mr. McCormack and
Mr. Wiggins. My questions are, first of all, have you done
exactly that every year? Secondly, is it in a report that I can
read? And thirdly, are the recommendations, assuming you did
it, being acted upon?
Mr. Wiggins, start with you.
Mr. Wiggins. Thank you for the question.
In the 5 months I have been in office, no, I have not. But
I will go back and check. I do know that since I became an
acting CIO I have been meeting on a regular basis with Tony
Scott. We have a regular meeting, the CIO Council, talking
about FITARA and implementation. I do not know factually if
that report has been reviewed by OMB. I will take that back and
review it.
Mr. Blum. But you are aware of the requirement?
Mr. Wiggins. Oh, absolutely, yes.
Mr. Blum. Duplication, waste, cost savings, very, very
important.
Mr. Wiggins. I agree. I know that. I have been doing that
internally through our CCGB process and our various governance
processes. I am assuming that we are reporting that to OMB, but
I have to make sure that we actually have done so.
Mr. Blum. Mr. McCormack?
Mr. McCormack. Yes, we have done that analysis. We have
pulled that information together, done that analysis, and we do
report on that.
Mr. Blum. Are there savings? Are there duplication? Is
there waste? Is it substantial?
Mr. McCormack. I am sorry?
Mr. Blum. That number, what you have come up with in that
report, is it a substantial dollar amount of duplication,
waste, and cost savings?
Mr. McCormack. It was substantial. It's less substantial
now because we have done a lot of work to wring those cost
savings out, right? So we talked about the 40 data centers that
we have consolidated. And that's where a lot of our cost
savings came from. While we have, you know, there are 60 to go,
we are not going to get the same kind of savings opportunities
there simply because there is just not that much--as much
savings in there because of the nature of the types of data
centers.
We've put together over a dozen enterprise license
agreements based on this analysis that we had done with the
duplication and the opportunities there. We have wrung out
significant savings in those areas as well. And so while we
continue to do this analysis and go after these opportunities,
obviously over time they become less and less because the low-
hanging fruit has been pursued.
Mr. Blum. Let me ask you a follow-up question to your
answer. What incentives are there for Federal employees to seek
out, to find duplication, waste, cost savings? What incentives
are there? Are there any financial incentives? In the private
sector, where I come from, there is financial incentives
typically. Are there any in the Federal Government? Are there
any in the IT area in DHS?
Mr. McCormack. I would like to hope I am speaking on behalf
of every public servant that everyone wants to do the right
thing. I would say what would incentivize a component CIO,
particularly in the Department of Homeland Security and I think
other areas as well, we did this at DOJ, is what I call the
cut, cost, and reinvest, where if you give them the opportunity
to cut those costs and then reinvest it into these areas that
they need funding in versus just sweep it up and go buy Coast
Guard cutters or helicopters or whatever it is the agency
needs--and of course we make those decisions based on risk and
other things--but if there is an opportunity for them to use
those savings then there is always more incentive to pursue it.
And so that has worked really well for us.
Mr. Blum. But there is no personal financial incentive.
Mr. McCormack. There is no personal financial incentive for
it other than internal goodness to stretch the taxpayer's
dollar.
Mr. Blum. Would an idea to have personal financial
incentives, would that have some merit, do you think? Is there
a place for that in government?
Mr. McCormack. I would say personally no. That's not why
civil servants become Federal employees, right? I would say no.
Mr. Blum. What would you say to that, Mr. Wiggins? The same
question.
Mr. Wiggins. Yeah, first of all, it has been confirmed by
somebody smarter than me that we do report our cost savings to
OMB, and it is on the IT Dashboard. So I can confirm that we
have done that.
I would say we have taken a look at it from a slightly
different perspective. We have an award for IT innovation, it
stands for Sean Smith award. So we promote innovation, and
there is a cash incentive and an award for that.
In addition, we have something called the Thomas Morrison
award, which is for the IT manager of the year, and there is a
cash incentive for that, and that includes both innovation and
improvement in processes.
So we have a couple of ways of getting at it through
innovation. It is not necessarily a cost saving metric, but
oftentimes when we put innovation into place there is a cost
savings realized through that.
Mr. Blum. Just for the record, I come from the private
sector. I think personal financial incentives for employees are
good things, and I think we could use more of it in government.
Do you have a comment on that, Mr. Powner, before I yield
back, at all? I notice you are kind of smiling.
Mr. Powner. I think right now in the government it's not
set up that way.
I do think Mr. McCormack's point on the reinvest is very
important. If I'm at DHS, I want to reinvest money to better
secure the homeland. There's a lot of things we can't get to
that we need to get to and do a much better job to protect this
country. And that would be the incentive, to save money on
inefficiencies and do a better job on the mission side.
Mr. Blum. Thank you.
Thank you, Chairman Hurd. And I yield back.
Mr. Hurd. And, gentlemen, we hear you loud and clear. We
are trying to give you an additional tool to be able to use
that savings you realize. Unfortunately, it's likely to have to
wait until 2017 to pull that trigger.
I would now like to recognize Mr. Connolly again, round
two.
Mr. Connolly. Thank you, Mr. Chairman.
And I would say to my friend from Iowa, we are not entirely
lacking in incentives. Now, Mr. Hurd and I and Ms. Kelly and
others are actually--that's what the MGT Act does writ large in
rewarding agencies by reinvesting the savings. And our silly
system here with CBO is precluding us from doing it, frankly,
by double counting money. It's a very strange, Druidic
methodology, passive understanding. But at any rate we can talk
about that later.
But there are also some personal incentives. There are
rewards. Every agency has its own reward program. There are
bonuses, performance bonuses in Federal service, which they are
not as generous as the private sector. I was in the private
sector too for 20 years. But it's not nonexistent. And maybe we
should take a fresh look at this in terms of incentivizing
Federal employees a little bit more generously. God knows we
haven't been very generous to Federal employees in the last
number of years. But I think it's an idea worthy of merit, and
I thank my colleague from Iowa for bringing it up.
This subject of risk, I think one of the things, Mr.
Powner, we have discovered is it's really hard to get people to
identify high risk. One of the great achievements,
contributions GAO made was by putting IT projects on the high
risk list on your own really, which got the attention up here
and I think in some Federal agencies. But you looked at 95
specific IT projects. In your conclusion, 60 of the 95 were
kind of low balled. They were actually riskier than identified.
Is that correct?
Mr. Powner. That's correct.
Mr. Connolly. And to what do you attribute that?
Mr. Powner. That particular study, we looked at CIOs rated
60 investments as green, and we only agreed with 10 of those.
We thought 50 of the 60 should have been yellow or red. And it
was just based on the agency data.
And our point on that is you need to acknowledge risk to
effectively manage it. So that's why the dashboard, it's too
green right now. By nature a large of these large IT
investments are risky. A lot of them are moderate risk, just
what we are trying to do. Just acknowledge it so we can more
effectively manage that way.
Actually, both these agencies do a pretty decent job, both
DHS and State Department, on acknowledging risk. They are some
of our higher scores. And to their credit they have yellows and
reds appropriately.
Mr. Connolly. Correct me if I'm wrong. My memory says USAID
had no high risk projects, is that correct, identified?
Mr. Powner. That is correct.
Mr. Connolly. It was all green.
Mr. Powner. They got an F.
Mr. Connolly. Everything is just fine.
Mr. Powner. Yes.
Mr. Connolly. Nothing to look at here. Keep on moving by.
Mr. Powner. Everything is green, yes.
Mr. Connolly. Yeah.
Mr. Wiggins, does that make any sense? I mean, for 10 years
of my life I wrote the authorization in the Senate for USAID. I
traveled all over the world looking at their projects and doing
oversight. And I am deeply committed, actually, to our foreign
assistance program. But to say it's low risk doesn't pass the
giggle test.
What's going on, do you think, at USAID? And I understand
it's a sister agency and it's not entirely within your
portfolio, but you are as close as we are going to get at this
table to them.
Mr. Wiggins. So as a proxy for Jay Mahanand, I would say
that as an outsider that needs to be looked at. I would say if
everything is green it's--historically, IT projects are very
high risk. Something in the neighborhood of 80 percent of them
failed. I know for a fact that we have about 77 percent of ours
that are on target. That leaves the other 23-odd percent. So
without throwing Jay under the bus, I would say I probably need
to have a conversation with him about that.
Mr. Connolly. And I would say if the motivation of some is
to cover up risk, actually now that we are making this a formal
metric you are putting yourself at risk if you call it green
and it turns out to collapse, I thought you said it was fine.
And so I think actually it's worthy of a second look by your
counterparts across the board, including at AID, to take a
fresh look at this, because I think it's a tool that can help
them and protect them and allow us to take some management
measures to shore it up. It's not designed to sort of give you
a bad grade because you're about to fail or what's wrong with
you for even undertaking a high risk project. That's not the
intent here. And I hope it will be seen for the management tool
it was intended.
Thank you, Mr. Chairman.
Mr. Hurd. Sure.
Mr. Fulghum, when you signed the DHS FITARA implementation
plan, was that as your role as CFO or acting CFO or your role
as the acting deputy under secretary?
Mr. Fulghum. As the CFO.
Mr. Hurd. As the CFO? And how much conversation did you
have with the Secretary and the deputy secretary on the
implementation of FITARA?
Mr. Fulghum. As it relates to FITARA?
Mr. Hurd. Uh-huh. The FITARA implementation plan
specifically.
Mr. Fulghum. I would say not routinely.
Mr. Hurd. Thank you.
Has Mr. McCormack ever halted or terminated a troubled
project?
Mr. Fulghum. Mr. McCormack has recommended pausing a
troubled program, yes.
Mr. Hurd. Was the program paused?
Mr. Fulghum. I'm sorry?
Mr. Hurd. Was the program paused?
Mr. Fulghum. Yes.
Mr. Hurd. Mr. McCormack, was there only one program that
should have been paused within DHS in your 3 years? Was there
only one program in your 3 years that you have been at DHS,
only one software or IT program that should have been paused or
halted?
Mr. McCormack. No, there was more.
Mr. Hurd. There was more?
Mr. McCormack. There was more than one that was paused.
Mr. Hurd. And so have you had difficulty in pausing or
terminating a troubled program?
Mr. McCormack. No, not at all.
Mr. Hurd. Good copy.
Mr. McCormack. Again, as I referred back to that
acquisition review board, not only the CIO, quite frankly, that
whole community has the ability to throw that flag in and say,
``I have concerns about this,'' in regards to a pause. So yeah,
we've paused more than one for a variety of reasons.
Mr. Hurd. Some of your peers have expressed concern with
the FITARA scorecard. I appreciate your all's open input not
only today, but meeting with staff on this issue. I would like
my last question to be any insights or suggestions that you all
have on how you would like to see this FITARA scorecard
implemented or things you would like to see on the FITARA
scorecard?
Because the reality is I think we ought to go beyond just
FITARA. We should be looking at the implementation of FISMA,
how are we implementing the Megabyte Act when it comes to
software licensing. It should be a scorecard on how you do good
digital system hygiene.
But I would welcome, Mr. McCormack, Mr. Wiggins, whoever
would like to go first, any feedback that you all may have.
Mr. McCormack. So I will take a crack at that. A couple
things.
One, I saw your alarm about the frequency in which I meet
with the leadership, whether it's once a month or two or three
times a month or a couple times a week. It varies.
I think what's more important, which is what I had pointed
out earlier, and I am not quite sure, I am looking over at GAO
here about how to measure it, but to me, and this is the same
discussion I had at the White House the other day, that you
have got to be able to measure that goal congruence issue with
the other CxOs for these different activities, whether it's
FISMA, whether it's the digital transformation activities,
whether it's FITARA. Somehow or another, you have to measure
more than what the CIO is doing.
What I had explained to the deputy under secretary, CIOs in
agencies in large part are completely dependent on their chief
acquisition officers. They are completely dependent.
Mr. Hurd. Should they though?
Mr. McCormack. What's that?
Mr. Hurd. Should they? Should they be responsible or should
you have that authority do that? You're the one responsible for
defending that system or making sure that system is working and
you should be responsible----
Mr. McCormack. Right, but I don't hold--I don't have
employees that work for me that hold a warrant, right? Unless
you're going to change those laws, then I am relying, and I
should be, on the chief acquisition officer, the chief human
capital officer. They're the only ones that can issue an offer
for employment to a Federal employee. I can't do that, right?
And so the point I'm trying to make there is that community
has to be aligned on these various goals and objectives. And
whoever that community reports to directly, that's what you
want to be measuring, right? And in this case, that's the
deputy under secretary of management. Over at DOJ, it was the
equivalent of that. It's different in different agencies.
But I think it is very important to figure out how to
incorporate that into the measurements. Not just the CIO, it's
a village that does these things. And it's typically that CxO
span that gets involved in this, particularly the CFO, the
CHCO, and the chief acquisition officer.
Mr. Fulghum. Sir, could I add to that? So I think in DHS
we're uniquely positioned with the under secretary for
management structure in that he gets and the other lines of
business get a lot of attention and, as he likes to say, goal
congruence in terms of making sure that each line of business
is supporting the other.
We have a set of integrated priorities which we get
together on a very routine basis and measure progress. And I
believe we have got numerous examples of how that structure is
working well for our Department. We have got more to do. But
that structure that we have in place, I believe, is one of the
reasons we have been as successful as we have been.
Mr. Hurd. Mr. Wiggins?
Mr. Wiggins. As I mentioned earlier, I think that one of
the things that would be helpful is if we go from a binary on
the reporting structure to a qualitative and quantitative,
frequency of meetings and what actually are the outcomes from
those meetings with senior leadership.
The other thing I would say from a FITARA perspective since
we are up to, is it, 3.0 now, is a FITARA cookbook of best
practices that have come out from the other agencies. Either
OMB can publish it or GAO. I would like to steal some of
Renee's work that she did to get NASA so far ahead. I do have
interaction with her through the CIO Council, but not as often
as I would like. If there were a step-by-step guide on some of
the most successful implementations of FITARA from some of the
other agencies, we could look to map that back, and in a very
cost-effective way.
The other thing I would suggest, and I am probably getting
into waters that are beyond my remit perhaps, but we haven't
really talked today about shadow IT and some of the issues that
confront agencies related to some of the rogue elements that
are out there doing things and is there a pejorative or
punitive element to when the CIO does become aware of shadow IT
and they try to loop it in, is there some way that either
people are going to be held more accountable or there is some,
as you said, kind of incentivization for the CIOs who do kind
of loop that in.
Right now we are going through a process of identifying all
the data centers, non-enterprise data centers out there as well
as non-enterprise dedicated Internet networks and
non-enterprise applications that are out there. We are trying to
get our hands around it. We are supposed to get a report the
middle of next month on exactly what's happening. That's been
driven by the deputy secretary in particular.
So once we get our hands around that and start marching
through those, FITARA gives us authority to do a lot of things.
I don't want to get into the punitive aspects of it, but that
might be helpful as well.
The other thing, of course, cyber is woven into a lot of
this, cybersecurity. It's not called out specifically in some
of the things we are currently measuring, but it touches just
about everything we are talking about, whether it's the
workforce or it's the status of our systems. So having some
kind of cybersecurity measure in there built into some of these
metrics would be helpful.
And lastly, and again preaching to the converted,
obviously, is this whole aspect of the workforce and gaining a
better measure on exactly how best practices are being taken in
different agencies to hire, train, retain, and recognize the
best workforce out there for IT so that government can be a
place that people want to come to. For example, in the
Department of State right now, we are doing a public-private
partnership. We are going to be sending people out to Silicon
Valley. I am paying for that out of my budget, for people to go
out for a 1-year sabbatical with Cisco. I am doing another one
with a partner agency up in Maryland. People will go and spend
18 months to 2 years up there to bring best practices back.
So if, again, there are best practices or a workforce
advisory piece that could be enhanced through FITARA that would
give us a little more leverage and more ideas, I think that
would be tremendously helpful. I think there are some
provisions there already, and we just need to flesh them out
and continue to refine them.
Mr. Hurd. Mr. Wiggins, if you find shadow IT, I think
you're going to be patted on the back, because in 4 months it's
very hard to say that that shadow IT existed during your
tenure.
Mr. Wiggins. If I can offer for the record as well, our
partnership with our chief acquisition officer has brought to
light in just the last few months a $500,000 shadow IT
effort that we've currently blocked. So with our partnerships
through the budget and planning office and also our chief
acquisition officer we are finding these things. But like so
many things, when you kick over a rock you have to be careful
what you find.
Mr. Hurd. I would like to yield to the gentleman from
Virginia.
Mr. Connolly. I was just going to actually say to you, Mr.
Chairman, I agree with you that at some point we probably want
to broaden the scorecard. But I do think while we are still in
the embryonic stage of implementation of FITARA, we want to get
the fundamentals right. You look at data center consolidation,
and there is nothing about those metrics that would allow us to
conclude, well, we are pretty much over that one. In fact,
until very recently, we kept on discovering more of them. We
weren't shrinking them, we were actually getting apparently
more accurate in identifying them. And I think we went by a
factor of six or seven over the original estimate by Vivek
Kundra in the first year of this administration.
So, I mean, I would just hope we keep in mind what you
said, but that we also for now try to deal with the basics so
that we get the fundamentals in place that allow us to better
grapple with cyber threats and the like.
So thank you, Mr. Chairman.
Mr. Hurd. Crawl, walk, run.
And I know I said that was my last question, but this just
came to my mind. Mr. Wiggins and Mr. McCormack, you are the two
individuals within your agencies that can provide an ATO, an
authorization to operate. Is that correct?
Mr. Wiggins. That's correct.
Mr. Hurd. Mr. Pitkin, if Mr. Wiggins did not give or grant
an ATO, what would happen to that project?
Mr. Pitkin. We would look at reducing funding for it during
the budget process, either in formulation or execution. If
there were some other mitigating factor, of course, the subject
group would have a chance to raise that issue. But of course
the CIO would still have that ultimate authority.
Mr. Hurd. So is not giving an ATO, is that the equivalent
of trying to halt a program?
Mr. Pitkin. I am not an expert in the authorities, but
that's how I would interpret it. But he may have a better----
Mr. Hurd. Mr. Wiggins, do you have something to comment?
Mr. Wiggins. Yes, but there are a couple of ways we get at
that. We also have a capital investment process that looks at
individual projects as they are brought to us. There is a
preselect, select, control, and then review process. So we can
stop projects in their tracks right there. Also through the
advanced PIT process.
The ATO authority, as a DAA, the designated authority,
authorizing official, I can stop things in their tracks, and I
have done it, in particular with cloud offerings. There was a
big rush to the cloud, but we put in place governance, the
CCGB, as I mentioned earlier, and if something has not gone
through the CCGB I do not give it an ATO and it should not
exist either externally to our network in the cloud or
internally within any of our networks.
Mr. Hurd. Good copy.
Mr. Fulghum, how does the process work at DHS?
Mr. Fulghum. Depending on the circumstances surrounding, if
it's a renewal of an ATO or an initial issue of an ATO and what
he recommends, we would take corresponding budgetary action.
Mr. Hurd. Good copy.
I would like to thank our witnesses for taking the time
today to appear before us. I think this is our first hearing
that wasn't interrupted by votes, makes it our last one of the
year. If there is no further business, without objection, the
subcommittee stands adjourned.
[Whereupon, at 3:57 p.m., the subcommittees were
adjourned.]