b'<html>\n<title> - HELP OR HINDRANCE? A REVIEW OF SBA\'S OFFICE OF THE CHIEF INFORMATION OFFICER</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n HELP OR HINDRANCE? A REVIEW OF SBA\'S OFFICE OF THE CHIEF INFORMATION \n                                OFFICER\n\n=======================================================================\n\n                                 HEARING\n\n                               BEFORE THE\n\n                      COMMITTEE ON SMALL BUSINESS\n                             UNITED STATES\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              HEARING HELD\n                             JULY 12, 2017\n\n                               __________\n\n            Small Business Committee Document Number 115-028\n              Available via the GPO Website: www.fdsys.gov\n              \n                               __________\n\n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n26-248 PDF                  WASHINGTON : 2017                     \n
\n                   HOUSE COMMITTEE ON SMALL BUSINESS\n\n                      STEVE CHABOT, Ohio, Chairman\n                            STEVE KING, Iowa\n                      BLAINE LUETKEMEYER, Missouri\n                          DAVE BRAT, Virginia\n             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa\n                        STEVE KNIGHT, California\n                        TRENT KELLY, Mississippi\n                             ROD BLUM, Iowa\n                         JAMES COMER, Kentucky\n                 JENNIFFER GONZALEZ-COLON, Puerto Rico\n                          DON BACON, Nebraska\n                    BRIAN FITZPATRICK, Pennsylvania\n                         ROGER MARSHALL, Kansas\n                      RALPH NORMAN, South Carolina\n               NYDIA VELAZQUEZ, New York, Ranking Member\n                       DWIGHT EVANS, Pennsylvania\n                       STEPHANIE MURPHY, Florida\n                        AL LAWSON, JR., Florida\n                         YVETTE CLARK, New York\n                          JUDY CHU, California\n                       ALMA ADAMS, North Carolina\n                      ADRIANO ESPAILLAT, New York\n                        BRAD SCHNEIDER, Illinois\n                                 VACANT\n\n               Kevin Fitzpatrick, Majority Staff Director\n      Jan Oliver, Majority Deputy Staff Director and Chief Counsel\n                     Adam Minehardt, Staff Director\n                            \n                            \n
                            C O N T E N T S\n\n                           OPENING STATEMENTS\n\nHon. Steve Chabot\nHon. Nydia Velazquez\n\n                                WITNESS\n\nMs. Maria Roat, Chief Information Officer, United States Small \n  Business Administration, Washington, DC\n\n                                APPENDIX\n\nPrepared Statement:\n    Ms. Maria Roat, Chief Information Officer, United States \n      Small Business Administration, Washington, DC\nQuestions for the Record:\n    None.\nAnswers for the Record:\n    None.\nAdditional Material for the Record:\n    None.\n\n \n HELP OR HINDRANCE? A REVIEW OF SBA\'S OFFICE OF THE CHIEF INFORMATION \n                                OFFICER\n\n                              ----------                              \n\n\n                        WEDNESDAY, JULY 12, 2017\n\n                  House of Representatives,\n               Committee on Small Business,\n                                                    Washington, DC.\n    The Committee met, pursuant to call, at 11:00 a.m., in Room \n2360, Rayburn House Office Building. Hon. Steve Chabot \n[chairman of the Committee] presiding.\n    Present: Representatives Chabot, Luetkemeyer, Brat, Knight, \nKelly, Blum, Bacon, Fitzpatrick, Norman, Velazquez, Evans, \nMurphy, Lawson, Adams, Espaillat, and Schneider.\n    Chairman CHABOT. Good morning. The Committee will come to \norder.\n    Before we get started, I wanted to take this opportunity to \nwelcome our newest member here, Congressman Ralph Norman, who \nwas sworn in a little over 2 weeks ago. He joins us from the \nbeautiful State of South Carolina, and I know because my wife \nand I were just there a couple of days ago as a matter of fact, \nand it is a beautiful great state. My mom is from North \nCarolina. 
As a real estate developer, Congressman Norman brings \nreal world experience, I think, to this Committee, knows an \nawful lot about small business, and we are looking forward to \nhaving him be a great contributing member of the Committee. So \nI think both sides would like to welcome you.\n    Mr. NORMAN. Thank you so much.\n    Chairman CHABOT. Thank you.\n    We also welcome everyone else for being here today. The \nCommittee is here today to examine the Small Business \nAdministration\'s Office of the Chief Information Officer. This \noffice is tasked with managing and overseeing the agency\'s IT \ninvestments and IT security. That is a big job and it is an \nimportant job. The Office of the Chief Information Officer must \nprotect taxpayer dollars and small businesses\' information \nwhile helping the agency run more efficiently and more \neffectively.\n    Unfortunately, the Office of the Chief Information Officer \nhas struggled over the past several years. It has experienced \nvery high turnover at that position, in particular, the Chief \nInformation Officer position. The SBA is on its eighth CIO \nsince 2005. Let me repeat that, the eighth CIO since 2005. I \nwas reminded by some of the local Redskins fans that that is \nabout how many quarterbacks they have had over that same period \nof time. Of course, I am a Bengals fan, so I really do not \ncare.\n    But on the serious side, a high turnover rate, especially \nat the Chief Information Officer position, undermines the \nOffice\'s ability to not just make improvements, but to even \nmeet its basic obligations: its obligation to deliver effective \nIT products and initiatives, its obligation to ensure strong IT \nsecurity, its obligation to manage IT spending, its obligation \nto reduce security risks, and on and on. In its annual \nManagement Challenges report, the SBA Office of Inspector \nGeneral listed the lack of IT leadership as one of SBA\'s top \nchallenges for fiscal year 2017. 
The message from the OIG is \nthat SBA cannot even begin to address its many IT weaknesses \nwithout strong and effective leadership, and that requires, in \npart, stability and continuity within the Office of the Chief \nInformation Officer.\n    Notably, this report was released just as Chief Information \nOfficer Maria Roat, our witness here today, was starting at \nSBA. Prior to her arrival, her post had been vacant for over a \nyear. The Committee welcomed her arrival then and continues to \nbe hopeful about the positive change Ms. Roat is trying to \nbring about. From what the Committee has seen and heard so far, \nMs. Roat is trying to strengthen the leadership and voice of \nher office, but this hearing will give us the opportunity to \nbetter understand what improvements she had made and what \nimprovements she is still planning to make. As we know, there \nis plenty of room for improvement.\n    I impress upon Ms. Roat the responsibility of both her and \nher office. It is important that she and her office be fully \nengaged in SBA\'s IT investment portfolio, overseeing the many \nongoing IT projects and all the while guard against security \nbreaches. SBA must do so to ensure that the office is running \nwell and supporting the agency\'s operations and small \nbusinesses, as well as protecting taxpayer dollars.\n    I want to thank Ms. Roat for being here today. We look \nforward to your testimony and obviously asking you some \nquestions.\n    And I would now like to yield to the Ranking Member, Ms. \nVelazquez, for her opening statement.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman.\n    Of the committee\'s many responsibilities, one of our most \ncritical is overseeing and examining the Small Business \nAdministration. As the only federal agency charged specifically \nwith helping small businesses grow and succeed, all of the \nSBA\'s functions should strengthen and preserve the \nentrepreneurial foundation of our economy. 
For small businesses \nto fully reap the benefits of SBA\'s programs, it is important \nfor the agency to operate efficiently and effectively. In \nparticular, the Office of the Chief Information Officer plays a \ncritical role in promoting information technology to support \nand enhance business decisions and agency operations.\n    Despite its critical role, historically, SBA--this is under \nRepublican administration and Democratic administration--SBA \nhas neglected to prioritize this office. This is evidenced by \nhigh turnover and an absence of a CIO for over a year. Such \ndisregard not only wastes taxpayers\' dollars, it weakens IT \nsecurity, putting the government and small firms at risk.\n    Cybersecurity vulnerabilities are always of tremendous \nconcern, but are especially grave in light of events last year. \nOur intelligence community has concluded that Russia used \ncyberattacks in an attempt to influence last year\'s \npresidential and congressional elections. We can expect that \nRussia\'s intelligence services and other bad actors will \ncontinue seeking weaknesses in our IT security system for \npolitical gain and personal profit.\n    As stories unfold now almost daily about Russia\'s digital \nmeddling in our democratic process, we should expect every \nfederal agency to make cybersecurity a top priority, so it is \ndisconcerting that the OCIO has had such severe problems for so \nlong. There have been numerous GAO and IG reviews of SBA\'s IT \noperations highlighting these deficiencies. In its 2015 review, \nGAO found that SBA had not prioritized long-term IT \norganizational transformation and had not conducted regular \nreviews of its IT investment to ensure they continue meeting \nagency needs.\n    Additionally, the IG found that overseeing and addressing \nIT investment and security risks was one of the agency\'s most \nserious management challenges for this fiscal year. 
The reports \nindicate that some progress has been made in implementing \nrecommendations from these evaluations. Over 30 remain \noutstanding. This is unacceptable.\n    It has been noted Ms. Roat recently took the reins as CIO, \nand it is my hope that she will make oversight of the OCIO a \npriority. I look forward to working together to ensure SBA \ndeploys adequate steps to strengthen IT security and management \nof the OCIO. Effective management of the agency\'s IT system \nhelps ensure small businesses receive the assistance they need \nto grow and create jobs. Equally important, bolstering the \nagency\'s cybersecurity will ensure government and small \nbusinesses\' sensitive data is safeguarded from those who have \nalready conducted cyberattacks on our Nation and others who may \nhave similar plans.\n    I look forward to the witness\' testimony on how these \nchallenges are being tackled.\n    Thank you, and I welcome you.\n    Chairman CHABOT. Thank you very much. The gentlelady yields \nback.\n    If Committee members have opening statements prepared, I \nwould ask that they be submitted for the record.\n    Now I will briefly explain our timing rules. Since we only \nhave one witness it is pretty easy. We operate under the 5-\nminute rule, and the lighting system will help you. The green \nlight will be on for 4 minutes. The yellow light will come on \nto let you know you have a minute to wrap up. And then the red \nlight, if you could wrap up, you know, at or near that time, we \nwould greatly appreciate it.\n    Now, we would like to introduce our witness here this \nmorning. Our witness is Maria Roat. Ms. Roat is Chief \nInformation Officer for the Small Business Administration, as \nwe have mentioned a number of times already this morning. She \nhas been in this post only since October of last year. Prior to \naccepting this position, Ms. Roat was the Chief Technology \nOfficer at the Department of Transportation. Ms. 
Roat also \nserved for 10 years at the Department of Homeland Security, and \nworked in the private sector gaining relevant information \ntechnology experience there. Lastly, and very impressively, Ms. \nRoat accumulated 26 years of active duty and reserve service \nbefore retiring from the United States Navy in 2007, and we \nappreciate your service to our country. We thank you again for \nyour service. We welcome you here this morning. And you are \nrecognized for 5 minutes.\n\n  STATEMENT OF MARIA ROAT, CHIEF INFORMATION OFFICER, UNITED \n              STATES SMALL BUSINESS ADMINISTRATION\n\n    Ms. ROAT. Thank you. Good morning, Chairman Chabot, Ranking \nMember Velazquez, and members of the Committee. Thank you for \nthe opportunity to discuss the technology transformation \nunderway at the Small Business Administration.\n    I on-boarded as the CIO in October last year and began with \na frank and honest conversation about the state of IT at the \nagency. Even before I arrived, it was clear that transformation \nwas overdue. In November, we embarked on a fast-paced journey \nto change how the SBA builds, buys, and manages information \ntechnology to support small businesses and entrepreneurs. I was \nlaser-focused about our targets through the end of 2017: \nstabilize and modernize. For the first 4 months, the CIO team \ninventoried, upgraded, and patched operating systems, software, \nand applications, and shut down approximately 170 servers in \nour primary data center. We launched an infrastructure \nmodernization to lay the foundation for future capabilities. I \neliminated duplicative software and cut unnecessary \nexpenditures. I am leveraging our small business contractors to \nbring in solution architects and senior engineering expertise. 
\nWe developed a cloud architecture model and are in the staging \nprocess to move our systems to the cloud.\n    All of these activities will enable us to take an \nenterprise approach to business solutions and launch \ninitiatives like virtual counseling that would help improve \ncitizen-user experience with the SBA. We are standardizing and \nincreasing our users\' capability with an enterprise deployment \nof Windows 10, Office 2016, and OneDrive later this summer. We \nturned on cloud-based collaboration tools internally and are \npiloting the capability externally with the Tech Coalition.\n    We are collaborating with our stakeholders to introduce \nbusiness intelligence capabilities and modernize enterprise \nreporting. We must be able to quickly generate and share \ninteractive reports to visualize and analyze our data to better \nunderstand results and target SBA services to small businesses.\n    We are aggressively modernizing, pushing the envelope, and \ntesting new capabilities and security remains paramount. We are \nintroducing advanced threat protection capabilities, \nencryption, and data loss prevention. We are approaching \nsecurity by design, building it in, not bolting it on. While \nmuch of this work is behind the scenes, there are several \npublic-facing activities underway. We are actively modernizing \nSBA\'s website to make information readily available and making \nit responsive to mobile devices. We are modernizing \nincrementally. Lender match is launching shortly and \nimprovements in functionality with access points for \ncounseling, events, and resources are launching later this \nyear. The certify program continues to also incrementally \ndeliver capabilities. The HUBZone Map launched last month and \ntools such as "Am I Eligible" help small businesses determine \nif the certification programs are a good fit for their \nbusinesses.\n    Transparency is critical, and I hold monthly IT forums. 
We \nrecently held the first CIO open house to provide a sneak peek \nat the tools and technologies that will be deployed in a few \nmonths. We also reimagined and modernized OCIO\'s internet site \nto share information and resources.\n    Opportunities remain abundant. We must continue to attract, \nhire, and retain the right talent and develop the entire SBA IT \nworkforce as we transition to an organization capable of \nsupporting modern technology stacks, cloud-based platforms, and \nbeing an enabling partner to SBA\'s program offices. Over the \nnext 12 to 18 months, IT management capabilities will continue \nto mature as we enhance governance and transparency and improve \nrisk management of IT investments.\n    To overcome the inherent inertia of the status quo, we are \nmaking a radical and difficult, but deeply considered and well-\nplanned turn, moving to an environment where the CIO is a \npartner to and enabler of the business of SBA. We have an \nopportunity to get this right. We are aggressively hiring the \nright team, modernizing our business and technology \ncapabilities. We are introducing innovation, not just to \nsupport the SBA of today, but the SBA of the future.\n    Thank you for the opportunity to speak with you today, and \nI look forward to your questions.\n    Chairman CHABOT. Thank you very much. I will now recognize \nmyself for 5 minutes to begin the questioning.\n    According to the Inspector General\'s risk management report \nfor 2017, the SBA had 39 open recommendations related to IT \nsecurity, some dated back to fiscal year 2011. Do you know \ngenerally the status of those open investigations--excuse me, \nrecommendations, and how many of them still remain? And what \nare you and your folks doing to ensure that the office meets \nits obligations under the Federal Information Security \nModernization Act, FISMA?\n    Ms. ROAT. Yeah, we did have quite a few that were old ones. 
\nI will say that we did close a couple of those old ones that \nwere there. Over the last few months we have closed more than a \nhalf a dozen, and then we actually have a schedule of another \nhalf-dozen or so that will be closed through the end of this \nyear. There are some that are low-hanging fruit that have been \nopen for quite some time and so we are tackling those first, \nand there are some that are a little bit longer-term that we \nhave scheduled to close through the end of this calendar year \nand into next year. So we acknowledge that there are more than \n40 that were open, closer to 50 with the new report that came \nout, and we are working through those now. It is a priority.\n    Chairman CHABOT. Is there anything you could give us, an \nexample of, you know, why something would be still open? Why it \nis particularly tough that you have to deal with?\n    Ms. ROAT. For some of the older ones it was a matter of \njust taking action and documenting. Some of the things were \nalready done, but it is a matter of coordinating with the IG\'s \noffice. Nobody took the next step to say we did this and showed \nthe evidence to say that this was done. In some cases that was \nall that was needed to be done. You have to prove it to the IG. \nYou have to provide that evidence. And in some of those \ninstances where we have been able to close them quickly, we \nhave provided that evidence and said we have done the work.\n    Chairman CHABOT. Thank you.\n    Currently, what are the biggest challenges that your office \nis facing, and how are you working to overcome those \nchallenges?\n    Ms. ROAT. Walking in the door, the biggest challenge was \nreally stabilizing the IT environment, just what we had. I also \nhad a challenge around vacancies that I had coming in to make \nsure we filled the billets, get people on board, and getting \nour arms around the work the contractors were doing. 
But by \nfar, the biggest thing was the workforce; getting the right \npeople in and stabilizing the environment. And then modernizing \nit, which is the work we are doing right now. So this first 12 \nmonths is critical to really setting the stage to move forward \nfor the long term.\n    Chairman CHABOT. Thank you.\n    Do you believe that the SBA\'s enterprise IT architecture \nneeds to be improved? What specifically, and how do you intend \nto go about improving it?\n    Ms. ROAT. So the infrastructure overall, when you look at \nit from the network perspective, we have 120 circuits across \nall of SBA. More than a third of those were overloaded by the \namount of data and traffic. They were just overloaded. We are \nmodernizing the entire infrastructure to begin with to all of \nour field offices, and moving from a multitude of T1s and T3s \nto a pure Ethernet backbone, which is going to give us a lot \nmore capability in the long run to roll out capabilities--\nwhether it is Skype or virtual counseling--or doing more things \nonline where we are currently much more paper-based. So we are \nsetting the capability for that. Moving to the cloud is also a \nbig piece of that from an enterprise perspective, putting those \nservices in place. Ultimately, this office needs to transition \nfrom being just an office that does computers to a service \norganization; so that as program offices want to grow their \nbusiness, as they want to add more capabilities, we are there \nto be able to support that.\n    Chairman CHABOT. Obviously, there has been a considerable \nhigh turnover rate, and I think that has had a pretty \nsignificant impact on the office. Could you comment on that? If \nyou want to talk about the Redskins quarterback, we can do \nthat, too, but we will stick with your office, I guess, at this \ntime.\n    Ms. ROAT. You know, I am fully aware of the turnover and \nthe transition that has happened over the last 10 to 12 years. 
\nThe CIOs and Acting CIOs with no deputy, that has really hurt \nthe organization overall. And part of what I have done is put \nthe leadership team in place so that we do not have those gaps. \nBut it has hurt the organization having that turnover, the \ntransition, not having that line of sight over the next couple \nof years, where the business of SBA needs to go rather than \nhaving stovepipes and silos. It has hurt the organization.\n    Chairman CHABOT. Thank you. Well, we welcome you again \naboard and we are expecting great things. And anything you need \nfrom the Committee, please let us know, or our staff, because \nwe will definitely work with you to make improvements. And I am \npleased to see that you have a positive attitude. I am not \nsurprised after spending the time you did in such a tremendous \norganization as the U.S. Navy, and again, thank you for your \nservice there.\n    I will now yield back my time and recognize the Ranking \nMember for 5 minutes.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman. And welcome, Ms. \nRoat.\n    We want to ensure that access to resources for small \nbusinesses of all demographic groups is important and recognize \nthat SBA.gov serves as the primary source of such information. \nIn the prior administration, there was a page on the site for \nLGBT small businesses outreach, and now it appears to no longer \nbe available due to page updates. This information has been \ndown since at least last January, and I would like to know when \nyou plan to have this page back up and running?\n    Ms. ROAT. So we have been doing a lot of work on \nmodernizing SBA.gov. There were a number of pages that are not \navailable, like you indicated. Some are coming back up online. \nI know Tech Coalition was one of those that was taken down, as \nwell as some of the others. The Tech Coalition is back up \nonline. 
So as we are working through with the front office and \nwith the program offices, we are evaluating all of those pages \nand bringing them online.\n    Ms. VELAZQUEZ. Okay. Recent government security breaches, \nsuch as the OPM breach and the Russian election hacking, have \nheightened the importance of continuously monitoring against \noutside threats. But in an annual evaluation of the SBA system \nand networks, the IG has found significant enterprise-wide \nvulnerabilities. How has the SBA responded to the threat of \nsuch risk?\n    Ms. ROAT. I would say there are several things that we have \ndone. One I mentioned earlier was the patching, the \nconfiguration management, and the inventory; understanding what \nwe own and what we have, as well as modernizing all of those, \ngetting them to current levels for operating systems and those \nkind of things. So those specifically have taken us a long way \nto address security. In addition, we are in phase one of \ndeploying the DHS CDM, the Continuous Monitoring Diagnostic and \nMitigation System, so we are deploying that right now. So that \nwill give us future capabilities as well for monitoring. We do \nhave a security operation center and a network operation center \nthat are now working very closely together.\n    Ms. VELAZQUEZ. So it is imperative that the tools SBA \noffers to facilitate access to capital operate at their optimum \ncapacity, and I heard you mention that the rebranding of the \nlender match will be launched soon. How soon?\n    Ms. ROAT. Tomorrow. We did the demo for the administrator \nyesterday.\n    Ms. VELAZQUEZ. Very good. Ms. Roat, Kaspersky is a Moscow-\nbased firm and one of the biggest cybersecurity firms in the \nworld. According to reports, its software has been procured by \nsome federal agencies. This is very concerning in light of the \nthreat Russia poses to our government and U.S. customers. Does \nSBA use this software? 
And are you coordinating with other \nagencies to mitigate cyber threats?\n    Ms. ROAT. So we have been coordinating with DHS, as have \nthe other Federal agencies, and we do not have any Kaspersky \nsoftware installed in our environment.\n    Ms. VELAZQUEZ. Very good. Last year, SBA established the \nOffice of Digital Services to improve systems and capabilities. \nCan you please elaborate on the work this office performs and \nhow the SBA determines the impact it has had?\n    Ms. ROAT. So the Office of Digital Services was stood up a \nlittle over a year ago, almost a year and a half ago. They have \ntaken on SBA.gov, the redesign and the rebuild of that. They \nhave done a lot of work introducing agile methodology, new and \nmodern tools, and technologies. They have also--where we had \nmultiple GitHub sites across SBA, whether they were contractor \nmanaged--consolidated all of that work. So the Office of \nDigital Services has brought a lot of benefit to SBA as far as \nmodernizing and bringing in additional capabilities.\n    Ms. VELAZQUEZ. Very good. And given the fact that there is \na history of a lot of turnover and eight CIOs since 2005, I \nwould like to know what succession planning SBA engages in to \nensure continuity in IT operations?\n    Ms. ROAT. Well, for the first time, right now we have a CIO \nand a Deputy together, and I also, in January, hired a CTO as \nwell. So when you look at succession planning, we go three deep \nright now.\n    Ms. VELAZQUEZ. What would be key elements of that \nsuccession planning?\n    Ms. ROAT. Being engaged and being a part of the entire \nmodernization and moving forward in planning. The CTO right now \nis incredibly engaged with the business offices as we are \ntaking the enterprise approach to SBA, so we work together as a \nteam, the three of us as we lay the strategy moving forward for \nSBA.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman. I yield back.\n    Chairman CHABOT. Thank you. 
The gentlelady yields back.\n    The gentleman from California, Mr. Knight, who is the--\nexcuse me. Or is Mr. Kelly here? Mr. Knight, I apologize. Mr. \nKnight, who is Chairman of the Subcommittee on Contracting and \nWorkforce, is recognized for 5 minutes. Thank you.\n    Mr. KNIGHT. Thank you, Mr. Chairman. Mr. Kelly and I look \nalike so----\n    Chairman CHABOT. You talk alike, too.\n    Mr. KNIGHT. We do talk alike.\n    I have some just basic questions. I appreciate your service \nin the military and information to the military is very \nimportant, but the control of that information is just as \nimportant. So I understand that your background will help with \nthat. But my questions are very kind of simple. A lot of these \nquestions have gone over the turnover of how many CIOs we have \nhad over the last 5, 6, 7, 8 years, and how we continue the \ncontinuity moving forward. So can you give me an idea of--and I \nhave heard, you know, in your statement of all of the things \nthat are coming, all the things that have been in place, and \nthe perfect answer to say that tomorrow is a great day, but how \ndo we keep the continuity moving forward with your leadership?\n    Ms. ROAT. That is really, really critical because walking \nin and walking into such a big vacancy within the Office of the \nCIO, it is imperative that I build the team that understands \nthe modernization, the stabilization, where we are going as an \nagency. It is so important for the CIO, the Deputy, the CTO, \nand the team to be tied and understand the mission of SBA, why \ndo we do what we do? And that is important to succession \nplanning because it is not just about the technology. It is \nabout the business of SBA. 
And until you have the Deputy in \nplace, until you have a CTO and the rest of the leadership team \nthat truly understands what that business is, then all we are \ngoing to be doing is deploying computers.\n    We have to look at it from an enterprise-wide perspective \nacross SBA and you have to have the team that is committed to \nthat. And they are going to be part of the mission. They are \nnot just there to deploy desktops or laptops.\n    Mr. KNIGHT. And one of your answers was we are engineering \nthis in instead of trying to replace and build on some of these \ntypes of things. Have you reached out to some of the business \nworld and talked to them about what they do on a continuing \nbasis? And not just smaller businesses that have to do with \nkind of some of these things that might be restrictive on how \nmuch money they can spend, but maybe some of the larger \nbusinesses that do this on a kind of day-to-day basis because \nthey can and because they have to control their information?\n    Ms. ROAT. Yeah, it is incredibly important to work with our \npartners, both the ones we have contracts with as well as \nunderstanding where technology is going in the long run. \nSecurity, building it in by design is really, really important \nbecause you cannot have a hard outer shell and a soft squishy \ninside. You have to build it in. So with our deployments, with \nthe work we are doing now with partnering with Microsoft as we \nare moving to the cloud, working with other businesses and \norganizations, building that security in as we are doing the \nsystem development. Even our public-facing website, upgrading \nthat, and working with other businesses is incredibly \nimportant; and working with small businesses as well that have \nthat expertise, bringing them in.\n    So I am actively engaged with the business community and \nthe technology world. 
I meet with them regularly, whether it is \nevents or meetings or with ACT-IAC and other organizations that \nare out there.\n    Mr. KNIGHT. Well, I appreciate your first 10 months. I look \nforward to you staying in office, and I yield back, Mr. Chair.\n    Chairman CHABOT. Thank you. The gentleman yields back.\n    The gentleman from Pennsylvania, Mr. Evans, who is the \nRanking Member of the Subcommittee on Economic Growth, Tax, and \nCapital Access, is recognized for 5 minutes.\n    Mr. EVANS. Thank you, Mr. Chairman.\n    A growing number of workers are teleworking, which saves \ncommuting time and creates efficiencies. What percentage of SBA \nemployees teleworked considering the past problems? Does this \ncreate any special problems for your oversight and operation of \nthe SBA IT infrastructure?\n    Ms. ROAT. So we have to make sure the environment is \navailable and it is up and it is running for those workers who \nare teleworking. We just recently completed the deployment of \nanother 1,200 laptops so that people can telework, so that they \ncan work from home, because there are long commutes in many \nareas across the country. So putting the infrastructure in \nplace is really important to enable the telework and having \nthat mobile workforce. So a lot of the work we have done to \ndate is stabilizing the current infrastructure that was there \nwhen I arrived, as well as adding capability and pushing out \nlaptops and making sure that people can take their laptops home \nand telework because we do have a good number of our workforce \nthat does telework.\n    Mr. EVANS. From your testimony, it sounds like you have \nmade some headway in testing systems and refining \nmethodologies. Do you feel that you have adequate staffing in \nyour office to continue to correct the deficiencies in the SBA \nIT infrastructure and continue to support the system\'s daily \noperation?\n    Ms. ROAT. 
So between the Federal workforce being able to \nhire--coming in with--a fair number of vacancies--the right \npeople that have that vision to be able to look forward, as \nwell as leveraging our contractors saying this is the direction \nwe are going and this is the direction we are headed, that is \nhow we have been able to make headway in what we are doing. I \ncould not do it without the team that we have today that we \nhave built. They have been incredible. We have been very, as I \nsaid earlier, very laser-focused on what we are doing and where \nwe are going, and have been very direct about where we are \ngoing on our strategic direction, especially these first 12 \nmonths which are critical. So not only is it the Federal \nworkforce, it is also the contractor staff that is on board as \nwell.\n    Mr. EVANS. I know this is very early and you have only been \nthere for 10 months--and again, like the chairman, I want to \nthank you for the service that you have provided to the \ncountry, 10 months--and you had to kind of evaluate the \nsituation, how would you evaluate it at this point?\n    Ms. ROAT. I would say that by January we made just a huge \namount of progress stabilizing the environment. We are now not \njust making incremental improvements. We are taking big steps \nto modernize right now. So the rollout we are doing, moving to \nthe cloud, getting ready to shut down our data center, those \nare big steps.\n    Over the last 3 months, we have already done our cloud \narchitecture. We have done the migration planning. And we are \ndoing the migration staging right now. We are getting ready by \nthe end of the summer to migrate and get out of our failing \ndata center that we currently have. So we are moving very fast \nand very hard.\n    Mr. EVANS. Thank you for your service. I yield back the \nbalance of my time. Thank you, Mr. Chairman.\n    Chairman CHABOT. Thank you. The gentleman yields back. The \ngentleman from Mississippi, Mr. 
Kelly, who is Chairman of the \nSubcommittee on Investigations, Oversight, and Regulations, is \nrecognized for 5 minutes.\n    Mr. KELLY. Thank you, Mr. Chairman. You say Mr. Knight and \nI talk alike, have the same accent.\n    Ms. Roat, in your testimony, you state that over 15 million \npeople per year visit the SBA.gov. Obviously, in light of the \ngrowing number of security breaches at the Federal Government, \nIT security is becoming increasingly important. And I also \nappreciate your service in the United States Navy.\n    And I think one of the things that our military services do \npretty well is on cybersecurity. Although we have got to get \nbetter, I think it is one of the things that we probably \nsometimes are a little further ahead because I think, number \none, we understand who the threats are. It is not just Russia. \nIt is Russia, China, Korea, countries in South America. There \nis a litany of people who are trying to hack our systems and to \nget in there to gain value for whatever organization, whether \nit be a terrorist organization or a foreign country, you have \nbeen exposed to all that.\n    That being said, as well as protecting our nets, we also \nhave to have access to the right people to the net. And as a \ntraditional guardsman, I find that many times our IT people \ndeny the people who need access under the guise of security. So \neven though I may be a brigade commander and a colonel, I \ncannot access information because I do not have the right \npermissions and those kind of things.\n    So I would like for you to talk a little bit about \ncybersecurity and what we are doing to reduce the risk of a \nsecurity breach while also ensuring that we have access to the \nright person, whether that be permissions or whether that being \nseparating nets that certain information you get on one net and \nothers. What things are you doing there, Ms. Roat?\n    Ms. ROAT. So there are a number of things. 
One, as you \nindicated, access permissions. We have done a sweep of who has \nadministrator access across all of SBA to our systems and we \nhave said, who has access? Who has a need to have access? So \nthat is from an administrative perspective. So we have \ntightened down on that to make sure that only those that need \nit have it. That goes to access, access permissions for users. \nDo they have access to what they need to do to do their job? \nThat is really important.\n    There are also users at SBA who have been there for 30 and \n40 years that as they have moved jobs and changed jobs, they \nhave carried their permissions along with them. They do not \nneed access to what they needed to 10 years ago for their job \ntoday, so we also have to get our arms around what those \npermissions are.\n    So as you said, you might not have access which you need \nto. You need that access to what you have to, right, to get \nyour job done. You may not need access to somebody else\'s data, \nso we have to understand what that is. We need to understand \nyour work environment, what systems you access, so that goes to \nthe user experience. What do you need to do to do your job? So \nthat is part of what we are doing, getting our arms around \nthat. And that is so tied to security and making sure that the \nright people have the right access to the right data to do \ntheir jobs.\n    In addition, we have been out there doing training for \nusers so that when an email comes in, whether it is a malware, \ndo not click on that; doing testing and those kind of things \nand that is so important that people understand spam and \nmalware. If you see something that just does not look right, \nraise the question. Just ask somebody. So user training, not \nonly is it from a technical perspective, but there is also the \nother side of it from the user side.\n    Mr. KELLY. And then kind of as a follow-up, I agree with \nyou, 10 months on the job, I think you are the right person. 
\nOkay, let us start with that. But I think it is also just as \nimportant that you get the right people around you that you \nchoose who carry out not only your strategic vision and help \nyou develop that strategic vision, but also help you execute it \nonce it is figured out.\n    How far are you along in making sure that if we do have a \nbreach, number one, that you identify it, whether that be \nsomeone who does not have a permission is on a system that they \nshould not be on? And number two, once you identify there is a \nbreach, what steps have you put in place to mitigate those \nrisks to the system then?\n    Ms. ROAT. So there is a number of things that we have done. \nSo one is our incident response procedure. So we went through \nthose in January and February this year, updated all of our \nincident response procedures. So we have got a network and \nsecurity operations center. If there is an indicator of \nsomething, they know what to do--all the steps are laid out. We \nupdated all of those. We did a sweep of all of those.\n    We actually used that document when WannaCry came out back \nin March. We walked through that to make sure that we were \ndoing all the steps we needed to as we assessed our environment \nand did that. So putting the processes, the procedures in \nplace, having the security operation center, as well as the \nnetwork operation center, all of those things tie into being \nable to respond.\n    And it is really important knowing what is on your network, \nunderstanding how your network operates normally. If you see a \nspike in something and you go, oh, that is not right, is that \ndata exfiltration or is that somebody just doing an upload or a \ndownload or moving data somewhere? 
You have to understand your \nnetwork environment and that is the environment we are getting \nto.\n    So in the meantime, as we move to that and as we are being \nmore aware of our network, we have the incident response \nprocedures in our network and security operations center, \ntightening up the tools they use and the processes they are \nusing.\n    Mr. KELLY. Mr. Chairman, my time is expired. Thank you.\n    Chairman CHABOT. Thank you very much. The gentleman\'s time \nhas expired.\n    The gentlelady from Florida, Ms. Murphy, who is the Ranking \nMember of the Subcommittee on Contracting and Workforce, is \nrecognized for 5 minutes.\n    Ms. MURPHY. Thank you so much for being here and for your \nservice.\n    I wanted to talk a little bit about the IT capabilities in \nthe Federal Government. I come from the private sector and have \nsome experiences as I have used some of the Federal \nGovernment\'s technology systems and have personally seen a \nsignificant difference. How do you respond to some of the \nconcerns that the Federal Government lags in its IT \ncapabilities as compared to what is available in the private \nsector?\n    Ms. ROAT. Across the Federal Government?\n    Ms. MURPHY. Well, specifically SBA.\n    Ms. ROAT. For SBA, we are making very big steps to catch \nup. We have got a decade of turnover and transition to catch up \non and we are doing that very fast. I am probably very forward-\nleaning when it comes to technology. I am the co-chair for the \nFederal CIO Council Innovation Committee, working with the CTOs \nacross the Federal Government. I have always been forward-\nleaning as far as technology. Even with the team today I said, \nturn it on, try it. Let us test it within my office. Why not? \nAnd that is what they have heard me say time and time again, \ntest it.\n    Security is paramount, but why can we not turn on a \ncapability? What is stopping us? Can we test advanced threat \nprotection against our email? Turn it on. 
Let us try it. Let us \ntry it for a small set of users and then deploy it further \nacross SBA. So that is one of the things that as I am forward-\nleaning, I do like to try things. I do like to test things. I \nam working that within my office before we roll it out \nenterprise-wide to kick the tires on it and make sure it is \ngoing to work.\n    But as far as practices go, those are industry practices. \nYou know, data loss prevention, advanced threat protection, all \nof those things we are putting in place are things industry is \nalready doing.\n    Ms. MURPHY. Do you find that the acquisitions processes, or \nany of the sort of the way that the government goes about \nprocurement and things like that, inhibit your ability to \nacquire some of the most cutting-edge products that are on the \nmarket?\n    Ms. ROAT. Like anybody else in the Federal Government, we \nhave our acquisition processes. I think the work that has been \ndone over the last year or 2 years around agile procurement, \nbeing able to do things faster. You know, within the FAR, you \ncan do a lot of things and you can move very quickly. And I \nthink applying those, you know, I am working with the \nProcurement Office, the acquisition folks at SBA to say, how do \nwe move things along faster? How do we use agile acquisition \nmethodologies? How do we do that to move things along instead \nof the traditional route moving paper? How do we be creative? \nSo I am working with that office as well.\n    Ms. MURPHY. And then from a recent hearing on SBA\'s--is it \nVERA/VSIP program, we learned about some of the agency\'s \nprogrammatic and demographic workforce challenges. \nAdditionally, in general, in the Federal Government, there has \nbeen some challenges to recruiting and retaining competitive IT \nstaff. Can you talk a little bit about some of the steps that \nthe agency has taken to recruit and retain competitive IT \nstaff?\n    Ms. ROAT. 
So we have been using our direct hire authorities \nwith the digital services team, certainly schedule A to bring \npeople in directly, direct hires. With the CIO office, we have \na big responsibility. I do not care what job you have around \ncybersecurity. So we have been using the direct hire authority \nfor cybersecurity to bring in the right talent.\n    People do not come into the Federal Government just to work \nfor the Federal Government; they come in for the mission. They \nare not here for the money. They are in for the mission. It is \nlike my father worked for a small business. You know, I saw \nwhat he went through; or my mother did or something like that.\n    I found that people come in and they really want to work. \nThe IT people come in and they really want to work because they \nare truly supportive of the mission. They get it. They \nunderstand it. They know somebody, and that is the talent that \nwe are going after. Is it easy? No, but we are turning over the \nrocks and trying to recruit as much as we can.\n    Ms. MURPHY. And on the retention of people like that, once \nyou are able to recruit them in for the mission, what do you \nthink causes them to stay? And are there things that can be \ndone to ensure retention and that they are not hired away into \nthe private sector?\n    Ms. ROAT. I think the work we are doing now leaning \nforward, trying innovative things, not being status quo and \njust doing the same old, same old is drawing interest from \npeople who want to be a part of that movement forward and to \nreally modernize and really take SBA to the next level. So I \nthink that is what is going to keep people there.\n    Ms. MURPHY. That is great. Thanks so much, and I yield back \nthe remainder of my time.\n    Chairman CHABOT. Thank you very much. The gentlelady yields \nback. And now we have reached that big moment. Our newest \nmember, the gentleman from South Carolina, Mr. Norman, is \nrecognized for 5 minutes. 
Do not screw it up.\n    Mr. NORMAN. That is a tall task. Thank you, Ms. Roat. I \nappreciate your time here.\n    I know in the private sector, when you have people, and \nparticularly, you have been on the job 10 months, what is your \nopinion of having a self-assessment of the members there to get \nan idea of problem employees that from their peers are judged \nin not so good of a light?\n    And my second question is, and we have got constituents in \nmy hometown in South Carolina where the universities play a big \npart in the SBA, is there an outreach to them or are they \ncoming to you to reach out to play a part with SBA loans?\n    Ms. ROAT. So for the first part of your question around the \nemployees and how they are doing and working, you know, we did \nput in place performance management. That is very important for \nthe employees, making sure that this is what we are doing this \nyear and that people are on board. If they need training, we \nmake sure to offer them training; performance management is a \nbig deal to make sure that we are all on the same bus, we are \nall moving in the same direction, and that if people need \ntraining, we offer it and making sure they are working.\n    For the universities, I would have to defer to our HR \noffice, as well as the capital access folks and some of the \nothers that are working much more closely with the universities \nand some of the others on the loans.\n    Mr. NORMAN. Okay. And I guess back to one of the previous \nquestions, for the training and staying up to speed on the \nchanging world of technology, you feel comfortable with what \nyou have now and what you see for the future?\n    Ms. ROAT. 
So especially for what we are doing moving into \nthe cloud right now, it is really, really important that the \noperations folks and the security folks really understand cloud \narchitecture, and not just from a technical perspective, but \nmonitoring and managing, and how do you offer those services \nacross SBA to those program offices that may need different \nenvironments, test-dev and things like that. That training is \nreally important, so we have had offsite sessions.\n    We do weekly Lunch and Learns as well. There are other \nopportunities across SBA just around agile training \nmethodologies that we have done. And it is not just around \nagile development, but around agile methodologies as a whole. \nSo we are offering all of those kinds of training from Lunch \nand Learn to formal, paid training classes.\n    Mr. NORMAN. I appreciate you taking the task and, from your \ntestimony, you are up to the task and we appreciate your \nwillingness to do this.\n    I yield the time to the chairman.\n    Chairman CHABOT. Thank you. The gentleman yields back. And \nin the opinion of the chair, the gentleman did just fine. So \nthank you very much. Looking for great things from you.\n    And now we move to the gentlelady from North Carolina, Ms. \nAdams, who is the Ranking Member of the Subcommittee on \nInvestigations, Oversight, and Regulations, for 5 minutes.\n    Ms. ADAMS. Thank you, Chairman, and Ranking Member \nVelazquez, thank you as well. And thank you for your testimony. \nThank you for being here, and thank you for your service to our \ncountry. We appreciate it.\n    Your statement shows that you have made remarkable strides \nsince you became CIO, reducing the vacancy rate from 30 percent \nto now 15. 
That is pretty impressive and we appreciate that.\n    You identify developing the right workforce as one of the \nremaining challenges of SBA, so have you submitted or do you \nplan to submit a plan to the SBA to outline how you can better, \nas you put it, determine need competencies and develop and \nsustain a workforce that can use, deliver, and support not just \nthe technologies, but those of the future? Not the technologies \nof today, but those of the future?\n    Ms. ROAT. So one of the things that was put in place prior \nto my arrival was putting in a workforce plan. There are 170 IT \nspecialists across SBA and part of the FITARA implementation \nwas to have an actual IT workforce plan that really looked at \nthat roadmap for the workforce. We are actually just getting \nready to do a kickoff on that within the next month to lay out \nwhere we need to go for a workforce because it is not just my \noffice that I have responsibility for in the IT, it is all of \nthe IT personnel across all of SBA. So part of this work that \nwe are kicking off in the next few weeks will be putting in \nplace a long-term strategy for the workforce, looking at those \nskills, looking at those companies.\n    It is so important that we get the right people, that they \nunderstand the environment, that we are not doing the same old, \nsame old that we have been doing for a long time. So this \nworkforce plan is really going to assess our as-is and set the \nstage for where we are going in the long run.\n    Ms. ADAMS. Right. Thank you.\n    With over 30 outstanding recommendations, as well as many \nplanned initiatives, how does SBA prioritize its IT improvement \nefforts?\n    Ms. ROAT. So for those things that were open from the IG, \nwe tackled the low-hanging fruit first, right? Those things we \ncould address very quickly that needed to be closed, that \nneeded to be addressed. 
We are also looking--it is very \nimportant from a security perspective--what were those findings \nfrom the IG that we needed to address? Have we taken care of \nthat over the last 10 months, and what are we going to do to \nclose out the rest of those? Because some of them, again, we \ncan resolve very quickly. Some of those are a little bit longer \nterm. So we are prioritizing all of those.\n    We understand that some of those are a little bit longer \nterm, but there are steps to be taken. You lay out a project \nplan. How are we going to get to 12 months from now for a \ncouple of those that are going to take a year? So here are the \nsteps. Here are the major milestones. And here is what we are \ngoing to do. It is not about, well, we are going to do it next \nSeptember. It is going to be what is the plan to get it done?\n    Ms. ADAMS. Okay. So the low-hanging fruit, you feel that \nyou have already accomplished that?\n    Ms. ROAT. We have addressed quite a few of those. Yes.\n    Ms. ADAMS. Great. Thank you very much. Mr. Chair, I yield \nback.\n    Chairman CHABOT. Thank you. The gentlelady yields back.\n    The gentleman from Iowa, Mr. Blum, who is the Chairman of \nthe Agriculture, Energy, and Trade Subcommittee, is recognized \nfor 5 minutes.\n    Mr. BLUM. Thank you, Mr. Chairman. And I would also like to \ncommend Representative Adams on her lovely hat today as normal. \nVery nice.\n    Thank you, Ms. Roat, for your service to our country and \nfor being here today.\n    I come from the private sector. I was CEO of a publicly \ntraded company, so I am very interested in management. Were you \naware--I am sure you were--when you interviewed for the job \nthat there were eight different CIOs in 12 years?\n    Ms. ROAT. I was very aware.\n    Mr. BLUM. Very aware. So I am sure, and you strike me as \nsomebody who is very intelligent, you probably asked, what was \nthe problem? That would be a logical question, would it not?\n    Ms. ROAT. 
Correct.\n    Mr. BLUM. And the reason I ask this is I know it is in the \npast, and I think you are going to change the future, but if we \ndo not know why it happened, then how do we know how to change \nit? What were you told when you asked that question?\n    Ms. ROAT. I think there was not a focus on the role of the \nCIO, what needed to be done, understanding, you know, \ntechnology is changing and that the CIO absolutely has to be \ntied to the business, understand the business of the \norganization. I think that was lost somewhere along the line. I \nthink the program offices just went and kind of did their own \nthing. You know, no fault of their own. They had to do \nsomething around technology.\n    When I asked the question, I think the IG report last year, \nas well as some of the GAO reports that came out, really honed \nin about a year ago that said, wow, we have got a problem. And \neven before, you know, when I was approached about the job, I \ndid my homework. I looked at the IG reports. I looked at the \nGAO reports. You do not walk into a job like this with blinders \non. And I did my homework.\n    And I did ask those questions, and it was really having a \nleadership perspective that really understood what it took to \nbe a CIO, how the CIO is tied to the business of an \norganization, that they are not just there to deploy laptops \nand those kind of things. They are there to be a true enabler \nof the business and really manage and have oversight and \ngovernance over the IT investments of the agency. So I asked a \nlot of those hard questions before I came on board.\n    Mr. BLUM. So do you think they made poor hires in the past \nor do you think there is or was a structural problem within the \nSBA that caused these people to subsequently leave shortly \nafter starting?\n    Ms. ROAT. I am not sure that I can answer the question on \nthe people that were in the role. I know some of them and they \nare very smart people. 
I think there may have been some \nleadership challenges structurally within SBA.\n    Mr. BLUM. Inherent in the SBA?\n    Ms. ROAT. Inherent in SBA. That is my opinion and I think \nlast year----\n    Mr. BLUM. Are some of those still there?\n    Ms. ROAT. I think that as of last year, with the prior \nadministration, and even the current administration, has been \nincredibly supportive of turning the agency around as far as \nthe role of the CIO. I have an incredible amount of support \nright now and the runway that I have been afforded over the \nlast 10 months to make things happen and affect change, I could \nnot have done that without leadership support.\n    Mr. BLUM. It is good to hear. It is good to hear. Because \noftentimes things are structural. They are embedded and they \nhave been there for a long time and change does not happen \nquickly in Washington, as you are well aware. And if those \nthings are still there, you can be a very bright person and do \nan excellent job and we are still going to have issues. So you \nneed to be looking for that within the organization that you \ncontrol, that is for sure. And in the private sector, sometimes \nyou need to clean house, correct?\n    Ms. ROAT. Correct.\n    Mr. BLUM. Speaking of the OIG, they criticized SBA\'s \norganizational structure for potentially undermining IT \ninvestment oversight and they talked specifically about chief \ndigital officer perhaps as duplicative with your role. Do you \nreport to the deputy COO?\n    Ms. ROAT. So I report to the chief operating officer. The \nposition of the chief digital services officer, or the chief \ndigital officer, does not exist anymore. That position was \nhired as a political appointee roughly a year and a half ago, \nand with the change of the administration, that person left. 
\nThe digital services team that was stood up about a year ago, \nthey work very closely with my office, and part of the work \nthat we have done earlier this year was to request a \nreorganization so that the digital service team reports \ndirectly into my office.\n    Mr. BLUM. Good to hear. So you report to the COO?\n    Ms. ROAT. That is correct. And then I have monthly meetings \nwith the administrator that are scheduled. Bi-weeklies with the \nchief of staff as well.\n    Mr. BLUM. Excellent. Good to hear.\n    Last question. The OIG once again last reported there were \n39 open recommendations related to IT security, some dating \nback to 2011. Are these recommendations still valid in your \nestimation? And are we giving them the priority that they \ndeserve and require?\n    Ms. ROAT. So some of those recommendations we have closed \nalready, in particular the oldest ones we closed a couple of \nmonths ago. So we have tackled a lot of those. It was a matter \nof documenting what we did. Some of the recommendations, when \nyou look back 3 or 4 years, they are really OBE because of \ntechnology changes, whether it is moving email to the cloud. So \nwe are addressing those specifically with the IG.\n    So we are actually tackling those, and we have closed more \nthan a half a dozen of those in the last couple of months, and \nwe have another half-dozen or so that we are scheduled to close \nthrough the end of this fiscal year, and we have a plan to work \non the rest of them as well.\n    Mr. BLUM. Very good. My time is expired, but welcome to the \nSBA administration, and I personally think you are going to do \nan absolutely splendid job.\n    Ms. ROAT. Thank you.\n    Mr. BLUM. I yield my time, Mr. Chairman.\n    Chairman CHABOT. Thank you very much. The gentleman\'s time \nis expired. And unless we are joined by any other members, the \nlast questioner today will be the gentleman from Florida, Mr. 
\nLawson, who is the Ranking Member of the Subcommittee on Health \nand Technology.\n    Mr. LAWSON. Thank you, Mr. Chairman. And thanks for giving \nme 10 minutes.\n    Mr. Chairman and Ranking Member Velazquez, I am honored \nthat you all would host this meeting today. And I want to thank \nyou for only 6 months on the job and the tremendous progress \nthat has been made with the SBA.\n    And one of the questions, I do not want it to be a \nduplicate, but I wanted to know about it. You might have \nalready answered it. With 6 months into the administration, \nwhat roadblocks and challenges have you seen so far that are \nblocking the OCIO from implementing some of the recommendations \nand changes from the OIG and the GAO reports?\n    Ms. ROAT. So a lot of the OIG recommendations were really \ntechnology focused as far as audit logs and access controls and \nall those kinds of things. So those are the ones that we are \ntackling right away, moving through those.\n    Some of the broader ones around investment management, \ngovernance, dealing with IT investments across all of SBA, \nthere is an Investment Review Board that I co-chair. So part of \naddressing some of GAO\'s concerns specifically was around, you \nknow, the CIO\'s role in managing those IT investments, the \noversight, having that governance authority. So I do co-chair \nthe Investment Review Board that looks at all the investments \nacross SBA, as well as working very closely with the CFO and \nthe COO on those things.\n    So I think the work around that we are doing with the \nInvestment Review Board, with the Architecture Review Board, \nwith the COO, with the CFO, is taking us a long way to \naddressing the concerns, particularly around the management of \nthe IT investments across SBA.\n    Mr. LAWSON. And are you satisfied with the recommendation \nconcerning cybersecurity that you all are implementing?\n    Ms. ROAT. The specific recommendations?\n    Mr. LAWSON. Right.\n    Ms. ROAT. 
So the ones that came out most recently, they \nwere very specifically technically focused. Some of the broader \nones were under management. I think we are making a lot of \nstrides and a lot of headway in that progress as far as from a \nmanagement perspective, getting our arms around all the \ncybersecurity. Security is layered throughout an organization \nand we are addressing it all the way through. So we are \nbuilding it in as we go.\n    Mr. LAWSON. Okay. A couple of months ago I was at a \nbusiness roundtable in Jacksonville, Florida, and some of the \nconcerns that were expressed there from some of the business \nleaders, or the small business people in there, is that they \ndid not feel like they really knew a lot of things that were \ngoing on in SBA. And I know that you have field operations all \nover the place. How do you go about communicating to those \nfield operations to let the businesses know that you are \navailable for them and that they can access a lot of the \ninformation and have access to capital and so forth?\n    Ms. ROAT. So I do work closely with the Office of Field \nOperations. They do have weekly calls with the field, so I do \nparticipate in those. And when there are questions that arise \nas far as what information could be available on the SBA \nwebsite, you know, we are acting on that. So the team is \nworking very closely with the field operations as well as \ncapital access to make sure that the information is available \non the website for one, and consolidating the information. I \nknow that the information historically has been very hard to \nfind on the website, so we have been working hard at \nconsolidating events to make that available.\n    I do participate in the weekly calls with the field \noperations, so as anything bubbles up. I also participate with \nthe Tech Coalition, which partners with industry as well. So \nhearing their concerns and making sure that we are responsive \nto them.\n    Mr. LAWSON. 
And since women-owned businesses are the \nfastest-growing small businesses in America, how are you all \ncatering more towards them to make sure that they feel \ncomfortable in accessing the information from you?\n    Ms. ROAT. So I think there is an event coming up in the \nnext few weeks, GCBD, with women entrepreneurs and women \nbusiness owners coming up. I think it is the end of the month, \nthe 26th or 27th. So there is a lot of outreach going out and \nvery targeted to those communities, whether it is small \nbusiness, the women-owned. So that event is one example of how \nSBA is targeting those groups.\n    Mr. LAWSON. And I would like for you to send my office some \ninformation on that because I would like to make sure that we \nfind out everything we possibly can because I am always \napproached by some of the women in business.\n    And with that, Mr. Chairman, I yield back.\n    Chairman CHABOT. Thank you very much. The gentleman yields \nback.\n    I would just conclude by saying, Ms. Roat, the office that \nyou now hold has obviously struggled in recent years and I \nwould say that based upon the testimony that you have given us \nand the answers to the questions that both sides have asked, I \nwould say that I am encouraged. I think a lot of other members \nare as well, that you will work to improve your office in order \nto better fulfill the requirements of the SBA and how they \nserve small businesses all across the country.\n    We would encourage you to keep the Committee updated on the \nprogress that you make. And if you run into any problems, \nplease let us know, either us or our staff, so that we can \nassist you in doing the best job that you can for those small \nbusinesses. 
So thank you very much for your testimony today.\n    I would ask unanimous consent that members have 5 \nlegislative days to submit statements and supporting materials \nfor the record.\n    Without objection, so ordered.\n    And if there is no further business to come before the \nCommittee, we are adjourned. Thank you.\n    [Whereupon, at 12:03 p.m., the Committee was adjourned.]\n                           \n                           A P P E N D I X\n\n\n                        STATEMENT OF MARIA ROAT\n\n\n                       CHIEF INFORMATION OFFICER\n\n\n                   U.S. SMALL BUSINESS ADMINISTRATION\n\n\n                               BEFORE THE\n\n\n                      COMMITTEE ON SMALL BUSINESS\n\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n\n                               HEARING ON\n\n\n HELP OR HINDRANCE? A REVIEW OF SBA\'S OFFICE OF THE CHIEF INFORMATION \n                                OFFICER\n\n\n                             JULY 12, 2017\n\n\n    Chairman Chabot, Ranking Member Velazquez, and Members of \nthe Committee, thank you for the opportunity to discuss how the \nSmall Business Administration (SBA) is improving its leadership \nroles in overseeing and addressing information technology (IT) \ninvestments and security risks. I would like to share with you \ntoday where SBA is in the process of rationalizing its IT \ninfrastructure, and stabilizing and modernizing to drive \nstandardization, consolidation, and integration across its IT \nportfolio.\n\n    In October 2016, the Office of the Inspector General issued \nits ``Report on the Most Serious Management and Performance \nChallenges in Fiscal Year 2017.\'\' The report\'s Challenge 2 \nfocused on the Office of the Chief Information Officer (OCIO) \nand the need to improve its leadership roles in overseeing and \naddressing IT and security risks. 
Since 2005, SBA has had 8 \nChief Information Officers and frequent turnover in key IT \npositions ``adversely affecting the ability for SBA to make \nlasting improvements in its IT investments and security in \nmultiple areas.\'\'\\1\\ I am here to tell you about how the Office \nof the Chief Information Officer is transforming to help the \nagency and support its mission of delivering services to small \nbusiness owners.\n---------------------------------------------------------------------------\n    \\1\\ https://www.sba.gov/sites/default/files/oig/FY_2017_-_Management_Challenges_-_10_14_16_7.pdf\n---------------------------------------------------------------------------\n\n    I on-boarded SBA on October 3, 2016 as the Chief \nInformation Officer, after having served as the Chief \nTechnology Officer at the US Department of Transportation for \nmore than two years. By mid-November, I completed an initial \nassessment of the overall operating environment and identified \nstabilization and modernization targets to reach by the end of \nthe fiscal year. It is necessary to pivot OCIO from a reactive, \nfire-fighting, technical support operation to a more proactive \nservices organization that is innovative and responsive to the \nbusiness and technology needs of SBA\'s mission. After I \narrived, the OCIO began moving aggressively to address its \nnetwork, systems, applications and overall operational \nchallenges, move its primary data center to the cloud, address \nsecurity deficiencies and decrease its personnel vacancy rate.\n\n    When I arrived, SBA\'s heating, ventilation, and air \nconditioning (HVAC) units in its data center were experiencing \nweekly incidents with temperatures rising to 120 degrees or \nmore causing frequent outages and system degradation. 
SBA\'s \ninventory of network, servers, software, and applications was \nincomplete, resulting in ineffective management of the entire \nnetwork. Program offices were operating in silos with some \nnetwork segments firewalled from OCIO visibility for monitoring \nand management. Further, operating systems were long past end-\nof-life, and others nearing end-of-life, introducing \nsignificant security risks into the environment.\n\n    SBA\'s network infrastructure was not adequately architected \nto support SBA\'s requirements. Specifically, one third of all \nnetwork circuits are overloaded, and the environment has aging \nvoice equipment, single points of failure, inconsistent end-\npoint management, and separate voice and data wide area \nnetworks (WANs). Gaps existed in the areas of configuration \nmanagement, and a lack of a mature enterprise architecture \ncapability has led to a fragmented technology stack with \ndeficiencies in standardization, and duplicative or overlapping \ntools deployed across SBA.\n\n    Strategies to Stabilize and Modernize\n\n    It is imperative to modernize SBA\'s infrastructure and \nbuild in security as a design principle to support a mobile \nworkforce. To address the WAN performance issues, immediate \nactions were taken to make configuration changes to move \ncertain traffic loads to off-hours. With its service provider, \nOCIO developed plans to migrate from a Time-Division Multiplex \n(TDM) to a converged, Ethernet IP based network that will \nresult in reduced network latency, improved application \nperformance, address security gaps, and introduce scalability \nand resiliency. In working with the service provider, I \nprovided direction that the effort must be cost-neutral--no \nadditional funding was available. Orders for 111 circuits were \nplaced and the first 20 circuits are on-line today.\n\n    Of primary importance was stabilizing the primary data \ncenter\'s environment. 
By December, the OCIO team conducted a \ndetailed data center inventory from the physical devices to the \napplications. The inventory was produced with about 85% \naccuracy, and provided sufficient initial data to identify what \ncould be shut down, upgraded, and/or moved to the cloud. The \nOCIO team made a determination to either upgrade systems or \nshut down unnecessary equipment in preparation for \ntransitioning to the cloud. By March, the team shut down 170 \nservers directly resulting in HVAC stabilization, and a \ntangible reduction in power usage. Upgrades to operating \nsystems and applications significantly reduced vulnerabilities \nand improved SBA\'s security posture. Because of my direction \nthat no new hardware would be purchased or placed in the data \ncenter, SBA is the first federal agency to deploy the \nContinuous Mitigation and Diagnostic system in a cloud \nenvironment, with Phase I starting in March.\n\n    SBA migrated e-mail to Microsoft O365 in May 2016 due to \nfailing on-premise e-mail servers; however, no other subsequent \nmigration actions were planned to take advantage of the O365 \nplatform\'s capabilities. As the data center stabilization tiger \nteams stood down, cloud tiger teams stood up to migrate the \ndata center to Microsoft\'s Azure cloud and O365. The teams \nfollow agile methodologies with daily stand-ups, releases and \nsprints, and all activities tracked in JIRA. The cloud \narchitecture design was completed in March, migration planning \nis nearing completion, migration staging begins in July, and \nactual migration starts in August. 
Migration to SharePoint \nOnline has been completed for those applications that could be \nmigrated, and assessment is underway for remaining SharePoint \napplications to either be upgraded or considered for \nreplatforming, consolidating or transitioning to commercial off \nthe shelf (COTS) or other software as service applications.\n\n    Prior end-user environments were deployed inconsistently \nacross SBA with no standard image, resulting in security \nvulnerabilities, inconsistencies, and multiple versions of \nsoftware installed on the desktops. Upgrades to Windows 10, \nOffice 2016 and OneDrive for the entire SBA enterprise are \nunderway. Deployment to pilot users was completed in May and \nOCIO-wide roll-out begins in July. SBA-wide upgrades will begin \nat the end of the fiscal year.\n\n    The Deputy CIO and I reviewed and evaluated all purchase \nrequisitions for reduction or elimination based on duplication, \noverlap, gaps, and need as the transition to O365 and the cloud \nis underway. Additionally, OCIO leadership reviewed all service \ncontracts and identified opportunities to eliminate duplicative \nservices and address gaps.\n\n    Pivoting from a functionally siloed organization to a \ncustomer-centric and service-optimized structure requires an \nunderstanding of the customer\'s requirements. Operational \ncredibility is key to IT taking on a more strategic role within \nthe enterprise. Improved support from the IT Service Desk \nincluding closing outstanding issues, implementing tiered \nsupport processes and receiving and incorporating customer \nfeedback is improving customer satisfaction. Further, the data \ncenter stabilization efforts significantly reduced incoming \ncalls to the Service Desk.\n\n    Improving SBA\'s IT Governance Structure\n\n    The Federal Information Technology Acquisition Reform Act \n(FITARA) provides the tools needed to transform how we manage \nIT. 
It is imperative that the CIO, Chief Human Capital Officer, \nChief Financial Officer and Senior Procurement Executive work \ncollaboratively to understand SBA\'s business needs and drive \ninformed decisions. Over the last year, SBA has initiated a \nreview of its IT portfolio and actively uses the agency\'s \nInvestment Review Board (IRB), co-chaired by the CIO and Chief \nFinancial Officer. The IRB has oversight responsibility for \nmajor programs and is working to institutionalize its ability \nto deliver successful programs and mature SBA\'s governance \ncapabilities and improve transparency.\n\n    Through a stronger governance model, the CIO has greater \nvisibility to improve planning, identify cost savings \nopportunities and to better understand current and planned IT \nresources to support program objectives. This includes \nleveraging Enterprise Architecture as the roadmap to improve, \nintegrate and streamline processes and systems, and requiring \nCIO approval for acquisition plans for all new IT contracts \nabove the simplified acquisition threshold to safeguard against \nthe procurement of duplicative and/or non-compatible \ntechnologies and services, and ensure alignment with SBA\'s \ntechnology standard and strategic direction. I conducted four \ndeep dives on major investments to review milestones, technology \ncapabilities, funding and risks: Capital Access Financial \nSystems; Disaster Credit Management Modernization; Small \nBusiness Innovation Research Program; and Certify.sba.gov. \nAdditionally, I conducted a TechStat on the Certify.sba.gov IT \ninvestment in June to examine program data with a focus on \ndelivered and planned functionality that will lead to concrete \nactions to improve overall program performance and reduce risk.\n\n    Leveraging IT to Support Mission Outcomes\n\n    SBA delivers loans, loan guarantees, contracts, counseling \nsessions and other forms of assistance to small businesses. 
The \nagency\'s primary public website (sba.gov) is visited by over 15 \nmillion people per year, but the agency has struggled with \nmeeting the needs of these current and prospective small \nbusiness owners. Information has been buried in confusing \nlanguage and layers of navigation, and has been hard to access \non mobile and tablet devices. Approximately 31% of SBA\'s web \nsite traffic comes from mobile devices and 5% from tablets, and \nmobile traffic grew by 2.5% last year. In 2016, a Digital \nService team was stood up and on-boarded a team of digital \nexperts to lead a modernization effort for sba.gov. The Digital \nService team moved sba.gov to a new Content Management System, \nestablished a modernization roadmap and is systematically \nchanging the site to greatly improve SBA\'s customer experience. \nThe agency\'s Leveraging Information and Networks to access \nCapital (LINC) capability will receive a major refresh and re-\nlaunch later this month to help connect small business \nborrowers with participating SBA lenders. As part of the \nmodernization effort, the tool will be renamed to Lender Match \nfor ease of communicating its purpose and value. Prospective \nborrowers complete a short online questionnaire, and the \nresponses are forwarded to participating lenders that operate \nwithin the small business\' county. If lenders are interested in \nthe referral, the lender and prospective borrower\'s contact \ninformation will be exchanged.\n\n    The OCIO is collaborating with the Office of \nEntrepreneurial Development to replace its legacy system, and \nthe Office of Investment and Innovation to upgrade the SBIC Web \ntechnology stack and to transition the systems monitoring and \nmanagement to OCIO. 
These outward facing systems that support \nmission objectives, such as partnering with Small Business \nDevelopment Centers and Veterans Business Outreach Centers, and \nfacilitating the flow of long-term capital to America\'s small \nbusinesses must be secure.\n\n    Developing SBA\'s IT Workforce\n\n    To be successful with cloud adoption, the OCIO must make \nfundamental changes to its organizational mission and roles. \nAll IT personnel across SBA and functional areas, including \nsecurity, infrastructure and operations, must maintain their \nrelevance as technology evolves and OCIO transitions to support \nDevelopment and Operations (DevOps), and a software-centric \norganization that incorporates hybrid cloud solutions. To keep \nup with rapid technology changes, typical organizational \nstructures and the IT workforce must evolve to operating within \nsmall, autonomous teams that cross-collaborate to work on fast-\nflowing ideas, opportunities and improvements. Further, a risk-\ntolerant environment that allows for the exploration of ideas \ncan accelerate the value delivered to the SBA.\n\n    The OCIO\'s vacancy rate was 30% in October 2016 and was \nreduced to 15% by February 2017. Ten employees were hired \nincluding a Deputy CIO, Chief Technology Officer, Director of \nOperations, Enterprise Data Manager, Section 508 Program \nManager, Branch Chiefs for Information Security Operations and \nCompliance, and other staff positions. SBA initiated a \nreorganization to realign the Digital Service team into the \nOCIO and merge it with the existing development team. OCIO will \nhire 10 additional staff to fill existing vacancies. OCIO is \nhiring not for the organization of today, but for the \norganization that can support future capabilities. 
For example, \nan Enterprise Data Manager was hired to create business value \nthrough data and analytics and rethink how information as an \nasset can take a more active and dynamic role in the activities \nof SBA.\n\n    As SBA continues its efforts to implement FITARA, the CIO \nand CHCO are committed to developing a holistic approach to \nbuild a strategic workforce plan for all SBA IT professionals. \nAttracting and developing IT staff is critically important to \nlong-term success as legacy systems are modernized and shifted \nto the cloud, and an enterprise approach to IT is implemented. \nSBA has approximately 170 IT specialists and digital service \nexperts, of which 70 are directly assigned to the OCIO. \nWorkforce planning requires significant improvement and SBA \nwill initiate strategic workforce planning by the end of the \nfiscal year. SBA has a strong mission draw for IT and \ncybersecurity professionals and we must partner with the CHCO \nto better market ourselves.\n\n    Challenges Remain and Opportunities Exist\n\n    Even with the progress outlined above, challenges related \nto the fiscal environment have put pressure on IT \norganizations. Internal and external customers and stakeholders \nexpect SBA to deploy services and technology on par with their \npersonal use and interaction with private sector firms. The \nneed for speed and agility in acquisition is vital to deliver \nproducts and services.\n\n    Develop the Right Organization and Workforce - SBA must \ndetermine needed competencies and develop and sustain a \nworkforce that can use, deliver and support not just the \ntechnologies of today, but those of the future. Recruiting the \nright people into the federal government with the right skills \nand the capacity to freely and quickly change and innovate is \ndifficult at best. 
The ability to leverage and integrate with \ntrusted private sector partners to supplement the federal IT \nworkforce is more critical than ever.\n\n    Build the flexibility to implement IT best practices - \nSBA\'s program office applications and systems were generally \ndeveloped in silos. Customer information, for example, is \nduplicated across systems and information sharing is limited. \nProgram offices are looking for modern, easy-to-use \napplications that can be quickly deployed, while OCIO \nconcurrently takes a strategic approach to standardizing on a \nlimited set of application suites to minimize integration \nissues, maximize security and reduce IT costs. Further, \nimplementing shared services will evolve over time, and \nconsolidating contracting of commodity IT requires flexible, \nagile acquisition practices and will result in increased value \nof the services to the business.\n\n    Increase Visibility into IT Planned Expenditures - Data \nconcerning planned and actual spending must be readily \navailable, and capable to drive SBA\'s ability to identify \nopportunities to improve leverage and operational cost. Further \nmaturity in this area will ensure that information is accurate \nand that evidence based decision making is properly integrated \nwith the governance process.\n\n    Mature Cybersecurity Capabilities - Cybersecurity is \ncritical in a modern information infrastructure that includes \ndata virtualization, separation of storage, compute, and cloud-\nbased data persistence. SBA must modernize to keep its IT \nsystems current and secure with a clear understanding of risks \nto availability and reliability.\n\n    Conclusion\n\n    Information technology is a key enabler of digital \ntransformation, and we are taking a multi-pronged approach that \nleverages current technologies while looking ahead to the \nfuture to proactively address the agency\'s needs. 
We are \nfocused on building a strong foundation that is robust, \nscalable, secure and responsive to changing business needs. \nTogether with SBA\'s program offices, we will build on this \nfoundation to create and deliver digital solutions that will \nnot only improve the public\'s experiences with SBA\'s services, \nbut will also improve our internal customer experience. Actions \nto consolidate and update support contracts will continue, and \nareas such as system development and program support will be \nstrengthened as OCIO transitions to a services-oriented \norganization. A robust enterprise governance that has \nleadership alignment will drive progress and ensure IT programs \nand projects are selected and managed to ensure SBA\'s needs are \nmet in an effective manner while minimizing unnecessary \nduplication. The CIO is a key stakeholder in driving horizontal \nand vertical collaboration to ensure that the right authority, \nwith the right information, at the right time makes the best \npossible decision to effectively deliver IT programs. Thank you \nfor the opportunity to speak with you today and I look forward \nto your questions.\n\n                                 [all]\n</pre></body></html>\n'