[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


  THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT (FITARA) 
                             SCORECARD 4.0

=======================================================================

                              JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                AND THE

                            SUBCOMMITTEE ON
                         GOVERNMENT OPERATIONS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 13, 2017

                               __________

                           Serial No. 115-27

                               __________

Printed for the use of the Committee on Oversight and Government Reform




         Available via the World Wide Web: http://www.fdsys.gov
                       http://oversight.house.gov
                       
                       
                                __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
26-560 PDF                  WASHINGTON : 2017                     
          
                       
                       
              Committee on Oversight and Government Reform

                  Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, 
Darrell E. Issa, California              Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Jason Chaffetz, Utah                 Eleanor Holmes Norton, District of 
Mark Sanford, South Carolina             Columbia
Justin Amash, Michigan               Wm. Lacy Clay, Missouri
Paul A. Gosar, Arizona               Stephen F. Lynch, Massachusetts
Scott DesJarlais, Tennessee          Jim Cooper, Tennessee
Blake Farenthold, Texas              Gerald E. Connolly, Virginia
Virginia Foxx, North Carolina        Robin L. Kelly, Illinois
Thomas Massie, Kentucky              Brenda L. Lawrence, Michigan
Mark Meadows, North Carolina         Bonnie Watson Coleman, New Jersey
Ron DeSantis, Florida                Stacey E. Plaskett, Virgin Islands
Dennis A. Ross, Florida              Val Butler Demings, Florida
Mark Walker, North Carolina          Raja Krishnamoorthi, Illinois
Rod Blum, Iowa                       Jamie Raskin, Maryland
Jody B. Hice, Georgia                Peter Welch, Vermont
Steve Russell, Oklahoma              Matt Cartwright, Pennsylvania
Glenn Grothman, Wisconsin            Mark DeSaulnier, California
Will Hurd, Texas                     John P. Sarbanes, Maryland
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan

                   Jonathan Skladany, Staff Director
                  Rebecca Edgar, Deputy Staff Director
                    William McKenna, General Counsel
   Troy Stock, Subcommittee Staff Director for Information Technology
                      Julie Dunne, Senior Counsel
                         Kiley Bidelman, Clerk
                 David Rapallo, Minority Staff Director
                 Subcommittee on Information Technology

                       Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair  Robin L. Kelly, Illinois, Ranking 
Darrell E. Issa, California              Minority Member
Justin Amash, Michigan               Jamie Raskin, Maryland
Blake Farenthold, Texas              Stephen F. Lynch, Massachusetts
Steve Russell, Oklahoma              Gerald E. Connolly, Virginia
                                     Raja Krishnamoorthi, Illinois
                                 ------                                

                 Subcommittee on Government Operations

                 Mark Meadows, North Carolina, Chairman
Jody B. Hice, Georgia, Vice Chair    Gerald E. Connolly, Virginia, 
Jim Jordan, Ohio                         Ranking Minority Member
Mark Sanford, South Carolina         Carolyn B. Maloney, New York
Thomas Massie, Kentucky              Eleanor Holmes Norton, District of 
Ron DeSantis, Florida                    Columbia
Dennis A. Ross, Florida              Wm. Lacy Clay, Missouri
Rod Blum, Iowa                       Brenda L. Lawrence, Michigan
                                     Bonnie Watson Coleman, New Jersey
                           
                           C O N T E N T S

                              ----------                              
Hearing held on June 13, 2017

                               WITNESSES

Mr. David A. Powner, Director, IT Management Issues, U.S. 
  Government Accountability Office
    Oral Statement
    Written Statement
Ms. Beth Killoran, Deputy Assistant Secretary for IT, Chief 
  Information Officer, U.S. Department of Health and Human 
  Services
    Oral Statement
    Written Statement
Ms. Sheila Conley, Deputy Assistant Secretary, Acting Chief 
  Financial Officer, U.S. Department of Health and Human Services
Dr. Rick Holgate, Research Director, Gartner, Inc
    Oral Statement
    Written Statement

                                APPENDIX

Questions for the Record for Mr. David Powner, submitted by Ms. 
  Kelly
Questions for the Record for Dr. Rick Holgate, submitted by Ms. 
  Kelly

 
  THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT (FITARA) 
                             SCORECARD 4.0

                              ----------                              


                         Tuesday, June 13, 2017

                  House of Representatives,
Subcommittee on Information Technology, joint with 
         the Subcommittee on Government Operations,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittees met, pursuant to call, at 2:03 p.m., in 
Room 2154, Rayburn House Office Building, Hon. William Hurd 
[chairman of the Subcommittee on Information Technology] 
presiding.
    Present from Subcommittee on Information Technology: 
Representatives Hurd, Mitchell, Issa, Russell, Kelly, Lynch, 
Connolly, and Krishnamoorthi.
    Present from Subcommittee on Government Operations: 
Representatives Meadows, Jordan, Massie, Blum, Connolly, and 
Maloney.
    Also Present: Representative Gowdy.
    Mr. Hurd. The Subcommittee on Information Technology and 
the Subcommittee on Government Operations will come to order. 
And without objection, the chair is authorized to declare a 
recess at any time.
    And I think we are good on votes later in the afternoon, 
right, so that is a plus for once.
    Good afternoon. Thank you all for being here. You know, 
nearly two years ago today, we released the first FITARA 
scorecard, or what some refer to as Issa-Connolly, is that 
right, Mr. Connolly? This bipartisan committee product, 
produced with GAO assistance, has been intended to drive 
technology reform across all of our Federal agencies.
    Today, the committee released the fourth FITARA scorecard. 
And the committee, in coordination with GAO, has adjusted the 
calculation and added new metrics for each version of the 
scorecard since the beginning. For example, the FITARA 
Scorecard 3.0, the final grade included a plus to indicate that 
the CIO reports to the Secretary or Deputy Secretary of the 
agency and a minus to indicate if the CIO does not report to 
these officials. That system remains in place for Scorecard 
4.0, and I strongly urge that all agencies with a minus to 
adjust their reporting structure. This is an easy fix that 
will help agencies continue to move towards 21st century IT 
practices.
    For Scorecard 4.0, the committee made two adjustments to 
the grading. First, we simplified the calculation for the 
incremental developmental area to capture more incremental 
projects. Second, we incorporated OMB data center optimization 
metrics into the data center grade so that half the grade is 
now based on savings as a result of consolidation, and half the 
grade is based upon meeting optimization metrics. OMB published 
these optimization metrics last year, so they should not be a 
surprise to agencies. And we did this based on feedback from 
the agencies.
    The committee is also previewing a new grading area related 
to the FITARA and MEGABYTE Act requirements on software license 
management inventories and the effectiveness of software 
licenses. There is absolutely no excuse for agencies not to 
have an accurate inventory of the software licenses they have. 
This is basic IT management.
    From Scorecard 3.0 to Scorecard 4.0, four agencies' grades 
have improved, 15 agencies' grades have stayed the same, and 
five agencies have declined. Notably, the Department of Defense 
grade declined from a D to an F. The committee reduced DOD's 
grade due to a lack of transparency on IT spending. DOD appears 
to have reclassified a significant percentage of its IT 
spending as national security systems, which are not covered by 
FITARA. This lack of transparency is unacceptable. My 
colleagues and I will be following up with the DOD on this 
issue.
    We also have our first ever ``A'' on this scorecard. USAID, 
after receiving D's on each of the first three scorecards, 
significantly improved its scores, particularly in the areas of 
incremental developmental transparency and risk management. I 
applaud the work of the office of the USAID CIO to address the 
score and encourage other agencies to look to them as an 
example in these areas.
    Today's hearing features witnesses from HHS, which has 
received D's on all four versions of the scorecard, and 
currently has 44 open GAO recommendations related to high-risk 
IT acquisitions and operations. I look forward to hearing HHS' 
plan to close out those recommendations and turn those grades 
around.
    Before I close, I want to take a moment to acknowledge and 
thank Chairman Chaffetz. The prioritization of IT and 
cybersecurity issues on the Oversight Committee has been an 
integral aspect of this committee's success, and I am thankful 
for Chairman Chaffetz's leadership on these issues. The 
Congress and the country are better off because of his service 
as chairman of the Oversight Committee. I thank Chairman 
Chaffetz for his service and leadership, and I look forward to 
working with Chairman Gowdy as he leads the committee forward.
    Thank you, and I look forward to hearing from all of our 
witnesses today.
    And now, it is my pleasure to recognize my friend and the 
ranking member of the Subcommittee on IT for her opening 
statement. Ms. Kelly, you are now recognized.
    Ms. Kelly. Thank you, Mr. Chairman.
    And thank you, Chairman Meadows and Ranking Member 
Connolly, for your leadership and the leadership you have shown 
our subcommittees continuing to work together to oversee 
Federal information technology systems.
    Key to this oversight has been the scorecard our committees 
have developed for grading agency progress and fulfilling the 
requirements of the Federal Information Technology Acquisition 
Reform Act, or FITARA, or Issa-Connolly. The latest FITARA 
scorecard shows that President Trump's hiring freeze and plan 
for imposing deep workforce reductions to agencies may have 
already begun to reverse the gains many agencies have been 
making under the prior administration. In January, President 
Trump ordered a freeze on the hiring of Federal civilian 
employees, preventing agencies from fulfilling vacancies or 
creating new positions.
    This past April, the Office of Management and Budget issued 
a new directive mandating that the agencies reduce their 
civilian workforce. Under the OMB directive, agencies are now 
required to, and I quote, ``begin taking immediate actions to 
achieve near-term workforce reduction,'' the President's plan 
for reducing the Federal workforce to make it even more 
difficult for agencies to hire the most skilled, tech-savvy 
workforce needed to fully implement FITARA.
    This past March, our subcommittees held a hearing on the 
challenges the Federal Government is facing in Federal IT 
acquisition and heard from some of the leading IT experts in 
the private sector. Many of these experts agree that one of the 
most critical challenges to modernizing government IT 
operations is the need to hire more IT professionals. As the 
new scorecard shows, several agencies have hit roadblocks, and 
some, like the Department of Health and Human Services, which 
is here today, continue to fall behind in meeting the 
requirements of FITARA. Forcing these agencies to make across-
the-board cuts to their workforces on top of the hiring freeze 
can make it more difficult for them to fulfill the 
requirements.
    It wasn't always this way. Prior scorecards showed steady 
progress among agencies. But for the first time since our 
committee began measuring compliance, the new scorecard shows 
that overall agency progress has stalled under this 
administration. More specifically, the new scorecard indicates 
that the grades of only four agencies improved, 15 agencies had 
no improvement whatsoever, and the grades for five agencies 
actually went down. In contrast, when the subcommittees 
released their scorecard this past December, three times as 
many agencies showed improvement in their scores, and only one 
agency had a decrease in their grades. The new scorecard 
highlights the fact that the Trump administration's Federal 
workforce policies are harmful and counterproductive.
    As I pointed out at the hearing our subcommittee held this 
past December on FITARA, I hope there will be bipartisan 
interest in holding the Trump administration to the same high 
standards to which we held the last administration.
    I want to thank the witnesses for testifying and thank the 
chair again.
    Mr. Hurd. Thank you, Ranking Member.
    Now, I would like to recognize the chairman of the 
Subcommittee on Government Operations, the gentleman from North 
Carolina, Mr. Meadows, for his opening remarks.
    Mr. Meadows. Thank you, Mr. Chairman. I just want to say 
thank you for your leadership on this critical area. You have 
forgotten more about IT than I ever knew, and I appreciate your 
leadership. And certainly, for the Issa-Connolly law or, as the 
gentleman from Virginia would love to call it, the Connolly-
Issa law, thank you both for your leadership as we look at 
moving forward.
    I want to thank all of you for being here. Some of this may 
be not so pleasant. At the same time, it is becoming critically 
important that we address these issues. And as you will see, in 
a bipartisan fashion, we are taking this extremely seriously, 
and it will have implications from a standpoint of 
appropriations in other areas that if our IT CIOs don't take it 
as seriously, they will see other areas that potentially could 
be impacted because of their inaction.
    And with that, I yield back, Mr. Chairman.
    Mr. Hurd. The chairman yields back.
    Now, it is a pleasure to recognize the gentleman from the 
Commonwealth of Virginia, Mr. Connolly, for his opening 
remarks.
    Mr. Connolly. Thank you, Mr. Chairman. And let me thank you 
and my friend Mr. Meadows and my dear friend Robin Kelly from 
Illinois for the bipartisan leadership of these two 
subcommittees. I think one of the big differences between this 
period--and of course my co-author is here with us today as 
well--we have handled this on a bipartisan basis. There is no 
daylight between us or among us on this issue. And I think 
sending that message to the executive branch is critical.
    What was lacking under Clinger-Cohen was any continuity or 
any robust follow-up because Mr. Clinger retired, Mr. Cohen 
became Secretary of Defense. That is not the case here. We are 
still here and we mean it. And we are going to continue to 
press for progress on the implementation of FITARA, also known 
as Issa-Connolly.
    We are also, I hope, going to introduce legislation shortly 
to extend the sunset provisions, which I think is one of the 
recommendations of the GAO, and Mr. Powner may elaborate on 
that today. But we don't want to lose progress by having those 
provisions expire prematurely, and we need more time for 
implementation, not forever, but we need more time.
    I echo all of the sentiments my colleagues have shared in 
their opening statements, and I want to first begin by citing 
what the chairman cited, which is the progress at AID. Here is 
an agency that began at a fairly low score and decided, you 
know what, we can't settle for that. What did they do? They 
reached out to GAO and they said what can we do to improve our 
performance? And you know what, they listened to advice, and 
they implemented it. And they now have the highest score and 
the greatest progress of any Federal agency, AID.
    So, when some agencies say, well, it is too complicated, et 
cetera, AID has proved that is not true. If there is the 
political way, if there is a managerial desire to self-improve 
and to come into the 21st century, you will have congressional 
support, you will have GAO support, and you will have a nice 
grade.
    On the other hand, at the other end of the spectrum is a 
recalcitrant, arrogant management style at the Department of 
Defense. Don't bother us with these troublesome requirements or 
standards, we are exempt from everything, we will police 
ourselves, and we will set our own goals and objectives and 
metrics. The fact that they, of course, fall short of everybody 
else's is immaterial. And what is so disturbing about that is 
they are the big budget.
    And I know when we met with GAO, we were very disappointed 
in DOD's performance, and all of us agreed, again, on a 
bipartisan basis, to insist that they improve their 
performance, that they come into compliance like every other 
Federal agency. And the burden is on them even greater because 
they have the dollars. They have the biggest budget of anybody, 
and they are about to get bigger. So, it is incumbent upon the 
Department of Defense to ``get right with the Lord,'' and we 
are going to help them along on a bipartisan basis.
    I believe the scorecard is a terribly important tool for 
measuring progress, and I thank GAO for working with us and 
coming up with it. I repeat what I have always said. It is not 
designed to be a scarlet letter on anyone's back. It is 
designed to prod senior management to provide the wherewithal 
for a CIO in a reporting sequence but also empowerment so there 
is accountability, there is transparency, there is 
responsibility. And it is the taxpayer who benefits.
    So, you know, we have set metrics against which we believe 
people can be fairly measured, and we think it is working, not 
as fast as we would like. And the slow pace of naming a 
permanent CIO with the transition and new administration has 
cost us some progress, and that is why we want to extend the 
sunset provisions, not the only reason, but that is a primary 
driver so that we can make up for that time and keep the goals 
in front of us.
    So, I look forward to this hearing. It is one of my 
favorite every year. I don't know why there aren't klieg lights 
and cameras all over the room, but I do think this is a 
terribly important subject, and I thank again my colleagues for 
their support and their commitment.
    I yield back.
    Mr. Hurd. I would like to thank the gentleman. And I am 
going to hold the record open for five legislative days for any 
members who would like to submit a written statement.
    And we are now going to recognize our panel of witnesses. I 
am pleased to welcome a repeat visitor of this chamber, I think 
one of the few people none of us have yelled at in the Federal 
Government, Mr. David Powner, the director of IT Management 
Issues, the U.S. Government Accountability Office; Ms. Beth 
Killoran, deputy assistant secretary for IT, chief information 
officer, the U.S. Department of Health and Human Services. 
Thank you for being here. Ms. Sheila Conley, the deputy 
assistant secretary, acting chief financial officer at HHS; and 
Dr. Rick Holgate, the research director at Gartner, 
Incorporated, and former CIO of the Bureau of Alcohol, Tobacco, 
Firearms, and Explosives. Welcome to you all.
    And pursuant to committee rules, all witnesses will be 
sworn in before they testify. Please rise and raise your right 
hands, please.
    [Witnesses sworn.]
    Mr. Hurd. Thank you. Please be seated.
    Let the record reflect that the witnesses answered in the 
affirmative.
    In order to allow time for discussion, we would appreciate 
it if you would please limit your testimony to five minutes. 
Your entire written statement will be made part of the record.
    And I would like to recognize Mr. Powner for his opening 
remarks for five minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF DAVID A. POWNER

    Mr. Powner. Chairman Hurd, Meadows, Ranking Members Kelly, 
Connolly, and members of the subcommittees, I'd like to thank 
you and your staff for your continued oversight on the 
implementation of FITARA with this fourth set of grades.
    This is the first time we've seen overall grades not 
improve with only four grades higher, five lower, and 15 
holding steady. I would attribute this in part to transitioning 
administrations and also to your expansion of the scoring 
methodology. For example, data centers now include how agencies 
report on five optimization metrics in addition to cost 
savings. This has resulted in data center grades going down 
because only EPA and SSA report good progress on these metrics.
    The transparent reporting on data center progress that 
FITARA requires needs to continue beyond the October 2018 date 
since there are significant expected savings beyond 2018. 
Extending FITARA's sunset date and realizing these out-year 
savings is especially important given the MGT Act and this 
committee's oversight on modernizing old, insecure legacy 
systems.
    Another change to the scorecard is on incremental 
development where we now capture more software development 
projects. This change was suggested by several CIO shops, and 
I'd like to add that we have had good scorecard discussions 
with almost half of the CIOs or their staff. Although we've 
seen progress in the areas scored to date--incremental 
development, data center optimization, and investment 
transparency--we think there is great room for improvement on 
reducing duplicative business or administrative systems under 
the PortfolioStat initiative.
    Your preview of agencies' efforts to better manage software 
licenses, a major area of FITARA not scored today, is eye-
opening. Your preliminary grades would be two A's, one C, and 
21 F's, and if this area was incorporated into the overall 
grades, we would have three agencies going up and 12 down 
instead of the four up and five down currently.
    Only three agencies--Education, GSA, and USAID--have 
complete inventories of their software licenses. This is 
completely unacceptable, especially considering this 
committee's follow-up on FITARA with the passage of the 
complementary MEGABYTE Act. We need better management and more 
cost-savings in this area. Again, this is another opportunity 
area to fill the working capital funds proposed in the MGT Act.
    Next, I'd like to turn, Mr. Chairman, to CIO authorities 
and our ongoing work to this committee on CIO budget 
visibility, contract approval, and incremental development. The 
good news is we are hearing that FITARA is improving the 
relations between chief financial officers and chief 
acquisition officers. But these improved relations are going to 
take time to resolve in the outcomes we need. We are still 
finding CIOs with limited visibility into IT spending, IT 
contracts and acquisitions not being approved by CIOs, CIOs not 
certifying that all major acquisitions are taking an 
incremental approach, despite all these areas being required in 
FITARA. We plan to have these reports ready for your fifth 
scorecard, Mr. Chairman.
    The reason these authorities are needed is simple: because 
we need CIOs governing over all IT. We recently found another 
example of a failed IT acquisition with the Coast Guard's 
electronic health record that illustrates why CIO authorities 
need strengthened. Tens of millions of dollars were wasted, 
nothing was delivered, and when I recently with the admiral in 
charge, I asked this simple question: Was the CIO involved? The 
answer: Not then, but they are now with the new EHR 
acquisition. This is exactly why FITARA and strengthening CIO 
authorities are so critically important to have better delivery 
of Federal IT acquisitions and to more efficiently manage 
Federal IT operations.
    Although there have been some encouraging efforts with the 
current administration that highlight the importance of 
delivering technologies more effectively--namely, the Office of 
Innovation and the American Tech Council--agency CIOs and the 
Federal CIO are key to carrying out these high-level agendas. 
In fact, history tells us that the best progress we've seen on 
managing Federal IT is when the Federal CIO takes an active and 
aggressive role. This was a major theme that also emerged from 
the comptroller general's IT forum that we recently held with 
current and Federal CIOs. Currently, the Federal CIO and eight 
Department CIO positions are vacant, and although we have seen 
several capable individuals filling in, this lack of permanent 
leadership will negatively impact the progress we are making on 
FITARA. Your scorecard, Mr. Chairman, highlighting these 
vacancies will hopefully help draw appropriate attention to 
these critical positions.
    Chairmen Hurd, Meadows, Ranking Members Connolly and Kelly, 
thank you again for your continued leadership and oversight of 
Federal IT.
    [Prepared statement of Mr. Powner follows:]
    
    Mr. Hurd. Thank you, Mr. Powner.
    Now, I have been told that HHS has one statement, is that 
correct, in who will be delivering it?
    Ms. Killoran, you are recognized for your opening remarks.

                   STATEMENT OF BETH KILLORAN

    Ms. Killoran. Thank you. Good afternoon, Chairman Hurd, 
Chairman Meadows, Ranking Members Kelly and Connolly. Thank you 
for allowing the Department of Health and Human Services to 
come before you today.
    Since the passage of FITARA, HHS has been committed to 
making sure that we are cost-effective, provide high-quality IT 
that benefits the American citizens and the services by which 
we provide. This is a shared commitment both by the HHS CFO, 
our chief acquisition officer, our chief human capital officer, 
our mission programs, and myself. Together, we understand HHS's 
IT budget totals $14 billion and that the spending across our 
entire portfolio compromises--consists of a number of major 
investments at our operating divisions and our staff divisions.
    The leadership team strives every day to make sure that 
we're strategically leveraging IT to fulfill our mission and to 
make sure that we're providing health and human services that 
foster advances in medicine, public health, and social services 
so needed by our nation.
    As a result of this effort, so far, our implementation 
plan, we are actually able to accomplish 34 of the 39 
milestones set forward in our implementation plan and actually 
five additional ones just within the last month.
    One of the FITARA successes we've had is the establishment 
of a process and criteria for delegating authority to the 
operating division CIOs. As a large federated organization, we 
have to be able to identify, prioritize, validate, and verify 
our nonmajor IT acquisitions. I'm happy to say that, through 
the criteria that we've established, we've delegated 10 
different delegations to those operating division CIOs, and on 
a year basis I am personally responsible for providing input 
into the performance of those CIOs, and we evaluate that 
delegation on a year basis.
    We also have been able to increase our use of agile 
development. We seek to deliver IT-enabled functionality every 
six months. And this has been able to be accomplished through a 
process of improving our governance and integration, solving 
collaboration efforts through development teams, and by making 
sure that we integrate at all aspects with our customers.
    Over the last two years, the CFO and I have jointly held IT 
budget reviews to review, approve, or reject the IT budgets 
across our organization. The purpose of these budgets is to 
review and discuss how each of our operating divisions is 
looking at their IT budget and how they're prioritizing, 
addressing risk within their programs, aligning those IT 
dollars to agency priorities, and making sure that we 
understand not just the operating division proprieties but the 
enterprise ones as well.
    Two key accomplishments in this area to date is being able 
to increase the ability to add funding for our cybersecurity 
initiatives, which we have been able to over the last three 
years increase and has dramatic success; changing our budget 
from 1 percent overall to 5 percent in cybersecurity since 
2015.
    We also have been also making sure that we are looking at 
our legacy systems and making sure each of our organizations 
are prioritizing those legacy systems and how they are making 
initiatives and decisions to make the necessary changes to 
those systems to keep them secure and viable for those 
missions.
    Also in the stewardship, we're making sure that we are 
looking at planning, proactively managing our risk across our 
organization, and to continue to mature our risk management 
process and evaluation techniques as we update our IT 
dashboard. We conduct portfolio reviews at individual programs, 
and this year, we actually did one at Operating Division 
looking at the totality of their IT programs, which we will 
adopt and continue to improve and implement across the 
organization.
    For data center consolidation, we continue to make sure 
that we are looking at the outcome metrics, but we have a 
challenge around the continuing change in definition and the 
changing of the goals and requirements.
    We'll make sure that we are also adopting cloud technology 
as part of our strategy, and I will say that we have had 
success in this area, increasing our funding in cloud from $135 
million in 2015 to $600 million last year, and we think we'll 
have three-quarters of a billion dollars in cloud this year 
alone.
    In addition, we have to make sure we're looking at our 
workforce, and so I have partnered with our chief human capital 
officer to make sure that we're looking at our requirements to 
make sure we are--have the ability to attract, develop, and 
retain IT talent.
    Currently, we have 1,400 positions in our organization, 
3,000 of them overall, but we actually have an over-30-percent 
vacancy rate, which makes it critical for us to understand how 
to do this job better to have those resources.
    Finally, as HHS continues to move forward with 
implementation of FITARA, the Department has built a 
collaborative, integrated business foundation that promotes 
comprehensive governance across the Department where we can 
optimize our mission, make sure we provide secure IT services 
that meet the advances needed for effective and meaningful 
outcomes for citizens. Thank you.
    [Prepared statement of Ms. Killoran follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Hurd. Thank you.
    Dr. Holgate, you are up, five minutes.

                   STATEMENT OF RICK HOLGATE

    Mr. Holgate. Thank you, Chairmen Hurd and Meadows, Ranking 
Members Kelly and Connolly, and distinguished members of the 
committee. Thank you for inviting Gartner to discuss the FITARA 
scorecard.
    As the former CIO of the Naval Criminal Investigative 
Service and the Bureau of Alcohol, Tobacco, Firearms, and 
Explosives, I'm keenly aware of the challenges faced by Federal 
agencies in managing information technology. Both through my 
involvement with ACT-IAC and most recently as a research 
director at Gartner, an IT research and advisory firm assisting 
98 percent of the Fortune 100 serving over 10,000 global 
institutions and drawing on the experience of over 60,000 IT 
leaders in making smarter IT decisions, I've gained broad 
perspectives on more effective ways of using IT to further 
agency missions.
    Effective use of IT delivers strategic value and is viewed 
as a competitive differentiator. Successful organizations 
integrate their personnel and processes, including IT, to 
ensure the success of all of their initiatives, and they treat 
cybersecurity as part of an executive-level risk management 
program.
    With ever-accelerating changes and innovation, the 
commercial technology market, not to mention new and evolving 
cybersecurity threats, Federal agencies must get faster and 
better at acquiring, integrating, and maximizing the value of 
best-in-class technologies. FITARA is certainly a step in the 
right direction, but CIOs can only do so much on their own.
    First, the Federal Government must treat IT more 
strategically and engage agency leadership. Innovative and 
successful companies involve CIOs early and often on the front 
end of strategic planning to ensure that they are able to 
acquire the technology that enables their organizations to 
succeed. CIOs must be given the opportunity to shape and 
influence how IT enables the agency strategy early on.
    Second, improve acquisition, budget, and funding practices. 
Acquisition, budgeting, and funding can be impediments if they 
are too focused on inflexible compliance and risk aversion, as 
opposed to delivering business and mission outcomes. Adequate 
resourcing is also a concern. Transformational investments make 
up only around 21 percent of the Federal IT budget, while 
private sector firms spend about 30 percent. The average legacy 
system in the Federal Government is 14 years old compared with 
10 years in the private sector.
    Accelerating adoption of new technology is essential. 
Modernizing acquisition practices is equally important. Federal 
agencies must stop thinking of their IT as simply a call center 
and reimagine it as an engine for innovation and transformation 
and have the discipline to avoid instinctive cuts during 
periods of austerity.
    Agencies must also be better at using available funds. 
CIOs, program managers, acquisition personnel, and budget 
offices must work together in a better and more unified fashion 
to avoid delays and bad outcomes. Government-specific reforms 
such as increased access to multiyear funding, shared 
accountability models under FITARA, and meaningful maturity 
model reports to OMB and Congress could also improve government 
outcomes.
    Third, achieve greater visibility into agency activities. 
CIOs need better visibility into the business and contracting 
operations of the agency. The committee should consider 
clarifying FITARA's scope. Using an objective, proven 
rationalization methodology at both the infrastructure and 
application levels can reduce system duplication, achieve 
economies in savings, and improve commonality and 
interoperability. Adding commodity IT measures to the FITARA 
scorecard and empowering CIOs to undertake these activities and 
work further with shadow or business unit IT could 
substantially optimize IT costs and manage security risks while 
enhancing productivity.
    Fourth and finally, improve organizational competence. 
There are many men and women working for the Federal Government 
who are doing their best to manage a variety of IT systems from 
multiple generations to achieve agency goals. Still, we must 
improve overall competence. Successful businesses rapidly 
discard outdated technologies while hiring and empowering smart 
IT managers. In the Federal Government, we often see legacy 
technologies operating far beyond their end of life, while 
talented IT managers rotate too quickly to make any appreciable 
impacts. Capitalizing on expanded and improved human capital 
flexibilities can provide greater access to talent and better 
cross-disciplinary development opportunities.
    In addition, CIOs in the IT workforce require a high-
functioning team of finance, acquisition, H.R., security, and 
legal professionals for effective IT leadership. The absence of 
committed and skilled resources across all of these disciplines 
places an organization and its IT initiatives at elevated risk.
    Congress has a role to play here, too, in ensuring that 
agency planning, acquisitions, and funding are all unified. 
Initiatives such as the MEGABYTE Act, PMIAA, and the pending 
MGT Act all have productive solutions to offer, and I urge you 
to consider how each of these bills, as well as FITARA, 
integrate to make agencies smarter, more agile, and more cost-
effective.
    FITARA is a positive first step, and I encourage its 
extension and expansion. I suggest three particular additional 
steps: encouraging agency heads to articulate a clear strategy 
for leveraging IT to improve business and mission outcomes, 
including optimizing enterprise, not just IT costs; adjusting 
scoring metrics and methods to incentivize desired behaviors, 
and creating an integrated and streamlined approach for 
assessing progress and across the diverse reporting demands 
placed on agencies.
    Thank you for the opportunity, and I look forward to your 
questions.
    [Prepared statement of Mr. Holgate follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Hurd. Thank you, Dr. Holgate.
    I would like to now recognize the chairman, Chairman 
Meadows, for his first round of questions.
    Mr. Meadows. I thank you, Chairman.
    Thank each of you for your insightful testimony. Ms. 
Killoran or Ms. Conley, let me come to you. Out of the I guess 
it was $14 billion that you spend in IT, how much of that 
actually is grants to States?
    Ms. Killoran. Seven-point-two billion.
    Mr. Meadows. All right. So out of the $7.2 billion to 
States, which States are doing the best job of implementing 
that money?
    Ms. Killoran. So that--we would have to get back with you 
through our grants program because that is automatically done 
through our grants and is not actually part of what the CIO and 
CFO look at ----
    Mr. Meadows. So, you have no idea which State is doing--do 
you not see a problem with that?
    Ms. Killoran. Well, the way that the FITARA works--and we 
actually asked for clarification when the bill came out--is 
whether agencies should be responsible for the grants funding 
or not. And the guidance we got from OMB is that grants would 
be excluded from the oversight.
    Mr. Meadows. I agree with that. So, you are not having to 
focus on this $7.2 billion according to FITARA, is that 
correct?
    Ms. Killoran. That is correct, sir.
    Mr. Meadows. All right. So, let me ask you the follow-up 
question because I thought that is where we were going. If you 
are only having to look at the remaining balance, why are we at 
D's across the board? Why are we not making better progress? 
Because, you know, I can understand if it is a big number. Why 
are we not making better progress?
    Ms. Killoran. So, within the large Federal agencies--so, 
this is my third federated agency--so started at Treasury and 
then spent nine years and 11 years at DHS and now here. When 
you're in a large federated agency, it takes us a little bit of 
time to establish those foundations.
    Mr. Meadows. So, assuming that it takes a little bit of 
time, when are we going to see an improved score?
    Ms. Killoran. So, you'll actually see--when we talk a 
little bit, we actually have some cost savings that we have. We 
actually have a plan for the data centers. So, we ----
    Mr. Meadows. So, when are we going to see an improved 
score?
    Ms. Killoran.--expect--we're expecting to see some scores 
change within the next 12 to 18 months.
    Mr. Meadows. All right. So, Mr. Powner, let me come to you. 
Is their plan aggressive enough based on other agencies? Should 
we be expecting more?
    Mr. Powner. Yes, I think you should. So, I--clearly, they 
have a FITARA implementation plan they've made progress on, as 
Ms. Killoran has said. I think when you have the large Federal 
agencies, federated agencies, there's a real opportunity to go 
after that commodity IT because a lot of those components, 
there's an opportunity to look at duplication across those 
components.
    The other thing is when you look at the data for HHS on 
data centers, they've actually closed a lot of data centers and 
done a decent job on that, but there's not much in related 
savings. So, we need to look real hard at the related savings 
and also at their optimization ----
    Mr. Meadows. So, Ms. Conley, what happened to the money?
    Ms. Conley. Thank you very much for your question. Thank 
you very much for your question.
    In terms of what's happened to the money, at HHS, Beth 
mentioned we're a large federated organization.
    Mr. Meadows. Yes, I have only got five minutes.
    Ms. Conley. Yes. Okay.
    Mr. Meadows. Just what happened to the money?
    Ms. Conley. In many cases with these data center 
consolidations we have gaps in IT spending, meaning there are 
things that we need to do within our IT portfolio, and 
oftentimes, the savings that are realized through these 
different consolidation efforts and modernization efforts are 
plowed back into those respective systems and infrastructure to 
provide things that we know need to be done to provide secure, 
reliable ----
    Mr. Meadows. So, without oversight of Congress you are just 
reprogramming the dollars?
    Ms. Conley. So, many of those dollars are re-plowed into 
the very same systems and infrastructure ----
    Mr. Meadows. So, let me understand. You close down a data 
center and you plow it back into the same data center?
    Ms. Conley. Well, if I might give you an example with our 
financial systems modernization effort that we just upgraded 
our financial management systems in 2016. We moved to the cloud 
implementation. As part of doing that, we saved some money, but 
at the--and maintained our operations and maintenance costs at 
the same level, yet we were able to provide things like 
disaster recovery ----
    Mr. Meadows. All right. So ----
    Ms. Conley.--and more to--better value to the government ----
    Mr. Meadows. So, Ms. Conley, Ms. Killoran, let me be 
specific. We are looking very closely at these numbers, and it 
is going to have implications from an appropriations 
standpoint. So, let me come back to you, Mr. Powner. How much 
does DOD spend on IT annually?
    Mr. Powner. So, it's about close to 45 percent of the 
spend, which is $95 billion, so it's well into $40 billion 
range.
    Mr. Meadows. So about $40 billion, and I notice they got an 
F on the transparency and IT dashboard. I mean, why is that?
    Mr. Powner. So, what happened recently is there were about 
$15 billion that was on the dashboard that just went away. And 
what we understand is that it's been classified, we believe, 
under the national security system umbrella. And it's okay 
because there is an exemption for national security systems, 
but to have $15 billion magically appear under that umbrella 
doesn't seem right and ----
    Mr. Meadows. Well, it doesn't seem right to me either, and 
so here is what I would ask for you to do, and I will close 
with the chairman's indulgence. We are being asked to fund DOD 
above this $603 billion that the President has requested. In 
fact, some in our conference want it to be $640 billion. Take 
the message back to them, unless they get their heart right on 
this, there will be no support for increasing that. And I don't 
know how to make it any clearer. I will let my colleagues on 
the other side of the aisle talk about perhaps HHS and some of 
the others. But with DOD, it is going to require Republican 
votes to increase it, and I for one, unless they get their 
heart right on the transparency, am not going to be very 
supportive if you will take that to them if you would.
    Mr. Powner. Will do.
    Mr. Meadows. Thank you. I will yield back.
    Mr. Hurd. Ms. Kelly, you are now recognized for five 
minutes.
    Ms. Kelly. Thank you very much.
    In my opening statement, I talked about the hiring freeze 
that was ordered, and in April, the Office of Management and 
Budget issued a memorandum to all agencies requiring them to 
reduce their civilian workforces. The OMB memorandum fulfills a 
key objective of the President, and I quote, ``the long-term 
plan to reduce the size of the Federal Government's workforce 
through attrition.''
    Mr. Powner, is retention a critical factor in maintaining 
an effective IT workforce, and how so if so?
    Mr. Powner. Yes, clearly, you need to retain the good 
employees we have, but also, too, we have significant gaps when 
you look at the IT workforce not only from a cyber perspective 
but also with some of the other key disciplines, systems 
engineers and architects and the like. So that's always been a 
big challenge in the Federal Government.
    Ms. Kelly. I know we have talked about that before, and do 
we attribute it to just the lack of a pool to pick from and 
also the salaries we might not pay?
    Mr. Powner. Yes, that's true, and I think that's why it's 
critical that when you look at your IT workforce as a whole and 
some of the challenges with the salary challenges the Federal 
Government faces, you need to supplement that appropriately and 
be really strategic about how you do that with contractors 
because that can be done with contractors, and that right mix 
is what you really want to obtain.
    Ms. Kelly. Okay. Thank you.
    Dr. Holgate, in your assessment, can agencies make the 
necessary improvements under FITARA if they don't have the 
flexibility to hire new employees or replace vacancies?
    Mr. Holgate. Well, certainly, it's highly dependent on the 
approach that agencies take in responding to OMB M-17-22. 
There's latitude given in that memorandum and actually an 
encouragement for agencies to explore technology-enabled 
operational efficiencies and effectiveness. If agencies are 
adequately creative about their response to that memo, they 
should have the flexibility to be more creative and use IT more 
effectively in their response.
    The danger, frankly, is if they take a more reactionary 
tactical approach and treat it more as a cost-cutting exercise, 
in which case it can result in relatively haphazard across-the-
board reductions without that strategic foresight, without that 
projection for longer-term opportunities that they may be 
foregoing. So that's the danger in the memorandum itself is 
just the nature of the response by the agencies themselves. We 
haven't seen those responses yet in terms of how agencies are 
thinking about those challenges, but that's the key issue there 
is how are agencies going to actually shape their response.
    Ms. Kelly. Well, off the top of your head can you give an 
example of what being creative means, what that could mean or 
could look like?
    Mr. Holgate. Yes, so, for example, you know, leveraging the 
IT talent that they already have and possibly supplementing it 
with additional talent in the near term to enable them to 
automate traditional tasks or mission space, to be more 
creative across agency boundaries, to reimagine the way 
agencies deliver services. There are opportunities like that 
that require a certain amount of creativity and are critically 
dependent on IT to enable those types of opportunities.
    So, if agencies--again, if agencies treat this more as a 
cost-cutting exercise and in an across-the-board fashion, they 
may sacrifice those long-term opportunities just by virtue of, 
you know, reducing cost in the short term.
    Frankly, Gartner's written a lot of research on cost 
optimization at the enterprise level and the opportunities that 
IT can present with those opportunities. We've also written a 
fair amount about the risks of cost-cutting, in particular by 
taking a blanket approach and foregoing the future 
opportunities.
    Ms. Kelly. Thank you. Ms. Killoran, in your written 
testimony you state, ``Recently, HHS conducted an IT workforce 
inventory and we found that workforce shortages and ever-
increasing workload often create an imbalance that hinders 
employees' ability to attend training or obtain 
certification.'' This seems like a serious problem because, as 
your written testimony states, many of HHS's 3,000 IT workers, 
and I quote, ``do not have the diverse expertise necessary to 
support current Federal IT needs, including IT project and 
program management, architecture, or cybersecurity.'' Did I 
hear you correctly?
    Ms. Killoran. That is correct.
    Ms. Kelly. What are some of the gaps in skills in staffing 
that you attribute to the shortage in IT expertise at your 
agency that you mention in your written testimony?
    Ms. Killoran. So, we have--as Mr. Powner indicated, we have 
significant decreases of our needs in cybersecurity, enterprise 
architecture, systems engineering are the predominant areas 
where we have the most significant shortfalls, and then 
obviously programmatics as well.
    We actually have worked with our chief human capital 
officer to start building true capability and roadmaps on 
competencies that needed to be done for each of these areas all 
the way from a GS-5 up to what an SES would be. We have 
identified over 25 different critical positions at this point 
and have roadmaps for 11 of them.
    OMB and OPM have determined that this is a great model. We 
are actually helping to do the Federal CIO workforce community 
at this, and OPM is trying to adopt that model Federal-wide at 
this time.
    Ms. Kelly. I see my time is up, so I yield back.
    Mr. Hurd. I thank the gentlelady.
    Now, I would like to recognize the gentleman from 
California, Mr. Issa. You are recognized for five minutes.
    Mr. Issa. Thank you, Mr. Chairman.
    And I am going to follow up maybe just quickly. My question 
is one of timing. I am hearing people say we don't have enough 
resources, we don't have enough time. You know, I came to 
Congress in 2000, or was elected in 2000, sworn in first 
January 3rd of 2001. Basically, I was elected when Amazon was 
founded. In 2006, you know--well, I will give you 2009 Uber was 
founded, Instagram in 2012, Snapchat in 2014. In 2014, we took 
an $82 billion spending and said we were going to deliver to 
the CIOs real authority to do a job that it had previously not 
had budget authority, often--and at least in the case of the 
Affordable Care Act--had three nonprofessionals each pointing 
at the other saying they didn't have the ability to stop a bad 
project.
    We did that after we had written off in Dayton $1 billion 
at the Air Force, the Department of Defense, on a project where 
they simply got to the end of $1 billion in spending and said 
it won't procure parts accurately.
    So, I think this first question will be for the GAO. Mr. 
Powner, tell me, why is it I should accept that companies today 
will launch on Amazon and be world-class, global with apps that 
allow for tremendous ability to take labor out and put 
efficiency into things as complex as a million cars around the 
world being there when you want one? Why is it I have to accept 
that it takes four years and the progress is minuscule?
    Mr. Powner. Well, we shouldn't accept it. I mean, we spend 
now for the fiscal year 2018 budget that's north of $95 billion 
on IT, and we all know that a lot of that goes towards the old 
O and M. But 20 percent of ----
    Mr. Issa. We know the cost of a NOOK has gone down ----
    Mr. Powner. Yes.
    Mr. Issa.--if you are buying a desktop.
    Mr. Powner. But 20 percent of $95 billion is a lot of 
money. And here's the interesting thing is we do see pockets 
where we do it right, so we don't--I don't--we don't want to 
hear that you can't do it right. I mean, we see pockets within 
DOD, within the intelligence community. The weather satellite 
that we just launched that provides great weather warnings, I 
mean, yes, it took a little longer and maybe a little more 
money, but there are these pockets of success, so we need to 
continue to replicate that, hold CIOs and the agencies and 
actually agency heads accountable. I think some of the CIOs 
need some help from the agency heads to write these CIO 
authorities. And going back to the DOD story, I think DOD is 
the last organization in the world that should be exempt from 
FITARA. If any organization needs a private sector-type CIO, 
it's DOD.
    Mr. Issa. Oh, trust me, we negotiated to try to get less 
exemptions, and they have their own little world. Quite 
frankly, they said they had already fixed it with their earlier 
bill. And yes, we need to have less exemptions.
    But, Ms. Killoran, let me ask you a question, having been 
with three agencies and now as a CIO of this one. We gave you 
budget authority; we gave you the ability to work with your 
peers to look for, if you will, interagency opportunities. Have 
you taken advantage of any interagency opportunities where you 
looked at your other CIOs and said let's do this together? 
Let's go up on an Amazon cloud and have one common software 
platform that we can share for certain types of uses, whether 
it's H.R. or other areas?
    Ms. Killoran. So, at this time, not across the Federal 
agencies, but we ----
    Mr. Issa. But why not? Do you lack authority?
    Ms. Killoran. The--no, it's not a lack of authority. It's 
understanding what we have within our department first and 
understanding what we have and where those opportunities might 
be across the Federal Government. So, what we have done 
internally is trying to get our own house in order in 
understanding what we have first, and then that allows us to be 
able to start interacting better with the other Federal 
agencies.
    Mr. Issa. So, following up on that, cataloguing all the 
software and characterizing it is an element for CIOs to 
evaluate each other, right?
    Ms. Killoran. Yes, sir.
    Mr. Issa. And the potential cost savings if one agency is 
up on a cloud with a next-generation software that does 
something and the others are using, I don't know, a DEC Alpha 
or something, that means that you can get immediate savings if 
you only knew, right?
    Ms. Killoran. I think if there's a--that's a ``yes but'' 
because sometimes there are capabilities but then they have to 
be modified and altered based on security requirements and 
interfaces that different agencies need, but at least it would 
be nice to understand what's available.
    Mr. Issa. Well, once the student loan program gets fixed 
with its interface with the IRS, hopefully, it will be world-
class, so I agree with you that sometimes there are security 
problems.
    Let me just close with one question. When I hear that $7.5 
billion in grants and similar money at many other agencies were 
determined by the Office of Management and Budget not to be for 
the CIO to oversee in any way, shape, or form and thus, you 
know, basically avert the intention of FITARA, which was to 
give budget authority and financial control, just an opinion 
but I would like to hear your opinion. Should we speak to OMB 
and see if, in fact, they would rethink that?
    Ms. Killoran. I think understanding again that realm of 
possibility, and so just as you mentioned ----
    Mr. Issa. Because the act doesn't say it. That is an 
interpretation.
    Ms. Killoran. That's correct. But, I mean, to your point of 
realm of possibility, there are a number of capabilities and 
services that the grantees are given that might also help not 
only our Federal agency but others that are doing similar-like 
services. So being able to have some, especially when you're 
interfacing and having some commonality of services, if each of 
them is doing them in silos, it makes it very difficult to show 
those capabilities.
    Mr. Issa. Thank you. And, Mr. Chairman, that is not an 
original thought. Many of us remember when the Affordable Care 
Act gave many, many billions of dollars to various States, who 
essentially stood up the exact same platform but each one 
inventing it, some succeeding and some failing. This was part 
of the genesis for Mr. Connolly and I working on this.
    So, thank you for your indulgence. I yield back.
    Mr. Hurd. The gentleman from the Commonwealth of Virginia 
is now recognized.
    Mr. Connolly. I thank the chair. And just to follow up on 
Mr. Issa's point, obviously, if 100 percent of that $7.2 
billion in grants were designed to support 50-year-old legacy 
systems, and that is all it did, we would be very bothered by 
that and we wouldn't want you to persist in that investment. We 
would want you to pressure those grantees to upgrade their IT. 
So, at some point we are concerned about that, and you need to 
be, too. So, I echo what Mr. Issa had to say.
    Mr. Powner--and by the way, Dr. Holgate, thank you. Your 
testimony was terrific. I mean, I think you laid out a very 
powerful strategic framework for why this bill was passed and 
what we intend for it to achieve. And I just want to thank you. 
I think it was one of the best articulations of what we are 
about from a witness in a long time, so thank you.
    Mr. Powner, and thank you for all of the work you and GAO 
have done. You have done a marvelous job in making this not 
only a high-risk item but at the very top of the agenda. It is 
not sexy, but, Lord, can it lead to savings and more 
importantly, make us so much more efficient in delivering 
services to the people we serve. That is really what this is 
about.
    Why is data center consolidation so important? From your 
point of view, why is it such a high priority in the Issa-
Connolly bill?
    Mr. Powner. Well, we have very inefficient data centers 
that are out there. Remember, we got into this in 2010 because 
the average server in the Federal Government was utilized about 
10 percent. That metric now, the target is 60 percent of our 
servers, so we have underutilized equipment, underutilized 
facilities, and frankly, some of them are so old we could do a 
lot to improve our security posture, too, by upgrading these 
centers.
    And I do think, back to your sunset comment earlier, I 
mean, there's at least $1.5 billion that we're aware of that is 
on the table beyond 2018, and I think if you really press DOD 
and some of the other large organizations, there's probably a 
lot more.
    Mr. Connolly. In your 2016 report on this subject, you said 
that the consolidation plans could save taxpayers more than $8 
billion by 2019. Is that correct?
    Mr. Powner. That's correct.
    Mr. Connolly. How much has been saved to date?
    Mr. Powner. So, it's been about $3 billion of the $8 
billion has been saved to date, so pretty good progress.
    Mr. Connolly. Real money?
    Mr. Powner. Real money.
    Mr. Connolly. Bigger than the entire grant program of HHS, 
$8 billion, I mean.
    Mr. Powner. That's right.
    Mr. Connolly. I mean, my colleague Mr. Meadows made the 
point that we got to get our arms around the savings. If you're 
effectuating savings but we're not accounting for it, you know, 
the risk is people call it zero. So, Mr. Powner, could you 
comment on Ms. Killoran's explanation for why we have 
underreported or underachieved data center savings at HHS even 
though they are, in fact, doing their job; they are 
consolidating?
    Mr. Powner. Yes, I--there's been consolidations. The 
dollars are minimal when you look at the millions of dollars 
that have been reported there. It sounds like there's probably 
more that's not reported that are getting reinvested.
    I think the important thing here is the transparency, and 
back to the MGT Act, you want to create these working capital 
funds at departments and agencies for reinvestment. Let's make 
darn sure that the reinvestment is on the priorities, and if 
you don't have transparency, there's no assurance that it's on 
the priorities.
    Mr. Connolly. I would hope, Ms. Killoran--and it sounds 
like you would--you might sort of following the footsteps of 
USAID and reach out to GAO so we have a better mechanism for 
capturing the actual good work you are doing and the savings 
they are effectuating, but also that we in fact--where we are 
reinvesting, we are reinvesting in the priorities that Mr. 
Powner just talked about. Are you willing to do that?
    Ms. Killoran. So, thank you for the question, sir. We 
actually talked before the hearing to do just that.
    Mr. Connolly. Okay. Great. My final question because I know 
I am going to run out of time, Mr. Powner, why is DOD so 
obstinate? Why are they so resistant? And you heard Mr. Meadows 
say from a Republican point of view take back a message. I 
don't speak for all Democrats, but I think most of us on our 
side of the aisle would echo his sentiments. The enormous 
frustration that that is the biggest single appropriation of 
the Federal Government and it is getting bigger, and they seem 
to inoculate themselves from all norms of accountability. And 
it is very frustrating. For example, OMB directed agencies to 
submit plans for detailing data center consolidations, is that 
correct?
    Mr. Powner. Correct.
    Mr. Connolly. And what is the Department of Defense's plan?
    Mr. Powner. They didn't get it in on time. It recently did 
come in, but they were very, very late. By the time we wrote 
that report, it was not in.
    Mr. Connolly. So, were there other agencies also failing to 
submit?
    Mr. Powner. No, they were the only remaining one.
    Mr. Connolly. They were the only agency. And aren't they 
also the only agency yet to achieve what is called an 
unqualified audit of their books?
    Mr. Powner. That's correct. The comptroller general has 
testified ----
    Mr. Connolly. And don't they exempt themselves from what 
other civilian agencies subscribe to in terms of a GSA list of 
sort of off-the-shelf generic products that can be purchased at 
a lower cost?
    Mr. Powner. Yes, there's some of that.
    Mr. Connolly. Isn't this special? And didn't we have a 
hearing a few weeks ago in this committee about $125 billion, 
billion with a B, wasted by the Department of Defense that GAO 
uncovered?
    Mr. Powner. Yes. Yes.
    Mr. Connolly. A hundred and twenty-five billion, right? So, 
my final question, I am sorry, but why the resistance?
    Mr. Powner. I think when you look at the DOD accountability 
and organization structures, it's spread over too many 
organizations. You have the CIO shop, you got the management 
organization, you have the acquisition shop, and it's spread 
over those different organizations. And I think other than the 
CIO shop, IT doesn't get the right importance and visibility.
    When you look at the data center consolidation, at one time 
DOD alone was about $4.8 billion in savings. They backed off of 
that significantly. I think you really need to look at their IT 
spend. Look at embedded IT at DOD, weapons systems, satellite 
systems. I think a CIO type would really benefit some of those 
large acquisitions at DOD and help with the cost overruns and 
the lack of delivery.
    We've had some discussions recently with folks on the 
Senate side on--in terms of their authorization committee, and 
the--we just laid it on the table that when you look at 
embedded IT and other things at DOD, it would benefit from a 
private sector-like CIO type.
    Mr. Connolly. Thank you, Mr. Chairman.
    Mr. Hurd. The distinguished gentleman from the great State 
of Michigan is now recognized for his five minutes of 
questioning.
    Mr. Mitchell. Let me start, Ms. Killoran, as much 
entertainment as it would be to have the Department of Defense 
be here, and truly, I think everyone would be thrilled to have 
a discussion with them about their score, I would like to chat 
with you a little about your testimony. You indicated that 34 
of the 39 goals that you had set up for your implementation 
plan had been achieved or were on target. Is that accurate?
    Ms. Killoran. Yes, sir.
    Mr. Mitchell. Then how is it that you still have a D-minus 
score?
    Ms. Killoran. So, the goals that we have go to the 
different elements that are in the FITARA guidance provided by 
OMB, making sure that we are putting forward the things such as 
establishing delegations of authority ----
    Mr. Mitchell. Okay.
    Ms. Killoran.--reviewing our IT budgets.
    Mr. Mitchell. Mr. Powner, can you give me any guidance as 
to what you think that score will be shortly? Because a D-minus 
is not exactly stellar.
    Mr. Powner. Well, clearly, when you look--incremental 
development, they had a high score, so they're--HHS doing a 
good job there. The savings to--the two areas we score on 
savings, very low scores because of the reported savings on 
commodity IT and data centers. And then another thing, when you 
look at their dashboard, they're quite green. Only about 14 
percent of their investment dollars is red or yellow. That's 
really--that's not a lot of risk when you look at their 
investments, and they've got a lot of risky investments there. 
That's why they get a low score there.
    Mr. Mitchell. So, what do we expect--I appreciate that. You 
didn't give me much indication of what we expect their score to 
be in a year from now. I think we need to have an idea where we 
expect these agencies--what they expect of themselves to be 12 
months from now.
    Mr. Powner. Well, I would hope when we get the reported 
savings that within six months to a year we see an improvement 
in the score.
    Mr. Mitchell. I spent 35 years in private business. Only in 
government do we say things like we hope to see improvement, 
which, with all due respect, doesn't answer the question I 
asked, which was what do we think, what do we believe the score 
will be? I am talking about HHS; they are here. What do we 
believe it is going to be? Ms. Killoran, do you have an answer 
for me in what your target is for that score a year from now?
    Ms. Killoran. So, as I indicated, we are working to make 
sure that we are updating and working with GAO on our numbers. 
So, for example, one problem we have is around the savings. One 
is around the fact that, as Ms. Conley indicated, we are 
reinvesting those, so working with GAO how to capture the 
savings as we are reinvesting to show that at least we did save 
them in these particular areas. We are getting ready to post an 
$85 million savings in data centers onto the dashboard today. 
We are also working to make sure that we are modifying our 
investment capability to improve our acquisitions.
    Mr. Mitchell. Well, let me express this. I appreciate that. 
And it is obviously not just HHS. If this sheet came up at our 
monthly management meeting or my quarterly meeting with my 
board of directors, we wouldn't have been in business anymore. 
That much red and yellow--and we used the same scorecard, red, 
yellow, green--and obviously, paying attention to what is red 
and what is yellow was critically important. And we had goals 
in terms of when we were going to move those. And the problem I 
have across the board is we don't have dates, we don't have are 
we going to be green on this within the next year or yellow on 
this. It is we just hope to see improvement. And that is--in my 
opinion, to get improvement is wholly inadequate.
    Dr. Holgate, let me ask you a question real quickly because 
I am running out of time as well. You talk about cultural 
change needs that are needed in these agencies in order to see 
meaningful gains. One of the things I note in, again, the 
scoresheet is in many cases the agencies that have particularly 
bad scores--poor scores, let's put it that way--the CIO does 
not report to the Secretary or the Deputy Secretary. Now, let 
me explain to you, in my company the chief technology officer 
reported to me, and believe it or not, I knew where to find him 
24/7 because we couldn't get hacked with student data records. 
We could not have that happen.
    Give me some examples of how you think we--what we need to 
do to get the culture changes from these agencies so in fact it 
gets the attention it warrants?
    Mr. Holgate. Well, so one aspect I alluded to in my 
testimony about inviting agency heads to come in to explain to 
the committee what their attitude is toward IT on behalf of 
their CIO as an important enabler of business and mission 
outcomes that IT represents. And the question is do agency 
heads fully embrace that as an opportunity that they need to 
capitalize on, or do they treat IT as an afterthought and 
expense that must be minimized? And that's the cultural change 
I'm referring to because, frankly, most Federal agencies treat 
IT not as a strategic asset; they treat it as a headache that 
they need to minimize.
    Mr. Mitchell. Well, and because of that, correlated to that 
is because they treat it as an issue like that, we also get 
inadequate cybersecurity. The two go hand-in-hand. The cost of 
acquisitions and how we efficiently acquire technology is one 
thing, but if you are treating it basically as a nuisance, 
guess what, we have security risks on our IT, and we have seen 
them across the Federal Government.
    Mr. Holgate. Absolutely. And contrary to the private sector 
that treats cybersecurity as an enterprise risk issue, as I 
alluded to, that's a distinct cultural difference that the 
Federal Government hasn't adjusted to yet. We've seen repeated 
encouragement that the Federal Government has gotten to treat 
cybersecurity as an enterprise risk issue. We've seen some 
recent evidence of that in the cybersecurity executive order 
that was just recently issued, but we haven't seen that fully 
adopted yet at the Federal level.
    Mr. Mitchell. Well, I thank you. My time is expired.
    And, Mr. Chair, I would like to have a conversation with 
you at some time about how it is we mandate some structural 
change to these departments so that the CIO gets the attention 
it warrants. Thank you.
    Mr. Hurd. I am going to recognize myself for a little bit 
of time.
    I would like to start off by thanking the minority staff 
for the suggestion of Dr. Holgate to this panel because I think 
it has been very valuable.
    And, Dr. Holgate, am I paraphrasing you correctly when I 
say that agencies can make their IT centers not a cost center 
but something that drives business and mission outcomes?
    Mr. Holgate. Yes.
    Mr. Hurd. And is it fair to say that in order to achieve 
that, that the agency head needs to recognize the importance of 
cybersecurity, of how their IT networks drive business and 
mission outcomes?
    Mr. Holgate. Absolutely.
    Mr. Hurd. And would that also mean that having the CIO 
report directly to the agency head, isn't that an important 
step?
    Mr. Holgate. It's certainly relevant. It's not necessarily 
necessary based on the relationship that the agency head has 
with the CIO, but it would certainly be an indicator that the 
agency head has taken that much more seriously.
    Mr. Hurd. An indicator, great.
    Ms. Conley, you are the deputy assistant secretary, and you 
are the acting CFO?
    Ms. Conley. I'm no longer the acting CFO. We have another 
individual that's come in as part of the new administration 
that is the acting CFO. I'm the deputy assistant secretary for 
finance, as well as the deputy CFO.
    Mr. Hurd. So that is the position you are going to be in 
for some time?
    Ms. Conley. I believe so.
    Mr. Hurd. And you had previous experience in the private 
sector in helping provide financial management strategies to 
private sector companies, public sector?
    Ms. Conley. That's correct.
    Mr. Hurd. And how long have you been at HHS?
    Ms. Conley. Eleven years at HHS now.
    Mr. Hurd. So, Ms. Killoran does not report directly to the 
deputy or the agency head. I think that is a problem. Would you 
agree or disagree with that?
    Ms. Conley. I--it depends I think I would say. How do you 
like ----
    Mr. Hurd. Well ----
    Ms. Conley.--that pause? But I would say--so if I may ----
    Mr. Hurd. So, let me rephrase the question.
    Ms. Conley. Yes.
    Mr. Hurd. Why wouldn't Ms. Killoran report directly to you 
or the agency head?
    Ms. Conley. So, we actually--Beth and I are actually peers. 
We're both deputy assistant secretaries. She's in charge of 
information technology; I'm in charge of finance. And we have a 
suite of what we would call our CXO suite. So, it covers 
finance, it covers ----
    Mr. Hurd. So, who is your boss?
    Ms. Conley. My boss is the assistant secretary for 
financial resources, who then reports ----
    Mr. Hurd. And who is her boss?
    Ms. Conley. The assistant secretary for administration.
    Mr. Hurd. And who is the boss of the assistant secretary 
for administration?
    Ms. Conley. Both of those assistant secretaries report to 
the deputy secretary ----
    Mr. Hurd. And then the deputy secretary's boss is?
    Ms. Conley. The secretary.
    Mr. Hurd. If my count is right, that is like three people 
----
    Ms. Conley. Right.
    Mr. Hurd.--right, in between the IT center and the C suite 
or the head of the organization. Would you have ever advised a 
private sector company to organize their organization that way?
    Ms. Conley. Well, it would depend upon the span of control. 
So, if you have an organization that's headed up and the 
deputy, you look at the span of ----
    Mr. Hurd. Mr. Powner, does that make sense?
    Mr. Powner. I think if we want to have, as Dr. Holgate 
said, CIOs as strategic partners, you've got to report to the 
box at the top. And I think a key question is for the agencies 
at the head is what are the three things we're doing to 
transform our departments or agencies? Technology will be 
involved in that. And what's the role of the CIO in helping us 
get there? And I don't think you get the right answers to those 
questions, Chairman Hurd.
    Mr. Hurd. Ms. Killoran, $14.2 billion, that is the IT 
spend?
    Ms. Killoran. Thereabouts, sir, yes.
    Mr. Hurd. Seven-point-two billion is these grants ----
    Ms. Killoran. Yes, sir.
    Mr. Hurd.--which you don't have to oversee, so that is $7 
billion. How much control do you have of that $7 billion?
    Ms. Killoran. Of the grants, none.
    Mr. Hurd. No, the $7 billion.
    Ms. Killoran. Of the internal?
    Mr. Hurd. Yes.
    Ms. Killoran. So, through the delegation, I have authority 
over all of it.
    Mr. Hurd. So, you can stop any program ----
    Ms. Killoran. Yes, sir.
    Mr. Hurd.--from happening, and you could buy anything that 
you need to put on your system?
    Ms. Killoran. They would have to go through the 
organizations to--the appropriations go directly to our 
operating divisions.
    Mr. Hurd. So why do you not know what all software you have 
on your system?
    Ms. Killoran. So, for example, just in prepping for this 
hearing, over the last year just in Microsoft alone we have 
over 170 contracts that bought Microsoft products. And as you 
go through them, you have to go through individual resellers. 
To fix that problem, we're using the cybersecurity continuous 
diagnostics and mitigation capabilities so that we can 
inventory ourselves ----
    Mr. Hurd. So are you telling me that there is not software 
out there that would go out and figure all this out and spit 
back a ----
    Ms. Killoran. Yes, sir. And that's what I'm saying. That's 
what we're actually putting in place, and we'll be in some ----
    Mr. Hurd. Okay. And how long does that take?
    Ms. Killoran. So, we're putting that in place before the 
end of the year. So, we've done the hardware capability, and by 
the end of this fiscal year, we're putting in software ----
    Mr. Hurd. And what is taking six months to do that, to 
implement it?
    Ms. Killoran. So, the reason is that there have been 
challenges with working with DHS in getting the license we need 
and the capabilities because we far under-scaled what we 
thought we would need, and so making that gap so that we have 
the totality of the licenses we need to deploy.
    Mr. Hurd. Ms. Conley, does it make good financial sense to 
not know how many software licenses an organization has?
    Ms. Conley. No, sir, it doesn't, and that is something that 
we recognize the need to get control over so that we can make 
this a far more efficient process. It's very important. All the 
software we run in the Department is running off of software 
with licenses. That is a real opportunity for us to begin to 
consolidate and have greater sight across the organization to 
make better use of our licenses.
    Mr. Hurd. Ms. Killoran, how many times have you met with 
the good director of HHS?
    Ms. Killoran. The Secretary, sir?
    Mr. Hurd. Secretary, excuse me.
    Ms. Killoran. Since his appointment, three times.
    Mr. Hurd. And you have been in the position since 2014?
    Ms. Killoran. I started--in this position I started in 
December of 2015 and actually became the permanent CIO last 
July.
    Mr. Hurd. And how many times have you met with the number 
two?
    Ms. Killoran. Currently, obviously, our number two is 
vacant. The previous ----
    Mr. Hurd. The acting number two?
    Ms. Killoran. I have not met with the acting number two. 
Previous, though, the previous acting deputy secretary, we met 
almost biweekly, and I did also go to the secretary's quarterly 
meetings with all of the operating division heads.
    Mr. Hurd. Have either one of you all suggested to the new 
leadership team of HHS a reorganization of HHS to ensure that 
the CIO reports closer than three layers down from the 
Secretary of HHS?
    Ms. Conley. Well, as you may know, agencies are going 
through and implementing this new executive order and giving 
thoughts to ways in which we can reorganize our organizations 
to make them ----
    Mr. Hurd. Have you all come to a conclusion of where the 
CIO should sit?
    Ms. Conley. There has--it's still predecisional in terms of 
the results of those discussions.
    Mr. Hurd. Predecisional, I love that word. So, are you 
providing guidance, insight, perspective on where that should 
be?
    Ms. Killoran. So, the way that we're--the Department is 
looking at it is they actually looked at the totality of the 
work and how we do that better. I was personally involved in 
some of those working groups and made recommendations through 
that process.
    Mr. Hurd. And what were the recommendations?
    Ms. Killoran. So, they were around how to change the 
culture ----
    Mr. Hurd. Let me rephrase the question.
    Ms. Killoran.--and how to change ----
    Mr. Hurd. I am trying hard not to be like--your 
recommendation should be the CIO reports to the agency head or 
the true number two, all right? This is pretty standard 
practice in industry. It should be standard practice across the 
government. And if agency heads are supposed to be responsible 
for the ultimate protection of the digital infrastructure, the 
person that has the authorities to do that should be directly 
under them. So, this isn't complicated, so let's stop making it 
complicated. And since we are in a period of this new 
implementation with the perspective that the White House on 
this, which is right, suggests that you report directly to the 
person that is--where the buck stops. This isn't hard. This 
isn't hard. So forward it. And maybe we need to write a letter 
to them and say, hey, just everybody do this because this is 
ridiculous. And the fact that it is going to take six months to 
figure out all the licensing that you have makes zero sense.
    My last is--anybody else? Yes, Robin Kelly.
    Mr. Connolly. Oh, I am sorry.
    Ms. Kelly. This is not even really IT related, but, Mr. 
Powner, I know you have something to do with all the agencies 
under the Federal Government, and I was just saying to my 
colleague, it just sounds like there is just a lack of 
management structure, period, nothing to do with IT. Are all 
the agencies like this, like trying to decide who reports to 
whom or what the pecking order is?
    Mr. Powner. Well, it differs. I mean, there's--half of them 
report to the box, half don't, right? Some of them that report 
to the box still don't have authorities, some that don't report 
to the box do. I mean, it is so mixed, but I think the key is 
if you have a major--Chairman Hurd, back to your point. If you 
have a major cybersecurity breach at an agency, who are you 
going to call up in front of Congress for--to answer why. It's 
going to probably be that dep secretary, along with a few 
others. But I don't know why a dep secretary would not want to 
rely on a CIO to transform the agency and to secure an agency 
because if something happens, they're going to be the ones up 
here answering. Look what happened at OPM. It was the director 
of OPM that was up here answering questions, and it didn't fare 
very well for them.
    So, I think the focus on--keep pushing with your grades. I 
tell you what one thing that happened with your grades--I know 
you released them last night and there was some media 
articles--we have four agency CIO shops call GAO this morning 
and wanted to talk about the grades. That's good. That's a good 
thing. So, I'd say keep pushing.
    Ms. Kelly. And I am just asking because before I came here, 
I was the chief administrative officer of Cook County, and I 
know, you know, there were people that reported directly to me 
about what was going on. I had like 10 agencies under me. So, 
it just sounds so confusing. I am not blaming you. It just 
sounds so confusing and you need some advice from Dr. Holgate 
or something. It just sounds very confusing. Thank you.
    Mr. Hurd. Mr. Connolly.
    Mr. Connolly. I was just going to offer to cooperate with 
you, Mr. Chairman. I like your idea of maybe what we do is kind 
of inventory outstanding issues that could have been handled 
administratively and write a fairly comprehensive letter to our 
former colleague Mr. Mulvaney. He was a member of the 
committee. He is familiar with these issues. I think he would 
be receptive. And I would be glad to work with you, and I know 
Ms. Kelly would, too, I am sure on a bipartisan basis to get 
that done.
    Mr. Hurd. Yes, because when the next--thank you. I am going 
to recognize myself again. When the next cyber attack happens, 
right, and we have gone through all these conversations, guess 
what? We are dragging everybody up in front here. If we have to 
use subpoenas, we will. We have done it before; we will do it 
again. And I want to make sure that you have all the 
authorities you can. That is why we are working hard to get MGT 
because instead of putting some of that money back into some 
of--you know, buying services you may not need, why not use 
that money that you realize and that savings on the highest-
priority issues within your organization? That is the point of 
all this.
    And, Mr. Powner, why are the grades so bad when it comes to 
software licensing?
    Mr. Powner. That's a tough one because--we issued a report 
several years ago that--we had 22 of the 24 agencies had 
complete inventories. We've only had one uptick with three. 
Now, to be fair to the agencies, like at NASA there's a partial 
inventory that Renee Wynn there, their CIO, has used to achieve 
some savings. I think a key thing why we don't have complete 
inventories is the CIO authorities. I think there's pockets 
within these federated agencies that CIOs cannot--they don't 
have good visibility into what's going on. And I think it's a 
direct reflection on the CIO authorities why we don't have 
comprehensive software license inventories.
    Mr. Hurd. Good question. Ms. Killoran, my last question. 
You have roughly 3,000 employees within the IT shop. Do we have 
job descriptions for all of them?
    Ms. Killoran. There are job descriptions, but they vary. 
That's one of the things that we're working with both 
internally within HHS and now at a Federal level to try to have 
standard job descriptions for the same types of work. It has 
been a potential issue.
    Mr. Hurd. I didn't write my note down. You named it 
something.
    Ms. Killoran. So, we actually have competency roadmaps for 
each of our workforce, and we've done 11 of these competency 
roadmaps for particular IT series from a GS-5 all the way to--
up to an SES, including what certificates and skills they 
should have at each step.
    Mr. Hurd. And you are comfortable OPM can take what you all 
are doing and export that to other agencies?
    Ms. Killoran. Yes. We're actually in the process of doing 
that as we speak.
    Mr. Hurd. Do you have an idea of when that process should 
be completed?
    Ms. Killoran. So, the first step of that they are expecting 
to have done I think it's the first quarter of 2018. So, 
they're taking those 13 and trying to requalify them, yes.
    Mr. Hurd. Okay. That is really helpful on the next project 
we are trying to work on, so we have got to know what our gaps 
are in our IT staff.
    So, seeing no further business, without objection, the 
subcommittees stand adjourned. Thank you all for being here.
    [Whereupon, at 3:21 p.m., the subcommittees were 
adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]