[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


 HELP OR HINDRANCE? A REVIEW OF SBA'S OFFICE OF THE CHIEF INFORMATION 
                                OFFICER

=======================================================================

                                 HEARING

                               BEFORE THE

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                             JULY 12, 2017

                               __________


            Small Business Committee Document Number 115-028
              Available via the GPO Website: www.fdsys.gov
              
                               __________


                    U.S. GOVERNMENT PUBLISHING OFFICE                    
26-248 PDF                  WASHINGTON : 2017                     
          
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
              
              
            
              
              
              
                   HOUSE COMMITTEE ON SMALL BUSINESS

                      STEVE CHABOT, Ohio, Chairman
                            STEVE KING, Iowa
                      BLAINE LUETKEMEYER, Missouri
                          DAVE BRAT, Virginia
             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
                        STEVE KNIGHT, California
                        TRENT KELLY, Mississippi
                             ROD BLUM, Iowa
                         JAMES COMER, Kentucky
                 JENNIFFER GONZALEZ-COLON, Puerto Rico
                          DON BACON, Nebraska
                    BRIAN FITZPATRICK, Pennsylvania
                         ROGER MARSHALL, Kansas
                      RALPH NORMAN, South Carolina
               NYDIA VELAZQUEZ, New York, Ranking Member
                       DWIGHT EVANS, Pennsylvania
                       STEPHANIE MURPHY, Florida
                        AL LAWSON, JR., Florida
                         YVETTE CLARK, New York
                          JUDY CHU, California
                       ALMA ADAMS, North Carolina
                      ADRIANO ESPAILLAT, New York
                        BRAD SCHNEIDER, Illinois
                                 VACANT

               Kevin Fitzpatrick, Majority Staff Director
      Jan Oliver, Majority Deputy Staff Director and Chief Counsel
                     Adam Minehardt, Staff Director
                            
                            
                            C O N T E N T S

                           OPENING STATEMENTS

Hon. Steve Chabot
Hon. Nydia Velazquez

                                WITNESS

Ms. Maria Roat, Chief Information Officer, United States Small 
  Business Administration, Washington, DC

                                APPENDIX

Prepared Statement:
    Ms. Maria Roat, Chief Information Officer, United States 
      Small Business Administration, Washington, DC
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    None.

 
 HELP OR HINDRANCE? A REVIEW OF SBA'S OFFICE OF THE CHIEF INFORMATION 
                                OFFICER

                              ----------                              


                        WEDNESDAY, JULY 12, 2017

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 11:00 a.m., in Room 
2360, Rayburn House Office Building. Hon. Steve Chabot 
[chairman of the Committee] presiding.
    Present: Representatives Chabot, Luetkemeyer, Brat, Knight, 
Kelly, Blum, Bacon, Fitzpatrick, Norman, Velazquez, Evans, 
Murphy, Lawson, Adams, Espaillat, and Schneider.
    Chairman CHABOT. Good morning. The Committee will come to 
order.
    Before we get started, I wanted to take this opportunity to 
welcome our newest member here, Congressman Ralph Norman, who 
was sworn in a little over 2 weeks ago. He joins us from the 
beautiful State of South Carolina, and I know because my wife 
and I were just there a couple of days ago as a matter of fact, 
and it is a beautiful great state. My mom is from North 
Carolina. As a real estate developer, Congressman Norman brings 
real world experience, I think, to this Committee, knows an 
awful lot about small business, and we are looking forward to 
having him be a great contributing member of the Committee. So 
I think both sides would like to welcome you.
    Mr. NORMAN. Thank you so much.
    Chairman CHABOT. Thank you.
    We also welcome everyone else for being here today. The 
Committee is here today to examine the Small Business 
Administration's Office of the Chief Information Officer. This 
office is tasked with managing and overseeing the agency's IT 
investments and IT security. That is a big job and it is an 
important job. The Office of the Chief Information Officer must 
protect taxpayer dollars and small businesses' information 
while helping the agency run more efficiently and more 
effectively.
    Unfortunately, the Office of the Chief Information Officer 
has struggled over the past several years. It has experienced 
very high turnover at that position, in particular, the Chief 
Information Officer position. The SBA is on its eighth CIO 
since 2005. Let me repeat that, the eighth CIO since 2005. I 
was reminded by some of the local Redskins fans that that is 
about how many quarterbacks they have had over that same period 
of time. Of course, I am a Bengals fan, so I really do not 
care.
    But on the serious side, a high turnover rate, especially 
at the Chief Information Officer position, undermines the 
Office's ability to not just make improvements, but to even 
meet its basic obligations: its obligation to deliver effective 
IT products and initiatives, its obligation to ensure strong IT 
security, its obligation to manage IT spending, its obligation 
to reduce security risks, and on and on. In its annual 
Management Challenges report, the SBA Office of Inspector 
General listed the lack of IT leadership as one of SBA's top 
challenges for fiscal year 2017. The message from the OIG is 
that SBA cannot even begin to address its many IT weaknesses 
without strong and effective leadership, and that requires, in 
part, stability and continuity within the Office of the Chief 
Information Officer.
    Notably, this report was released just as Chief Information 
Officer Maria Roat, our witness here today, was starting at 
SBA. Prior to her arrival, her post had been vacant for over a 
year. The Committee welcomed her arrival then and continues to 
be hopeful about the positive change Ms. Roat is trying to 
bring about. From what the Committee has seen and heard so far, 
Ms. Roat is trying to strengthen the leadership and voice of 
her office, but this hearing will give us the opportunity to 
better understand what improvements she has made and what 
improvements she is still planning to make. As we know, there 
is plenty of room for improvement.
    I impress upon Ms. Roat the responsibility of both her and 
her office. It is important that she and her office be fully 
engaged in SBA's IT investment portfolio, overseeing the many 
ongoing IT projects and all the while guard against security 
breaches. SBA must do so to ensure that the office is running 
well and supporting the agency's operations and small 
businesses, as well as protecting taxpayer dollars.
    I want to thank Ms. Roat for being here today. We look 
forward to your testimony and obviously asking you some 
questions.
    And I would now like to yield to the Ranking Member, Ms. 
Velazquez, for her opening statement.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Of the committee's many responsibilities, one of our most 
critical is overseeing and examining the Small Business 
Administration. As the only federal agency charged specifically 
with helping small businesses grow and succeed, all of the 
SBA's functions should strengthen and preserve the 
entrepreneurial foundation of our economy. For small businesses 
to fully reap the benefits of SBA's programs, it is important 
for the agency to operate efficiently and effectively. In 
particular, the Office of the Chief Information Officer plays a 
critical role in promoting information technology to support 
and enhance business decisions and agency operations.
    Despite its critical role, historically, SBA--this is under 
Republican administration and Democratic administration--SBA 
has neglected to prioritize this office. This is evidenced by 
high turnover and an absence of a CIO for over a year. Such 
disregard not only wastes taxpayers' dollars, it weakens IT 
security, putting the government and small firms at risk.
    Cybersecurity vulnerabilities are always of tremendous 
concern, but are especially grave in light of events last year. 
Our intelligence community has concluded that Russia used 
cyberattacks in an attempt to influence last year's 
presidential and congressional elections. We can expect that 
Russia's intelligence services and other bad actors will 
continue seeking weaknesses in our IT security system for 
political gain and personal profit.
    As stories unfold now almost daily about Russia's digital 
meddling in our democratic process, we should expect every 
federal agency to make cybersecurity a top priority, so it is 
disconcerting that the OCIO has had such severe problems for so 
long. There have been numerous GAO and IG reviews of SBA's IT 
operations highlighting these deficiencies. In its 2015 review, 
GAO found that SBA had not prioritized long-term IT 
organizational transformation and had not conducted regular 
reviews of its IT investment to ensure they continue meeting 
agency needs.
    Additionally, the IG found that overseeing and addressing 
IT investment and security risks was one of the agency's most 
serious management challenges for this fiscal year. The reports 
indicate that some progress has been made in implementing 
recommendations from these evaluations. Over 30 remain 
outstanding. This is unacceptable.
    It has been noted Ms. Roat recently took the reins as CIO, 
and it is my hope that she will make oversight of the OCIO a 
priority. I look forward to working together to ensure SBA 
deploys adequate steps to strengthen IT security and management 
of the OCIO. Effective management of the agency's IT system 
helps ensure small businesses receive the assistance they need 
to grow and create jobs. Equally important, bolstering the 
agency's cybersecurity will ensure government and small 
businesses' sensitive data is safeguarded from those who have 
already conducted cyberattacks on our Nation and others who may 
have similar plans.
    I look forward to the witness' testimony on how these 
challenges are being tackled.
    Thank you, and I welcome you.
    Chairman CHABOT. Thank you very much. The gentlelady yields 
back.
    If Committee members have opening statements prepared, I 
would ask that they be submitted for the record.
    Now I will briefly explain our timing rules. Since we only 
have one witness it is pretty easy. We operate under the 5-
minute rule, and the lighting system will help you. The green 
light will be on for 4 minutes. The yellow light will come on 
to let you know you have a minute to wrap up. And then the red 
light, if you could wrap up, you know, at or near that time, we 
would greatly appreciate it.
    Now, we would like to introduce our witness here this 
morning. Our witness is Maria Roat. Ms. Roat is Chief 
Information Officer for the Small Business Administration, as 
we have mentioned a number of times already this morning. She 
has been in this post only since October of last year. Prior to 
accepting this position, Ms. Roat was the Chief Technology 
Officer at the Department of Transportation. Ms. Roat also 
served for 10 years at the Department of Homeland Security, and 
worked in the private sector gaining relevant information 
technology experience there. Lastly, and very impressively, Ms. 
Roat accumulated 26 years of active duty and reserve service 
before retiring from the United States Navy in 2007, and we 
appreciate your service to our country. We thank you again for 
your service. We welcome you here this morning. And you are 
recognized for 5 minutes.

  STATEMENT OF MARIA ROAT, CHIEF INFORMATION OFFICER, UNITED 
              STATES SMALL BUSINESS ADMINISTRATION

    Ms. ROAT. Thank you. Good morning, Chairman Chabot, Ranking 
Member Velazquez, and members of the Committee. Thank you for 
the opportunity to discuss the technology transformation 
underway at the Small Business Administration.
    I on-boarded as the CIO in October last year and began with 
a frank and honest conversation about the state of IT at the 
agency. Even before I arrived, it was clear that transformation 
was overdue. In November, we embarked on a fast-paced journey 
to change how the SBA builds, buys, and manages information 
technology to support small businesses and entrepreneurs. I was 
laser-focused about our targets through the end of 2017: 
stabilize and modernize. For the first 4 months, the CIO team 
inventoried, upgraded, and patched operating systems, software, 
and applications, and shut down approximately 170 servers in 
our primary data center. We launched an infrastructure 
modernization to lay the foundation for future capabilities. I 
eliminated duplicative software and cut unnecessary 
expenditures. I am leveraging our small business contractors to 
bring in solution architects and senior engineering expertise. 
We developed a cloud architecture model and are in the staging 
process to move our systems to the cloud.
    All of these activities will enable us to take an 
enterprise approach to business solutions and launch 
initiatives like virtual counseling that would help improve 
citizen-user experience with the SBA. We are standardizing and 
increasing our users' capability with an enterprise deployment 
of Windows 10, Office 2016, and OneDrive later this summer. We 
turned on cloud-based collaboration tools internally and are 
piloting the capability externally with the Tech Coalition.
    We are collaborating with our stakeholders to introduce 
business intelligence capabilities and modernize enterprise 
reporting. We must be able to quickly generate and share 
interactive reports to visualize and analyze our data to better 
understand results and target SBA services to small businesses.
    We are aggressively modernizing, pushing the envelope, and 
testing new capabilities, and security remains paramount. We are 
introducing advanced threat protection capabilities, 
encryption, and data loss prevention. We are approaching 
security by design, building it in, not bolting it on. While 
much of this work is behind the scenes, there are several 
public-facing activities underway. We are actively modernizing 
SBA's website to make information readily available and making 
it responsive to mobile devices. We are modernizing 
incrementally. Lender match is launching shortly and 
improvements in functionality with access points for 
counseling, events, and resources are launching later this 
year. The certify program continues to also incrementally 
deliver capabilities. The HUBZone Map launched last month and 
tools such as "Am I Eligible" help small businesses determine 
if the certification programs are a good fit for their 
businesses.
    Transparency is critical, and I hold monthly IT forums. We 
recently held the first CIO open house to provide a sneak peek 
at the tools and technologies that will be deployed in a few 
months. We also reimagined and modernized OCIO's internet site 
to share information and resources.
    Opportunities remain abundant. We must continue to attract, 
hire, and retain the right talent and develop the entire SBA IT 
workforce as we transition to an organization capable of 
supporting modern technology stacks, cloud-based platforms, and 
being an enabling partner to SBA's program offices. Over the 
next 12 to 18 months, IT management capabilities will continue 
to mature as we enhance governance and transparency and improve 
risk management of IT investments.
    To overcome the inherent inertia of the status quo, we are 
making a radical and difficult, but deeply considered and well-
planned turn, moving to an environment where the CIO is a 
partner to and enabler of the business of SBA. We have an 
opportunity to get this right. We are aggressively hiring the 
right team, modernizing our business and technology 
capabilities. We are introducing innovation, not just to 
support the SBA of today, but the SBA of the future.
    Thank you for the opportunity to speak with you today, and 
I look forward to your questions.
    Chairman CHABOT. Thank you very much. I will now recognize 
myself for 5 minutes to begin the questioning.
    According to the Inspector General's risk management report 
for 2017, the SBA had 39 open recommendations related to IT 
security, some dated back to fiscal year 2011. Do you know 
generally the status of those open investigations--excuse me, 
recommendations, and how many of them still remain? And what 
are you and your folks doing to ensure that the office meets 
its obligations under the Federal Information Security 
Modernization Act, FISMA?
    Ms. ROAT. Yeah, we did have quite a few that were old ones. 
I will say that we did close a couple of those old ones that 
were there. Over the last few months we have closed more than a 
half a dozen, and then we actually have a schedule of another 
half-dozen or so that will be closed through the end of this 
year. There are some that are low-hanging fruit that have been 
open for quite some time and so we are tackling those first, 
and there are some that are a little bit longer-term that we 
have scheduled to close through the end of this calendar year 
and into next year. So we acknowledge that there are more than 
40 that were open, closer to 50 with the new report that came 
out, and we are working through those now. It is a priority.
    Chairman CHABOT. Is there anything you could give us, an 
example of, you know, why something would be still open? Why it 
is particularly tough that you have to deal with?
    Ms. ROAT. For some of the older ones it was a matter of 
just taking action and documenting. Some of the things were 
already done, but it is a matter of coordinating with the IG's 
office. Nobody took the next step to say we did this and showed 
the evidence to say that this was done. In some cases that was 
all that was needed to be done. You have to prove it to the IG. 
You have to provide that evidence. And in some of those 
instances where we have been able to close them quickly, we 
have provided that evidence and said we have done the work.
    Chairman CHABOT. Thank you.
    Currently, what are the biggest challenges that your office 
is facing, and how are you working to overcome those 
challenges?
    Ms. ROAT. Walking in the door, the biggest challenge was 
really stabilizing the IT environment, just what we had. I also 
had a challenge around vacancies that I had coming in to make 
sure we filled the billets, get people on board, and getting 
our arms around the work the contractors were doing. But by 
far, the biggest thing was the workforce; getting the right 
people in and stabilizing the environment. And then modernizing 
it, which is the work we are doing right now. So this first 12 
months is critical to really setting the stage to move forward 
for the long term.
    Chairman CHABOT. Thank you.
    Do you believe that the SBA's enterprise IT architecture 
needs to be improved? What specifically, and how do you intend 
to go about improving it?
    Ms. ROAT. So the infrastructure overall, when you look at 
it from the network perspective, we have 120 circuits across 
all of SBA. More than a third of those were overloaded by the 
amount of data and traffic. They were just overloaded. We are 
modernizing the entire infrastructure to begin with to all of 
our field offices, and moving from a multitude of T1s and T3s 
to a pure Ethernet backbone, which is going to give us a lot 
more capability in the long run to roll out capabilities--
whether it is Skype or virtual counseling--or doing more things 
online where we are currently much more paper-based. So we are 
setting the capability for that. Moving to the cloud is also a 
big piece of that from an enterprise perspective, putting those 
services in place. Ultimately, this office needs to transition 
from being just an office that does computers to a service 
organization; so that as program offices want to grow their 
business, as they want to add more capabilities, we are there 
to be able to support that.
    Chairman CHABOT. Obviously, there has been a considerable 
high turnover rate, and I think that has had a pretty 
significant impact on the office. Could you comment on that? If 
you want to talk about the Redskins quarterback, we can do 
that, too, but we will stick with your office, I guess, at this 
time.
    Ms. ROAT. You know, I am fully aware of the turnover and 
the transition that has happened over the last 10 to 12 years. 
The CIOs and Acting CIOs with no deputy, that has really hurt 
the organization overall. And part of what I have done is put 
the leadership team in place so that we do not have those gaps. 
But it has hurt the organization having that turnover, the 
transition, not having that line of sight over the next couple 
of years, where the business of SBA needs to go rather than 
having stovepipes and silos. It has hurt the organization.
    Chairman CHABOT. Thank you. Well, we welcome you again 
aboard and we are expecting great things. And anything you need 
from the Committee, please let us know, or our staff, because 
we will definitely work with you to make improvements. And I am 
pleased to see that you have a positive attitude. I am not 
surprised after spending the time you did in such a tremendous 
organization as the U.S. Navy, and again, thank you for your 
service there.
    I will now yield back my time and recognize the Ranking 
Member for 5 minutes.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman. And welcome, Ms. 
Roat.
    We want to ensure that access to resources for small 
businesses of all demographic groups is important and recognize 
that SBA.gov serves as the primary source of such information. 
In the prior administration, there was a page on the site for 
LGBT small businesses outreach, and now it appears to no longer 
be available due to page updates. This information has been 
down since at least last January, and I would like to know when 
you plan to have this page back up and running?
    Ms. ROAT. So we have been doing a lot of work on 
modernizing SBA.gov. There were a number of pages that are not 
available, like you indicated. Some are coming back up online. 
I know Tech Coalition was one of those that was taken down, as 
well as some of the others. The Tech Coalition is back up 
online. So as we are working through with the front office and 
with the program offices, we are evaluating all of those pages 
and bringing them online.
    Ms. VELAZQUEZ. Okay. Recent government security breaches, 
such as the OPM breach and the Russian election hacking, have 
heightened the importance of continuously monitoring against 
outside threats. But in an annual evaluation of the SBA system 
and networks, the IG has found significant enterprise-wide 
vulnerabilities. How has the SBA responded to the threat of 
such risk?
    Ms. ROAT. I would say there are several things that we have 
done. One I mentioned earlier was the patching, the 
configuration management, and the inventory; understanding what 
we own and what we have, as well as modernizing all of those, 
getting them to current levels for operating systems and those 
kind of things. So those specifically have taken us a long way 
to address security. In addition, we are in phase one of 
deploying the DHS CDM, the Continuous Monitoring Diagnostic and 
Mitigation System, so we are deploying that right now. So that 
will give us future capabilities as well for monitoring. We do 
have a security operation center and a network operation center 
that are now working very closely together.
    Ms. VELAZQUEZ. So it is imperative that the tools SBA 
offers to facilitate access to capital operate at their optimum 
capacity, and I heard you mention that the rebranding of the 
lender match will be launched soon. How soon?
    Ms. ROAT. Tomorrow. We did the demo for the administrator 
yesterday.
    Ms. VELAZQUEZ. Very good. Ms. Roat, Kaspersky is a Moscow-
based firm and one of the biggest cybersecurity firms in the 
world. According to reports, its software has been procured by 
some federal agencies. This is very concerning in light of the 
threat Russia poses to our government and U.S. customers. Does 
SBA use this software? And are you coordinating with other 
agencies to mitigate cyber threats?
    Ms. ROAT. So we have been coordinating with DHS, as have 
the other Federal agencies, and we do not have any Kaspersky 
software installed in our environment.
    Ms. VELAZQUEZ. Very good. Last year, SBA established the 
Office of Digital Services to improve systems and capabilities. 
Can you please elaborate on the work this office performs and 
how the SBA determines the impact it has had?
    Ms. ROAT. So the Office of Digital Services was stood up a 
little over a year ago, almost a year and a half ago. They have 
taken on SBA.gov, the redesign and the rebuild of that. They 
have done a lot of work introducing agile methodology, new and 
modern tools, and technologies. They have also--where we had 
multiple GitHub sites across SBA, whether they were contractor 
managed--consolidated all of that work. So the Office of 
Digital Services has brought a lot of benefit to SBA as far as 
modernizing and bringing in additional capabilities.
    Ms. VELAZQUEZ. Very good. And given the fact that there is 
a history of a lot of turnover and eight CIOs since 2005, I 
would like to know what succession planning SBA engages in to 
ensure continuity in IT operations?
    Ms. ROAT. Well, for the first time, right now we have a CIO 
and a Deputy together, and I also, in January, hired a CTO as 
well. So when you look at succession planning, we go three deep 
right now.
    Ms. VELAZQUEZ. What would be key elements of that 
succession planning?
    Ms. ROAT. Being engaged and being a part of the entire 
modernization and moving forward in planning. The CTO right now 
is incredibly engaged with the business offices as we are 
taking the enterprise approach to SBA, so we work together as a 
team, the three of us as we lay the strategy moving forward for 
SBA.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman. I yield back.
    Chairman CHABOT. Thank you. The gentlelady yields back.
    The gentleman from California, Mr. Knight, who is the--
excuse me. Or is Mr. Kelly here? Mr. Knight, I apologize. Mr. 
Knight, who is Chairman of the Subcommittee on Contracting and 
Workforce, is recognized for 5 minutes. Thank you.
    Mr. KNIGHT. Thank you, Mr. Chairman. Mr. Kelly and I look 
alike so----
    Chairman CHABOT. You talk alike, too.
    Mr. KNIGHT. We do talk alike.
    I have some just basic questions. I appreciate your service 
in the military and information to the military is very 
important, but the control of that information is just as 
important. So I understand that your background will help with 
that. But my questions are very kind of simple. A lot of these 
questions have gone over the turnover of how many CIOs we have 
had over the last 5, 6, 7, 8 years, and how we continue the 
continuity moving forward. So can you give me an idea of--and I 
have heard, you know, in your statement of all of the things 
that are coming, all the things that have been in place, and 
the perfect answer to say that tomorrow is a great day, but how 
do we keep the continuity moving forward with your leadership?
    Ms. ROAT. That is really, really critical because walking 
in and walking into such a big vacancy within the Office of the 
CIO, it is imperative that I build the team that understands 
the modernization, the stabilization, where we are going as an 
agency. It is so important for the CIO, the Deputy, the CTO, 
and the team to be tied and understand the mission of SBA, why 
do we do what we do? And that is important to succession 
planning because it is not just about the technology. It is 
about the business of SBA. And until you have the Deputy in 
place, until you have a CTO and the rest of the leadership team 
that truly understands what that business is, then all we are 
going to be doing is deploying computers.
    We have to look at it from an enterprise-wide perspective 
across SBA and you have to have the team that is committed to 
that. And they are going to be part of the mission. They are 
not just there to deploy desktops or laptops.
    Mr. KNIGHT. And one of your answers was we are engineering 
this in instead of trying to replace and build on some of these 
types of things. Have you reached out to some of the business 
world and talked to them about what they do on a continuing 
basis? And not just smaller businesses that have to do with 
kind of some of these things that might be restrictive on how 
much money they can spend, but maybe some of the larger 
businesses that do this on a kind of day-to-day basis because 
they can and because they have to control their information?
    Ms. ROAT. Yeah, it is incredibly important to work with our 
partners, both the ones we have contracts with as well as 
understanding where technology is going in the long run. 
Security, building it in by design is really, really important 
because you cannot have a hard outer shell and a soft squishy 
inside. You have to build it in. So with our deployments, with 
the work we are doing now with partnering with Microsoft as we 
are moving to the cloud, working with other businesses and 
organizations, building that security in as we are doing the 
system development. Even our public-facing website, upgrading 
that, and working with other businesses is incredibly 
important; and working with small businesses as well that have 
that expertise, bringing them in.
    So I am actively engaged with the business community and 
the technology world. I meet with them regularly, whether it is 
events or meetings or with ACT-IAC and other organizations that 
are out there.
    Mr. KNIGHT. Well, I appreciate your first 10 months. I look 
forward to you staying in office, and I yield back, Mr. Chair.
    Chairman CHABOT. Thank you. The gentleman yields back.
    The gentleman from Pennsylvania, Mr. Evans, who is the 
Ranking Member of the Subcommittee on Economic Growth, Tax, and 
Capital Access, is recognized for 5 minutes.
    Mr. EVANS. Thank you, Mr. Chairman.
    A growing number of workers are teleworking, which saves 
commuting time and creates efficiencies. What percentage of SBA 
employees teleworked considering the past problems? Does this 
create any special problems for your oversight and operation of 
the SBA IT infrastructure?
    Ms. ROAT. So we have to make sure the environment is 
available and it is up and it is running for those workers who 
are teleworking. We just recently completed the deployment of 
another 1,200 laptops so that people can telework, so that they 
can work from home, because there are long commutes in many 
areas across the country. So putting the infrastructure in 
place is really important to enable the telework and having 
that mobile workforce. So a lot of the work we have done to 
date is stabilizing the current infrastructure that was there 
when I arrived, as well as adding capability and pushing out 
laptops and making sure that people can take their laptops home 
and telework because we do have a good number of our workforce 
that does telework.
    Mr. EVANS. From your testimony, it sounds like you have 
made some headway in testing systems and refining 
methodologies. Do you feel that you have adequate staffing in 
your office to continue to correct the deficiencies in the SBA 
IT infrastructure and continue to support the system's daily 
operation?
    Ms. ROAT. So between the Federal workforce being able to 
hire--coming in with--a fair number of vacancies--the right 
people that have that vision to be able to look forward, as 
well as leveraging our contractors saying this is the direction 
we are going and this is the direction we are headed, that is 
how we have been able to make headway in what we are doing. I 
could not do it without the team that we have today that we 
have built. They have been incredible. We have been very, as I 
said earlier, very laser-focused on what we are doing and where 
we are going, and have been very direct about where we are 
going on our strategic direction, especially these first 12 
months which are critical. So not only is it the Federal 
workforce, it is also the contractor staff that is on board as 
well.
    Mr. EVANS. I know this is very early and you have only been 
there for 10 months--and again, like the chairman, I want to 
thank you for the service that you have provided to the 
country, 10 months--and you had to kind of evaluate the 
situation, how would you evaluate it at this point?
    Ms. ROAT. I would say that by January we made just a huge 
amount of progress stabilizing the environment. We are now not 
just making incremental improvements. We are taking big steps 
to modernize right now. So the rollout we are doing, moving to 
the cloud, getting ready to shut down our data center, those 
are big steps.
    Over the last 3 months, we have already done our cloud 
architecture. We have done the migration planning. And we are 
doing the migration staging right now. We are getting ready by 
the end of the summer to migrate and get out of our failing 
data center that we currently have. So we are moving very fast 
and very hard.
    Mr. EVANS. Thank you for your service. I yield back the 
balance of my time. Thank you, Mr. Chairman.
    Chairman CHABOT. Thank you. The gentleman yields back. The 
gentleman from Mississippi, Mr. Kelly, who is Chairman of the 
Subcommittee on Investigations, Oversight, and Regulations, is 
recognized for 5 minutes.
    Mr. KELLY. Thank you, Mr. Chairman. You say Mr. Knight and 
I talk alike, have the same accent.
    Ms. Roat, in your testimony, you state that over 15 million 
people per year visit the SBA.gov. Obviously, in light of the 
growing number of security breaches at the Federal Government, 
IT security is becoming increasingly important. And I also 
appreciate your service in the United States Navy.
    And I think one of the things that our military services do 
pretty well is on cybersecurity. Although we have got to get 
better, I think it is one of the things that we probably 
sometimes are a little further ahead because I think, number 
one, we understand who the threats are. It is not just Russia. 
It is Russia, China, Korea, countries in South America. There 
is a litany of people who are trying to hack our systems and to 
get in there to gain value for whatever organization, whether 
it be a terrorist organization or a foreign country, you have 
been exposed to all that.
    That being said, as well as protecting our nets, we also 
have to have access to the right people to the net. And as a 
traditional guardsman, I find that many times our IT people 
deny the people who need access under the guise of security. So 
even though I may be a brigade commander and a colonel, I 
cannot access information because I do not have the right 
permissions and those kind of things.
    So I would like for you to talk a little bit about 
cybersecurity and what we are doing to reduce the risk of a 
security breach while also ensuring that we have access to the 
right person, whether that be permissions or whether that being 
separating nets that certain information you get on one net and 
others. What things are you doing there, Ms. Roat?
    Ms. ROAT. So there are a number of things. One, as you 
indicated, access permissions. We have done a sweep of who has 
administrator access across all of SBA to our systems and we 
have said, who has access? Who has a need to have access? So 
that is from an administrative perspective. So we have 
tightened down on that to make sure that only those that need 
it have it. That goes to access, access permissions for users. 
Do they have access to what they need to do to do their job? 
That is really important.
    There are also users at SBA who have been there for 30 and 
40 years that as they have moved jobs and changed jobs, they 
have carried their permissions along with them. They do not 
need access to what they needed to 10 years ago for their job 
today, so we also have to get our arms around what those 
permissions are.
    So as you said, you might not have access which you need 
to. You need that access to what you have to, right, to get 
your job done. You may not need access to somebody else's data, 
so we have to understand what that is. We need to understand 
your work environment, what systems you access, so that goes to 
the user experience. What do you need to do to do your job? So 
that is part of what we are doing, getting our arms around 
that. And that is so tied to security and making sure that the 
right people have the right access to the right data to do 
their jobs.
    In addition, we have been out there doing training for 
users so that when an email comes in, whether it is a malware, 
do not click on that; doing testing and those kind of things 
and that is so important that people understand spam and 
malware. If you see something that just does not look right, 
raise the question. Just ask somebody. So user training, not 
only is it from a technical perspective, but there is also the 
other side of it from the user side.
    Mr. KELLY. And then kind of as a follow-up, I agree with 
you, 10 months on the job, I think you are the right person. 
Okay, let us start with that. But I think it is also just as 
important that you get the right people around you that you 
choose who carry out not only your strategic vision and help 
you develop that strategic vision, but also help you execute it 
once it is figured out.
    How far are you along in making sure that if we do have a 
breach, number one, that you identify it, whether that be 
someone who does not have a permission is on a system that they 
should not be on? And number two, once you identify there is a 
breach, what steps have you put in place to mitigate those 
risks to the system then?
    Ms. ROAT. So there is a number of things that we have done. 
So one is our incident response procedure. So we went through 
those in January and February this year, updated all of our 
incident response procedures. So we have got a network and 
security operations center. If there is an indicator of 
something, they know what to do--all the steps are laid out. We 
updated all of those. We did a sweep of all of those.
    We actually used that document when WannaCry came out back 
in March. We walked through that to make sure that we were 
doing all the steps we needed to as we assessed our environment 
and did that. So putting the processes, the procedures in 
place, having the security operation center, as well as the 
network operation center, all of those things tie into being 
able to respond.
    And it is really important knowing what is on your network, 
understanding how your network operates normally. If you see a 
spike in something and you go, oh, that is not right, is that 
data exfiltration or is that somebody just doing an upload or a 
download or moving data somewhere? You have to understand your 
network environment and that is the environment we are getting 
to.
    So in the meantime, as we move to that and as we are being 
more aware of our network, we have the incident response 
procedures in our network and security operations center, 
tightening up the tools they use and the processes they are 
using.
    Mr. KELLY. Mr. Chairman, my time is expired. Thank you.
    Chairman CHABOT. Thank you very much. The gentleman's time 
has expired.
    The gentlelady from Florida, Ms. Murphy, who is the Ranking 
Member of the Subcommittee on Contracting and Workforce, is 
recognized for 5 minutes.
    Ms. MURPHY. Thank you so much for being here and for your 
service.
    I wanted to talk a little bit about the IT capabilities in 
the Federal Government. I come from the private sector and have 
some experiences as I have used some of the Federal 
Government's technology systems and have personally seen a 
significant difference. How do you respond to some of the 
concerns that the Federal Government lags in its IT 
capabilities as compared to what is available in the private 
sector?
    Ms. ROAT. Across the Federal Government?
    Ms. MURPHY. Well, specifically SBA.
    Ms. ROAT. For SBA, we are making very big steps to catch 
up. We have got a decade of turnover and transition to catch up 
on and we are doing that very fast. I am probably very 
forward-leaning when it comes to technology. I am the co-chair for the 
Federal CIO Council Innovation Committee, working with the CTOs 
across the Federal Government. I have always been 
forward-leaning as far as technology. Even with the team today I said, 
turn it on, try it. Let us test it within my office. Why not? 
And that is what they have heard me say time and time again, 
test it.
    Security is paramount, but why can we not turn on a 
capability? What is stopping us? Can we test advanced threat 
protection against our email? Turn it on. Let us try it. Let us 
try it for a small set of users and then deploy it further 
across SBA. So that is one of the things that as I am 
forward-leaning, I do like to try things. I do like to test things. I 
am working that within my office before we roll it out 
enterprise-wide to kick the tires on it and make sure it is 
going to work.
    But as far as practices go, those are industry practices. 
You know, data loss prevention, advanced threat protection, all 
of those things we are putting in place are things industry is 
already doing.
    Ms. MURPHY. Do you find that the acquisitions processes, or 
any of the sort of the way that the government goes about 
procurement and things like that, inhibit your ability to 
acquire some of the most cutting-edge products that are on the 
market?
    Ms. ROAT. Like anybody else in the Federal Government, we 
have our acquisition processes. I think the work that has been 
done over the last year or 2 years around agile procurement, 
being able to do things faster. You know, within the FAR, you 
can do a lot of things and you can move very quickly. And I 
think applying those, you know, I am working with the 
Procurement Office, the acquisition folks at SBA to say, how do 
we move things along faster? How do we use agile acquisition 
methodologies? How do we do that to move things along instead 
of the traditional route moving paper? How do we be creative? 
So I am working with that office as well.
    Ms. MURPHY. And then from a recent hearing on SBA's--is it 
VERA/VSIP program, we learned about some of the agency's 
programmatic and demographic workforce challenges. 
Additionally, in general, in the Federal Government, there has 
been some challenges to recruiting and retaining competitive IT 
staff. Can you talk a little bit about some of the steps that 
the agency has taken to recruit and retain competitive IT 
staff?
    Ms. ROAT. So we have been using our direct hire authorities 
with the digital services team, certainly schedule A to bring 
people in directly, direct hires. With the CIO office, we have 
a big responsibility. I do not care what job you have around 
cybersecurity. So we have been using the direct hire authority 
for cybersecurity to bring in the right talent.
    People do not come into the Federal Government just to work 
for the Federal Government; they come in for the mission. They 
are not here for the money. They are in for the mission. It is 
like my father worked for a small business. You know, I saw 
what he went through; or my mother did or something like that.
    I found that people come in and they really want to work. 
The IT people come in and they really want to work because they 
are truly supportive of the mission. They get it. They 
understand it. They know somebody, and that is the talent that 
we are going after. Is it easy? No, but we are turning over the 
rocks and trying to recruit as much as we can.
    Ms. MURPHY. And on the retention of people like that, once 
you are able to recruit them in for the mission, what do you 
think causes them to stay? And are there things that can be 
done to ensure retention and that they are not hired away into 
the private sector?
    Ms. ROAT. I think the work we are doing now leaning 
forward, trying innovative things, not being status quo and 
just doing the same old, same old is drawing interest from 
people who want to be a part of that movement forward and to 
really modernize and really take SBA to the next level. So I 
think that is what is going to keep people there.
    Ms. MURPHY. That is great. Thanks so much, and I yield back 
the remainder of my time.
    Chairman CHABOT. Thank you very much. The gentlelady yields 
back. And now we have reached that big moment. Our newest 
member, the gentleman from South Carolina, Mr. Norman, is 
recognized for 5 minutes. Do not screw it up.
    Mr. NORMAN. That is a tall task. Thank you, Ms. Roat. I 
appreciate your time here.
    I know in the private sector, when you have people, and 
particularly, you have been on the job 10 months, what is your 
opinion of having a self-assessment of the members there to get 
an idea of problem employees that from their peers are judged 
in not so good of a light?
    And my second question is, and we have got constituents in 
my hometown in South Carolina where the universities play a big 
part in the SBA, is there an outreach to them or are they 
coming to you to reach out to play a part with SBA loans?
    Ms. ROAT. So for the first part of your question around the 
employees and how they are doing and working, you know, we did 
put in place performance management. That is very important for 
the employees, making sure that this is what we are doing this 
year and that people are on board. If they need training, we 
make sure to offer them training; performance management is a 
big deal to make sure that we are all on the same bus, we are 
all moving in the same direction, and that if people need 
training, we offer it and making sure they are working.
    For the universities, I would have to defer to our HR 
office, as well as the capital access folks and some of the 
others that are working much more closely with the universities 
and some of the others on the loans.
    Mr. NORMAN. Okay. And I guess back to one of the previous 
questions, for the training and staying up to speed on the 
changing world of technology, you feel comfortable with what 
you have now and what you see for the future?
    Ms. ROAT. So especially for what we are doing moving into 
the cloud right now, it is really, really important that the 
operations folks and the security folks really understand cloud 
architecture, and not just from a technical perspective, but 
monitoring and managing, and how do you offer those services 
across SBA to those program offices that may need different 
environments, test-dev and things like that. That training is 
really important, so we have had offsite sessions.
    We do weekly Lunch and Learns as well. There are other 
opportunities across SBA just around agile training 
methodologies that we have done. And it is not just around 
agile development, but around agile methodologies as a whole. 
So we are offering all of those kinds of training from Lunch 
and Learn to formal, paid training classes.
    Mr. NORMAN. I appreciate you taking the task and, from your 
testimony, you are up to the task and we appreciate your 
willingness to do this.
    I yield the time to the chairman.
    Chairman CHABOT. Thank you. The gentleman yields back. And 
in the opinion of the chair, the gentleman did just fine. So 
thank you very much. Looking for great things from you.
    And now we move to the gentlelady from North Carolina, Ms. 
Adams, who is the Ranking Member of the Subcommittee on 
Investigations, Oversight, and Regulations, for 5 minutes.
    Ms. ADAMS. Thank you, Chairman, and Ranking Member 
Velazquez, thank you as well. And thank you for your testimony. 
Thank you for being here, and thank you for your service to our 
country. We appreciate it.
    Your statement shows that you have made remarkable strides 
since you became CIO, reducing the vacancy rate from 30 percent 
to now 15. That is pretty impressive and we appreciate that.
    You identify developing the right workforce as one of the 
remaining challenges of SBA, so have you submitted or do you 
plan to submit a plan to the SBA to outline how you can better, 
as you put it, determine need competencies and develop and 
sustain a workforce that can use, deliver, and support not just 
the technologies, but those of the future? Not the technologies 
of today, but those of the future?
    Ms. ROAT. So one of the things that was put in place prior 
to my arrival was putting in a workforce plan. There are 170 IT 
specialists across SBA and part of the FITARA implementation 
was to have an actual IT workforce plan that really looked at 
that roadmap for the workforce. We are actually just getting 
ready to do a kickoff on that within the next month to lay out 
where we need to go for a workforce because it is not just my 
office that I have responsibility for in the IT, it is all of 
the IT personnel across all of SBA. So part of this work that 
we are kicking off in the next few weeks will be putting in 
place a long-term strategy for the workforce, looking at those 
skills, looking at those companies.
    It is so important that we get the right people, that they 
understand the environment, that we are not doing the same old, 
same old that we have been doing for a long time. So this 
workforce plan is really going to assess our as-is and set the 
stage for where we are going in the long run.
    Ms. ADAMS. Right. Thank you.
    With over 30 outstanding recommendations, as well as many 
planned initiatives, how does SBA prioritize its IT improvement 
efforts?
    Ms. ROAT. So for those things that were open from the IG, 
we tackled the low-hanging fruit first, right? Those things we 
could address very quickly that needed to be closed, that 
needed to be addressed. We are also looking--it is very 
important from a security perspective--what were those findings 
from the IG that we needed to address? Have we taken care of 
that over the last 10 months, and what are we going to do to 
close out the rest of those? Because some of them, again, we 
can resolve very quickly. Some of those are a little bit longer 
term. So we are prioritizing all of those.
    We understand that some of those are a little bit longer 
term, but there are steps to be taken. You lay out a project 
plan. How are we going to get to 12 months from now for a 
couple of those that are going to take a year? So here are the 
steps. Here are the major milestones. And here is what we are 
going to do. It is not about, well, we are going to do it next 
September. It is going to be what is the plan to get it done?
    Ms. ADAMS. Okay. So the low-hanging fruit, you feel that 
you have already accomplished that?
    Ms. ROAT. We have addressed quite a few of those. Yes.
    Ms. ADAMS. Great. Thank you very much. Mr. Chair, I yield 
back.
    Chairman CHABOT. Thank you. The gentlelady yields back.
    The gentleman from Iowa, Mr. Blum, who is the Chairman of 
the Agriculture, Energy, and Trade Subcommittee, is recognized 
for 5 minutes.
    Mr. BLUM. Thank you, Mr. Chairman. And I would also like to 
commend Representative Adams on her lovely hat today as normal. 
Very nice.
    Thank you, Ms. Roat, for your service to our country and 
for being here today.
    I come from the private sector. I was CEO of a publicly 
traded company, so I am very interested in management. Were you 
aware--I am sure you were--when you interviewed for the job 
that there were eight different CIOs in 12 years?
    Ms. ROAT. I was very aware.
    Mr. BLUM. Very aware. So I am sure, and you strike me as 
somebody who is very intelligent, you probably asked, what was 
the problem? That would be a logical question, would it not?
    Ms. ROAT. Correct.
    Mr. BLUM. And the reason I ask this is I know it is in the 
past, and I think you are going to change the future, but if we 
do not know why it happened, then how do we know how to change 
it? What were you told when you asked that question?
    Ms. ROAT. I think there was not a focus on the role of the 
CIO, what needed to be done, understanding, you know, 
technology is changing and that the CIO absolutely has to be 
tied to the business, understand the business of the 
organization. I think that was lost somewhere along the line. I 
think the program offices just went and kind of did their own 
thing. You know, no fault of their own. They had to do 
something around technology.
    When I asked the question, I think the IG report last year, 
as well as some of the GAO reports that came out, really honed 
in about a year ago that said, wow, we have got a problem. And 
even before, you know, when I was approached about the job, I 
did my homework. I looked at the IG reports. I looked at the 
GAO reports. You do not walk into a job like this with blinders 
on. And I did my homework.
    And I did ask those questions, and it was really having a 
leadership perspective that really understood what it took to 
be a CIO, how the CIO is tied to the business of an 
organization, that they are not just there to deploy laptops 
and those kind of things. They are there to be a true enabler 
of the business and really manage and have oversight and 
governance over the IT investments of the agency. So I asked a 
lot of those hard questions before I came on board.
    Mr. BLUM. So do you think they made poor hires in the past 
or do you think there is or was a structural problem within the 
SBA that caused these people to subsequently leave shortly 
after starting?
    Ms. ROAT. I am not sure that I can answer the question on 
the people that were in the role. I know some of them and they 
are very smart people. I think there may have been some 
leadership challenges structurally within SBA.
    Mr. BLUM. Inherent in the SBA?
    Ms. ROAT. Inherent in SBA. That is my opinion and I think 
last year----
    Mr. BLUM. Are some of those still there?
    Ms. ROAT. I think that as of last year, with the prior 
administration, and even the current administration, has been 
incredibly supportive of turning the agency around as far as 
the role of the CIO. I have an incredible amount of support 
right now and the runway that I have been afforded over the 
last 10 months to make things happen and affect change, I could 
not have done that without leadership support.
    Mr. BLUM. It is good to hear. It is good to hear. Because 
oftentimes things are structural. They are embedded and they 
have been there for a long time and change does not happen 
quickly in Washington, as you are well aware. And if those 
things are still there, you can be a very bright person and do 
an excellent job and we are still going to have issues. So you 
need to be looking for that within the organization that you 
control, that is for sure. And in the private sector, sometimes 
you need to clean house, correct?
    Ms. ROAT. Correct.
    Mr. BLUM. Speaking of the OIG, they criticized SBA's 
organizational structure for potentially undermining IT 
investment oversight and they talked specifically about chief 
digital officer perhaps as duplicative with your role. Do you 
report to the deputy COO?
    Ms. ROAT. So I report to the chief operating officer. The 
position of the chief digital services officer, or the chief 
digital officer, does not exist anymore. That position was 
hired as a political appointee roughly a year and a half ago, 
and with the change of the administration, that person left. 
The digital services team that was stood up about a year ago, 
they work very closely with my office, and part of the work 
that we have done earlier this year was to request a 
reorganization so that the digital service team reports 
directly into my office.
    Mr. BLUM. Good to hear. So you report to the COO?
    Ms. ROAT. That is correct. And then I have monthly meetings 
with the administrator that are scheduled. Bi-weeklies with the 
chief of staff as well.
    Mr. BLUM. Excellent. Good to hear.
    Last question. The OIG once again last reported there were 
39 open recommendations related to IT security, some dating 
back to 2011. Are these recommendations still valid in your 
estimation? And are we giving them the priority that they 
deserve and require?
    Ms. ROAT. So some of those recommendations we have closed 
already, in particular the oldest ones we closed a couple of 
months ago. So we have tackled a lot of those. It was a matter 
of documenting what we did. Some of the recommendations, when 
you look back 3 or 4 years, they are really OBE because of 
technology changes, whether it is moving email to the cloud. So 
we are addressing those specifically with the IG.
    So we are actually tackling those, and we have closed more 
than a half a dozen of those in the last couple of months, and 
we have another half-dozen or so that we are scheduled to close 
through the end of this fiscal year, and we have a plan to work 
on the rest of them as well.
    Mr. BLUM. Very good. My time is expired, but welcome to the 
SBA administration, and I personally think you are going to do 
an absolutely splendid job.
    Ms. ROAT. Thank you.
    Mr. BLUM. I yield my time, Mr. Chairman.
    Chairman CHABOT. Thank you very much. The gentleman's time 
is expired. And unless we are joined by any other members, the 
last questioner today will be the gentleman from Florida, Mr. 
Lawson, who is the Ranking Member of the Subcommittee on Health 
and Technology.
    Mr. LAWSON. Thank you, Mr. Chairman. And thanks for giving 
me 10 minutes.
    Mr. Chairman and Ranking Member Velazquez, I am honored 
that you all would host this meeting today. And I want to thank 
you for only 6 months on the job and the tremendous progress 
that has been made with the SBA.
    And one of the questions, I do not want it to be a 
duplicate, but I wanted to know about it. You might have 
already answered it. With 6 months into the administration, 
what roadblocks and challenges have you seen so far that are 
blocking the OCIO from implementing some of the recommendations 
and changes from the OIG and the GAO reports?
    Ms. ROAT. So a lot of the OIG recommendations were really 
technology focused as far as audit logs and access controls and 
all those kinds of things. So those are the ones that we are 
tackling right away, moving through those.
    Some of the broader ones around investment management, 
governance, dealing with IT investments across all of SBA, 
there is an Investment Review Board that I co-chair. So part of 
addressing some of GAO's concerns specifically was around, you 
know, the CIO's role in managing those IT investments, the 
oversight, having that governance authority. So I do co-chair 
the Investment Review Board that looks at all the investments 
across SBA, as well as working very closely with the CFO and 
the COO on those things.
    So I think the work around that we are doing with the 
Investment Review Board, with the Architecture Review Board, 
with the COO, with the CFO, is taking us a long way to 
addressing the concerns, particularly around the management of 
the IT investments across SBA.
    Mr. LAWSON. And are you satisfied with the recommendation 
concerning cybersecurity that you all are implementing?
    Ms. ROAT. The specific recommendations?
    Mr. LAWSON. Right.
    Ms. ROAT. So the ones that came out most recently, they 
were very specifically technically focused. Some of the broader 
ones were under management. I think we are making a lot of 
strides and a lot of headway in that progress as far as from a 
management perspective, getting our arms around all the 
cybersecurity. Security is layered throughout an organization 
and we are addressing it all the way through. So we are 
building it in as we go.
    Mr. LAWSON. Okay. A couple of months ago I was at a 
business roundtable in Jacksonville, Florida, and some of the 
concerns that were expressed there from some of the business 
leaders, or the small business people in there, is that they 
did not feel like they really knew a lot of things that were 
going on in SBA. And I know that you have field operations all 
over the place. How do you go about communicating to those 
field operations to let the businesses know that you are 
available for them and that they can access a lot of the 
information and have access to capital and so forth?
    Ms. ROAT. So I do work closely with the Office of Field 
Operations. They do have weekly calls with the field, so I do 
participate in those. And when there are questions that arise 
as far as what information could be available on the SBA 
website, you know, we are acting on that. So the team is 
working very closely with the field operations as well as 
capital access to make sure that the information is available 
on the website for one, and consolidating the information. I 
know that the information historically has been very hard to 
find on the website, so we have been working hard at 
consolidating events to make that available.
    I do participate in the weekly calls with the field 
operations, so as anything bubbles up. I also participate with 
the Tech Coalition, which partners with industry as well. So 
hearing their concerns and making sure that we are responsive 
to them.
    Mr. LAWSON. And since women-owned businesses are the 
fastest-growing small businesses in America, how are you all 
catering more towards them to make sure that they feel 
comfortable in accessing the information from you?
    Ms. ROAT. So I think there is an event coming up in the 
next few weeks, GCBD, with women entrepreneurs and women 
business owners coming up. I think it is the end of the month, 
the 26th or 27th. So there is a lot of outreach going out and 
very targeted to those communities, whether it is small 
business, the women-owned. So that event is one example of how 
SBA is targeting those groups.
    Mr. LAWSON. And I would like for you to send my office some 
information on that because I would like to make sure that we 
find out everything we possibly can because I am always 
approached by some of the women in business.
    And with that, Mr. Chairman, I yield back.
    Chairman CHABOT. Thank you very much. The gentleman yields 
back.
    I would just conclude by saying, Ms. Roat, the office that 
you now hold has obviously struggled in recent years and I 
would say that based upon the testimony that you have given us 
and the answers to the questions that both sides have asked, I 
would say that I am encouraged. I think a lot of other members 
are as well, that you will work to improve your office in order 
to better fulfill the requirements of the SBA and how they 
serve small businesses all across the country.
    We would encourage you to keep the Committee updated on the 
progress that you make. And if you run into any problems, 
please let us know, either us or our staff, so that we can 
assist you in doing the best job that you can for those small 
businesses. So thank you very much for your testimony today.
    I would ask unanimous consent that members have 5 
legislative days to submit statements and supporting materials 
for the record.
    Without objection, so ordered.
    And if there is no further business to come before the 
Committee, we are adjourned. Thank you.
    [Whereupon, at 12:03 p.m., the Committee was adjourned.]
                           
                           A P P E N D I X


                        STATEMENT OF MARIA ROAT


                       CHIEF INFORMATION OFFICER


                   U.S. SMALL BUSINESS ADMINISTRATION


                               BEFORE THE


                      COMMITTEE ON SMALL BUSINESS


                     U.S. HOUSE OF REPRESENTATIVES


                               HEARING ON


 HELP OR HINDRANCE? A REVIEW OF SBA'S OFFICE OF THE CHIEF INFORMATION 
                                OFFICER


                             JULY 12, 2017


    Chairman Chabot, Ranking Member Velazquez, and Members of 
the Committee, thank you for the opportunity to discuss how the 
Small Business Administration (SBA) is improving its leadership 
roles in overseeing and addressing information technology (IT) 
investments and security risks. I would like to share with you 
today where SBA is in the process of rationalizing its IT 
infrastructure, and stabilizing and modernizing to drive 
standardization, consolidation, and integration across its IT 
portfolio.

    In October 2016, the Office of the Inspector General issued 
its ``Report on the Most Serious Management and Performance 
Challenges in Fiscal Year 2017.'' The report's Challenge 2 
focused on the Office of the Chief Information Officer (OCIO) 
and the need to improve its leadership roles in overseeing and 
addressing IT and security risks. Since 2005, SBA has had 8 
Chief Information Officers and frequent turnover in key IT 
positions ``adversely affecting the ability for SBA to make 
lasting improvements in its IT investments and security in 
multiple areas.''\1\ I am here to tell you about how the Office 
of the Chief Information Officer is transforming to help the 
agency and support its mission of delivering services to small 
business owners.
---------------------------------------------------------------------------
    \1\ https://www.sba.gov/sites/default/files/oig/FY_2017_-_Management_Challenges_-_10_14_16_7.pdf

    I on-boarded SBA on October 3, 2016 as the Chief 
Information Officer, after having served as the Chief 
Technology Officer at the US Department of Transportation for 
more than two years. By mid-November, I completed an initial 
assessment of the overall operating environment and identified 
stabilization and modernization targets to reach by the end of 
the fiscal year. It is necessary to pivot OCIO from a reactive, 
fire-fighting, technical support operation to a more proactive 
services organization that is innovative and responsive to the 
business and technology needs of SBA's mission. After I 
arrived, the OCIO began moving aggressively to address its 
network, systems, applications and overall operational 
challenges, move its primary data center to the cloud, address 
security deficiencies and decrease its personnel vacancy rate.

    When I arrived, SBA's heating, ventilation, and air 
conditioning (HVAC) units in its data center were experiencing 
weekly incidents with temperatures rising to 120 degrees or 
more causing frequent outages and system degradation. SBA's 
inventory of network, servers, software, and applications was 
incomplete, resulting in ineffective management of the entire 
network. Program offices were operating in silos with some 
network segments firewalled from OCIO visibility for monitoring 
and management. Further, operating systems were long past end-
of-life, and others nearing end-of-life, introducing 
significant security risks into the environment.

    SBA's network infrastructure was not adequately architected 
to support SBA's requirements. Specifically, one third of all 
network circuits are overloaded, and the environment has aging 
voice equipment, single points of failure, inconsistent end-
point management, and separate voice and data wide area 
networks (WANs). Gaps existed in the areas of configuration 
management, and a lack of a mature enterprise architecture 
capability has led to a fragmented technology stack with 
deficiencies in standardization, and duplicative or overlapping 
tools deployed across SBA.

    Strategies to Stabilize and Modernize

    It is imperative to modernize SBA's infrastructure and 
build in security as a design principle to support a mobile 
workforce. To address the WAN performance issues, immediate 
actions were taken to make configuration changes to move 
certain traffic loads to off-hours. With its service provider, 
OCIO developed plans to migrate from a Time-Division Multiplex 
(TDM) to a converged, Ethernet IP based network that will 
result in reduced network latency, improved application 
performance, address security gaps, and introduce scalability 
and resiliency. In working with the service provider, I 
provided direction that the effort must be cost-neutral--no 
additional funding was available. Orders for 111 circuits were 
placed and the first 20 circuits are on-line today.

    Of primary importance was stabilizing the primary data 
center's environment. By December, the OCIO team conducted a 
detailed data center inventory from the physical devices to the 
applications. The inventory was produced with about 85% 
accuracy, and provided sufficient initial data to identify what 
could be shut down, upgraded, and/or moved to the cloud. The 
OCIO team made a determination to either upgrade systems or 
shut down unnecessary equipment in preparation for 
transitioning to the cloud. By March, the team shut down 170 
servers directly resulting in HVAC stabilization, and a 
tangible reduction in power usage. Upgrades to operating 
systems and applications significantly reduced vulnerabilities 
and improved SBA's security posture. Because of my direction 
that no new hardware would be purchased or placed in the data 
center, SBA is the first federal agency to deploy the 
Continuous Mitigation and Diagnostic system in a cloud 
environment, with Phase I starting in March.

    SBA migrated e-mail to Microsoft O365 in May 2016 due to 
failing on-premise e-mail servers; however, no other subsequent 
migration actions were planned to take advantage of the O365 
platform's capabilities. As the data center stabilization tiger 
teams stood down, cloud tiger teams stood up to migrate the 
data center to Microsoft's Azure cloud and O365. The teams 
follow agile methodologies with daily stand-ups, releases and 
sprints, and all activities tracked in JIRA. The cloud 
architecture design was completed in March, migration planning 
is nearing completion, migration staging begins in July, and 
actual migration starts in August. Migration to SharePoint 
Online has been completed for those applications that could be 
migrated, and assessment is underway for remaining SharePoint 
applications to either be upgraded or considered for 
replatforming, consolidating or transitioning to commercial off 
the shelf (COTS) or other software as service applications.

    Prior end-user environments were deployed inconsistently 
across SBA with no standard image, resulting in security 
vulnerabilities, inconsistencies, and multiple versions of 
software installed on the desktops. Upgrades to Windows 10, 
Office 2016 and OneDrive for the entire SBA enterprise are 
underway. Deployment to pilot users was completed in May and 
OCIO-wide roll-out begins in July. SBA-wide upgrades will begin 
at the end of the fiscal year.

    The Deputy CIO and I reviewed and evaluated all purchase 
requisitions for reduction or elimination based on duplication, 
overlap, gaps, and need as the transition to O365 and the cloud 
is underway. Additionally, OCIO leadership reviewed all service 
contracts and identified opportunities to eliminate duplicative 
services and address gaps.

    Pivoting from a functionally siloed organization to a 
customer-centric and service-optimized structure requires an 
understanding of the customer's requirements. Operational 
credibility is key to IT taking on a more strategic role within 
the enterprise. Improved support from the IT Service Desk 
including closing outstanding issues, implementing tiered 
support processes and receiving and incorporating customer 
feedback is improving customer satisfaction. Further, the data 
center stabilization efforts significantly reduced incoming 
calls to the Service Desk.

    Improving SBA's IT Governance Structure

    The Federal Information Technology Acquisition Reform Act 
(FITARA) provides the tools needed to transform how we manage 
IT. It is imperative that the CIO, Chief Human Capital Officer, 
Chief Financial Officer and Senior Procurement Executive work 
collaboratively to understand SBA's business needs and drive 
informed decisions. Over the last year, SBA has initiated a 
review of its IT portfolio and actively uses the agency's 
Investment Review Board (IRB), co-chaired by the CIO and Chief 
Financial Officer. The IRB has oversight responsibility for 
major programs and is working to institutionalize its ability 
to deliver successful programs and mature SBA's governance 
capabilities and improve transparency.

    Through a stronger governance model, the CIO has greater 
visibility to improve planning, identify cost savings 
opportunities and to better understand current and planned IT 
resources to support program objectives. This includes 
leveraging Enterprise Architecture as the roadmap to improve, 
integrate and streamline processes and systems, and requiring 
CIO approval for acquisition plans for all new IT contracts 
above the simplified acquisition threshold to safeguard against 
the procurement of duplicative and/or non-compatible 
technologies and services, and ensure alignment with SBA's 
technology standard and strategic direction. I conducted four 
deep dives on major investments to review milestones, technology 
capabilities, funding and risks: Capital Access Financial 
Systems; Disaster Credit Management Modernization; Small 
Business Innovation Research Program; and Certify.sba.gov. 
Additionally, I conducted a TechStat on the Certify.sba.gov IT 
investment in June to examine program data with a focus on 
delivered and planned functionality that will lead to concrete 
actions to improve overall program performance and reduce risk.

    Leveraging IT to Support Mission Outcomes

    SBA delivers loans, loan guarantees, contracts, counseling 
sessions and other forms of assistance to small businesses. The 
agency's primary public website (sba.gov) is visited by over 15 
million people per year, but the agency has struggled with 
meeting the needs of these current and prospective small 
business owners. Information has been buried in confusing 
language and layers of navigation, and has been hard to access 
on mobile and tablet devices. Approximately 31% of SBA's web 
site traffic comes from mobile devices and 5% from tablets, and 
mobile traffic grew by 2.5% last year. In 2016, a Digital 
Service team was stood up and on-boarded a team of digital 
experts to lead a modernization effort for sba.gov. The Digital 
Service team moved sba.gov to a new Content Management System, 
established a modernization roadmap and is systematically 
changing the site to greatly improve SBA's customer experience. 
The agency's Leveraging Information and Networks to access 
Capital (LINC) capability will receive a major refresh and re-
launch later this month to help connect small business 
borrowers with participating SBA lenders. As part of the 
modernization effort, the tool will be renamed to Lender Match 
for ease of communicating its purpose and value. Prospective 
borrowers complete a short online questionnaire, and the 
responses are forwarded to participating lenders that operate 
within the small business' county. If lenders are interested in 
the referral, the lender and prospective borrower's contact 
information will be exchanged.

    The OCIO is collaborating with the Office of 
Entrepreneurial Development to replace its legacy system, and 
the Office of Investment and Innovation to upgrade the SBIC Web 
technology stack and to transition the systems monitoring and 
management to OCIO. These outward facing systems that support 
mission objectives, such as partnering with Small Business 
Development Centers and Veterans Business Outreach Centers, and 
facilitating the flow of long-term capital to America's small 
businesses must be secure.

    Developing SBA's IT Workforce

    To be successful with cloud adoption, the OCIO must make 
fundamental changes to its organizational mission and roles. 
All IT personnel across SBA and functional areas, including 
security, infrastructure and operations, must maintain their 
relevance as technology evolves and OCIO transitions to support 
Development and Operations (DevOps), and a software-centric 
organization that incorporates hybrid cloud solutions. To keep 
up with rapid technology changes, typical organizational 
structures and the IT workforce must evolve to operating within 
small, autonomous teams that cross-collaborate to work on fast-
flowing ideas, opportunities and improvements. Further, a risk-
tolerant environment that allows for the exploration of ideas 
can accelerate the value delivered to the SBA.

    The OCIO's vacancy rate was 30% in October 2016 and was 
reduced to 15% by February 2017. Ten employees were hired 
including a Deputy CIO, Chief Technology Officer, Director of 
Operations, Enterprise Data Manager, Section 508 Program 
Manager, Branch Chiefs for Information Security Operations and 
Compliance, and other staff positions. SBA initiated a 
reorganization to realign the Digital Service team into the 
OCIO and merge it with the existing development team. OCIO will 
hire 10 additional staff to fill existing vacancies. OCIO is 
hiring not for the organization of today, but for the 
organization that can support future capabilities. For example, 
an Enterprise Data Manager was hired to create business value 
through data and analytics and rethink how information as an 
asset can take a more active and dynamic role in the activities 
of SBA.

    As SBA continues its efforts to implement FITARA, the CIO 
and CHCO are committed to developing a holistic approach to 
build a strategic workforce plan for all SBA IT professionals. 
Attracting and developing IT staff is critically important to 
long-term success as legacy systems are modernized and shifted 
to the cloud, and an enterprise approach to IT is implemented. 
SBA has approximately 170 IT specialists and digital service 
experts, of which 70 are directly assigned to the OCIO. 
Workforce planning requires significant improvement and SBA 
will initiate strategic workforce planning by the end of the 
fiscal year. SBA has a strong mission draw for IT and 
cybersecurity professionals and we must partner with the CHCO 
to better market ourselves.

    Challenges Remain and Opportunities Exist

    Even with the progress outlined above, challenges related 
to the fiscal environment have put pressure on IT 
organizations. Internal and external customers and stakeholders 
expect SBA to deploy services and technology on par with their 
personal use and interaction with private sector firms. The 
need for speed and agility in acquisition is vital to deliver 
products and services.

    Develop the Right Organization and Workforce - SBA must 
determine needed competencies and develop and sustain a 
workforce that can use, deliver and support not just the 
technologies of today, but those of the future. Recruiting the 
right people into the federal government with the right skills 
and the capacity to freely and quickly change and innovate is 
difficult at best. The ability to leverage and integrate with 
trusted private sector partners to supplement the federal IT 
workforce is more critical than ever.

    Build the flexibility to implement IT best practices - 
SBA's program office applications and systems were generally 
developed in silos. Customer information, for example, is 
duplicated across systems and information sharing is limited. 
Program offices are looking for modern, easy-to-use 
applications that can be quickly deployed, while OCIO 
concurrently takes a strategic approach to standardizing on a 
limited set of application suites to minimize integration 
issues, maximize security and reduce IT costs. Further, 
implementing shared services will evolve over time, and 
consolidating contracting of commodity IT requires flexible, 
agile acquisition practices and will result in increased value 
of the services to the business.

    Increase Visibility into IT Planned Expenditures - Data 
concerning planned and actual spending must be readily 
available, and capable to drive SBA's ability to identify 
opportunities to improve leverage and operational cost. Further 
maturity in this area will ensure that information is accurate 
and that evidence based decision making is properly integrated 
with the governance process.

    Mature Cybersecurity Capabilities - Cybersecurity is 
critical in a modern information infrastructure that includes 
data virtualization, separation of storage, compute, and cloud-
based data persistence. SBA must modernize to keep its IT 
systems current and secure with a clear understanding of risks 
to availability and reliability.

    Conclusion

    Information technology is a key enabler of digital 
transformation, and we are taking a multi-pronged approach that 
leverages current technologies while looking ahead to the 
future to proactively address the agency's needs. We are 
focused on building a strong foundation that is robust, 
scalable, secure and responsive to changing business needs. 
Together with SBA's program offices, we will build on this 
foundation to create and deliver digital solutions that will 
not only improve the public's experiences with SBA's services, 
but will also improve our internal customer experience. Actions 
to consolidate and update support contracts will continue, and 
areas such as system development and program support will be 
strengthened as OCIO transitions to a services-oriented 
organization. A robust enterprise governance that has 
leadership alignment will drive progress and ensure IT programs 
and projects are selected and managed to ensure SBA's needs are 
met in an effective manner while minimizing unnecessary 
duplication. The CIO is a key stakeholder in driving horizontal 
and vertical collaboration to ensure that the right authority, 
with the right information, at the right time makes the best 
possible decision to effectively deliver IT programs. Thank you 
for the opportunity to speak with you today and I look forward 
to your questions.

                                 [all]