b"<html>\n<title> - THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT (FITARA) SCORECARD 5.0</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n \n       THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT\n\n\n                         (FITARA) SCORECARD 5.0\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                         INFORMATION TECHNOLOGY\n\n                                AND THE\n\n                            SUBCOMMITTEE ON\n                         GOVERNMENT OPERATIONS\n\n                                 OF THE\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           NOVEMBER 15, 2017\n\n                               __________\n\n                           Serial No. 115-55\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                       http://oversight.house.gov\n\n                            _________ \n\n                U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n 29-502 PDF              WASHINGTON : 2018       \n\n
              Committee on Oversight and Government Reform\n\n                  Trey Gowdy, South Carolina, Chairman\nJohn J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, \nDarrell E. Issa, California              Ranking Minority Member\nJim Jordan, Ohio                     Carolyn B. Maloney, New York\nMark Sanford, South Carolina         Eleanor Holmes Norton, District of \nJustin Amash, Michigan                   Columbia\nPaul A. Gosar, Arizona               Wm. Lacy Clay, Missouri\nScott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts\nBlake Farenthold, Texas              Jim Cooper, Tennessee\nVirginia Foxx, North Carolina        Gerald E. Connolly, Virginia\nThomas Massie, Kentucky              Robin L. Kelly, Illinois\nMark Meadows, North Carolina         Brenda L. Lawrence, Michigan\nRon DeSantis, Florida                Bonnie Watson Coleman, New Jersey\nDennis A. Ross, Florida              Stacey E. Plaskett, Virgin Islands\nMark Walker, North Carolina          Val Butler Demings, Florida\nRod Blum, Iowa                       Raja Krishnamoorthi, Illinois\nJody B. Hice, Georgia                Jamie Raskin, Maryland\nSteve Russell, Oklahoma              Peter Welch, Vermont\nGlenn Grothman, Wisconsin            Matt Cartwright, Pennsylvania\nWill Hurd, Texas                     Mark DeSaulnier, California\nGary J. 
Palmer, Alabama              Jimmy Gomez, California\nJames Comer, Kentucky\nPaul Mitchell, Michigan\nGreg Gianforte, Montana\n\n                     Sheria Clarke, Staff Director\n                  Robert Borden, Deputy Staff Director\n                    William McKenna, General Counsel\n   Troy Stock, Subcommittee on Information Technology Staff Director\n                         Kiley Bidelman, Clerk\n                 David Rapallo, Minority Staff Director\n                 Subcommittee on Information Technology\n\n                       Will Hurd, Texas, Chairman\nPaul Mitchell, Michigan, Vice Chair  Robin L. Kelly, Illinois, Ranking \nDarrell E. Issa, California              Minority Member\nJustin Amash, Michigan               Jamie Raskin, Maryland\nBlake Farenthold, Texas              Stephen F. Lynch, Massachusetts\nSteve Russell, Oklahoma              Gerald E. Connolly, Virginia\n                                     Raja Krishnamoorthi, Illinois\n                                 ------                                \n\n                 Subcommittee on Government Operations\n\n                 Mark Meadows, North Carolina, Chairman\nJody B. Hice, Georgia, Vice Chair    Gerald E. Connolly, Virginia, \nJim Jordan, Ohio                         Ranking Minority Member\nMark Sanford, South Carolina         Carolyn B. Maloney, New York\nThomas Massie, Kentucky              Eleanor Holmes Norton, District of \nRon DeSantis, Florida                    Columbia\nDennis A. Ross, Florida              Wm. Lacy Clay, Missouri\nRod Blum, Iowa                       Brenda L. 
Lawrence, Michigan\n                                     Bonnie Watson Coleman, New Jersey\n                                     \n                                     \n                            C O N T E N T S\n\n                              ----------                              \nHearing held on November 15, 2017\n\n                               WITNESSES\n\nMr. Dave Powner, Director of IT Management Issues, Government \n  Accountability Office\n    Oral Statement\n    Written Statement\nMr. Max Everett, Chief Information Officer, Department of Energy\n    Oral Statement\n    Joint Written Statement\nMs. Alison Doone, Acting Chief Financial Officer, Department of \n  Energy\nMr. John Bashista, Director of Acquisition Management, Department \n  of Energy\nMs. Barbara Helland, Associate Director of Advanced Scientific \n  Computing Research, Department of Energy\n\n                               Panel II:\n\nMr. Dave Powner, Director of IT Management Issues, Government \n  Accountability Office\n    Oral Statement\nMr. Wade Warren, Acting Deputy Administrator, U.S. Agency for \n  International Development\n    Oral Statement\n    Written Statement\nMr. Jay Mahanand, Chief Information Officer, U.S. Agency for \n  International Development\nMr. Reginald Mitchell, Chief Financial Officer, U.S. 
Agency for \n  International Development\n\n                               Panel III:\n\nMr. Dave Powner, Director of IT Management Issues, Government \n  Accountability Office\n    Oral Statement\nMs. Althea Coetzee Leslie, Deputy Administrator, Small Business \n  Administration\n    Oral Statement\n    Written Statement\nMs. Maria Roat, Chief Information Officer, Small Business \n  Administration\nMr. Tim Gribben, Chief Financial Officer, Small Business \n  Administration\n\n                                APPENDIX\n\nOpening Statement of Ranking Member Gerald E. Connolly\nMemo from Mr. Max Everett to the Secretary of the Department of \n  Energy regarding the designation of the CIO as direct report to \n  the Secretary, submitted by Chairman Hurd\n\n\n       THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT\n\n\n\n                         (FITARA) SCORECARD 5.0\n\n                              ----------                              \n\n\n                      Wednesday, November 15, 2017\n\n                  House of Representatives,\n Subcommittee on Information Technology Joint with \n             Subcommittee on Government Operations,\n              Committee on Oversight and Government Reform,\n                                                   Washington, D.C.\n    The subcommittees met, pursuant to call, at 2:45 p.m., in \nRoom 2154, Rayburn House Office Building, Hon. Will Hurd \n[chairman of the Subcommittee on Information Technology] \npresiding.\n    Present: Representatives Hurd, Amash, Massie, Gianforte, \nBlum, Kelly, Connolly, Norton, and Krishnamoorthi.\n    Mr. Hurd. 
The Subcommittee on Information Technology and \nthe Subcommittee on Government Operations will come to order.\n    Without objection, the chair is authorized to declare a \nrecess at any time.\n    And I now recognize myself for 5 minutes for my opening \nremarks.\n    Good afternoon. I appreciate you all being here today. \nToday's hearing is part of this committee's continuing \noversight of Federal IT. This began with GAO's high-risk report \nand the designation of IT acquisition on that report back in \nFebruary of 2015, and it's been a priority of ours ever since.\n    And due to the importance we place on this issue, our \ncommittee staffs worked with GAO to develop a scorecard to \nassess agencies' FITARA implementation efforts. This bipartisan \nscorecard has been issued every 6 months, beginning 2 years ago \non November 4, 2015.\n    The scorecard has evolved each iteration in response to GAO \nrecommendations and stakeholder feedback. Scorecard 5.0 adds a \nfifth graded category to assess agencies' management of \nsoftware licenses. We previewed this category as part of \nscorecard 4.0. For scorecard 6.0, a measure of whether agencies \nhave established working capital funds as authorized by the MGT \nAct, which I was pleased to see included in the final NDAA, \nwill be made a part of the scorecard.\n    Ultimately, I'd like to see the scorecard evolve beyond \nFITARA implementation to more of a digital hygiene score for \nagencies. Adding MEGABYTE implementation to this scorecard is a \nstep in that direction.\n    The inclusion of software licensing had a negative overall \nimpact on the grades. Since the last scorecard, 3 agencies' \ngrades increased, 15 agency grades stayed the same, and 6 \ndecreased. If software licensing were not included, 8 agencies' \ngrades would have increased, 14 would have stayed the same, and \n2 would have decreased. 
So progress is being made, just not as \nquick as it should be and needs to be.\n    Legacy IT is a continuing fiscal and cybersecurity risk to \nour Nation. Those 17 agencies received an F on this new metric \nfor the FITARA scorecard 5.0. It is worth noting that each of \nthese agencies has efforts underway to create and use an \ninventory of software licenses.\n    I hope to hear from each agency today how they plan to \nimprove their score in this area. I also hope to hear from Mr. \nPowner, his thoughts on where we will be governmentwide on this \nmetric in 6 months for scorecard 6.0.\n    Today's hearing features three panels, with officials from \nthe Department of Energy, the United States Agency for \nInternational Development, and the Small Business \nAdministration. Their grades are a D-plus, A-minus, and C-\nminus.\n    As always, I'm honored to be exploring these issues in a \nbipartisan fashion with my friend and ranking member, the \nHonorable Robin Kelly, from Illinois. I'm also pleased to be \njoined by Chairman Meadows and Ranking Member Connolly from the \nGovernment Operations Subcommittee. I could not have asked for \nbetter partners in the effort to modernize technology in the \nFederal Government. And I thank my colleagues and the witnesses \nand all who have joined us in person, and for those folks who \nare watching online, for participating today.\n    I now recognize my friend, the ranking member of the \nInformation Technology Subcommittee, Ms. Kelly, for 5 minutes \nand her opening statement.\n    Ms. Kelly. Before we begin today's hearing, I also want to \nthank you, Chairman Hurd, Chairman Meadows, and Ranking Member \nConnolly, for your steadfast leadership as our subcommittees \ncontinue working together to oversee the improvement of Federal \nIT systems. I'm glad to have such great partners in this \nendeavor.\n    Improving the efficiency and security of the Federal \nGovernment's IT systems is essential to our Nation's security. 
\nCrucial to that effort is the ongoing oversight conducted by \nour subcommittees to hold agencies accountable for implementing \nkey aspects of the Federal Information Technology Acquisition \nReform Act. An important part of that oversight has been the \nscorecard our subcommittees developed for grading agency \nprogress and meeting the FITARA requirements.\n    Today, our subcommittee released the fifth version of the \nscorecard. It's been 2 years since we released the first one \nand held our first hearing on this issue. Since that time, \nwe've strengthened the role of the CIO at many agencies, \nincreased transparency in project management, and we've saved \nbillions of taxpayer dollars. I'm proud of the work we've \naccomplished together so far.\n    The new scorecard, however, shows that progress is \ndifficult and that we still have a long way to go. For example, \nas the chairman talked about, while some agencies like the U.S. \nAgency for International Development has done well, going from \na D in 2015 to an A-minus today, others like the SBA has fallen \nbehind and gone from D in 2015 to a C-minus today.\n    Overall, the grades for only three agencies went up on the \nscorecard, 15 stayed the same, and 6 actually went down. The \nscorecard makes clear that agencies still have a long way to go \nto address the challenge of reducing the growing number of \nFederal data centers.\n    The FITARA Enhancement Act that was introduced by Ranking \nMember Connolly earlier this year would extend the timeline for \nagencies to close any unneeded data centers. The bill will also \nprovide greater support to agency CIOs in their effort to \neliminate and consolidate large numbers of data centers.\n    Since the release of the last scorecard, the subcommittees \nhave added software licensing as a metric of performance to \nthis one. 
The overall grades in this category indicate that \nagencies are struggling when it comes to the management of \ntheir software licenses.\n    I am concerned about this most recent scorecard \nperformance, and look forward to hearing from today's agencies \non the struggles and challenges they are facing in FITARA \nimplementation and how Congress can be more helpful.\n    There is simply too much at stake when it comes to FITARA. \nThis isn't just about saving taxpayer money; it's about \nimproving the overall general hygiene of the Federal \nGovernment, and the scored metrics here are the basics of \nrunning any shop.\n    I want to thank the witnesses for testifying today.\n    Mr. Powner, you might just be the most popular witness on \nthe Hill. This is your fifth hearing with us on FITARA. I'm \nalso looking forward to hearing from all the agencies here \ntoday. Thank you so much.\n    Thank you, Mr. Chair.\n    Mr. Hurd. Thank you, Ranking Member.\n    And when the other members get here and want to do opening \nremarks, we can do that at the next panel. But let's go ahead \nand get into our first panel.\n    I'd like to introduce the witnesses. As the gentlewoman \nfrom Illinois recognized, Mr. Dave Powner, one of probably--\nholds the record of number of times coming before this \ncommittee, the director of IT management issues at the \nGovernment Accountability Office.\n    Max Everett, chief information officer at the Department of \nEnergy; Ms. Alison Doone, acting chief financial officer at the \nDepartment of Energy; and Mr. John Bashista, director of \nacquisition management, also at DOE; and Ms. Barbara Helland, \nassociate director of advanced scientific computing research at \nthe Department of Energy. 
Appreciate you all being here.\n    And pursuant to committee rules, all witnesses will be \nsworn before you testify, so please rise and raise your right \nhand.\n    Do you solemnly swear or affirm that the testimony you're \nabout to give is the truth, the whole truth, and nothing but \nthe truth, so help you God?\n    Thank you.\n    Let the record reflect all witnesses answered in the \naffirmative.\n    In order to allow time for discussion, please limit your \ntestimony to 5 minutes, and your entire written statement will \nbe made part of the record. As a reminder, the clock in front \nof you shows your remaining time. The light will turn yellow \nwhen you have 30 seconds left, and the red is when your time is \nup. Please also remember to push the button to turn on your \nmicrophone before speaking.\n    And now I'd like to recognize Mr. Dave Powner for his \nopening remarks.\n\n                       WITNESS STATEMENTS\n\n                    STATEMENT OF DAVE POWNER\n\n    Mr. Powner. Chairman Hurd, Ranking Member Kelly, and \nmembers of the subcommittees, I would like to thank you and \nyour staff for your continued oversight on the implementation \nof FITARA with this fifth set of grades.\n    We've added a fifth category to grades, software licensing, \nat your request, so now the FITARA scorecard covers five of the \nseven major areas of this law. Overall, three agencies' grades \nwent up: Education, OPM, and SBA; 6 went down; and 15 remained \nthe same. Of the six that went down--Energy, DHS, HUD, \nTransportation, EPA, and Justice--none had a software license \ninventory, and received Fs in this subcategory.\n    Regarding the software license area, 6 months ago when you \npreviewed this area with scorecard 4.0, only three agencies had \ncomplete inventories. Now, seven do. And six of these seven \nreport savings in this area: Ag, Education, GSA, NASA, VA, and \nUSAID. Those six received As for this. 
Labor gets a C, and 17 \nagencies without inventories receive Fs. Progress, but clearly \nnot enough, given that this was a major section of FITARA and \nwas followed up with the MEGABYTE Act.\n    Another area where significant progress needs to be made is \noptimizing data centers. SSA, EPA, and GSA report solid \nprogress against the five optimization metrics. Education and \nHUD are out of the data center business, as they no longer have \nany agency-owned data centers. The other 19 agencies have a \nways to go to optimize these centers.\n    The key point here is that additional and substantial \nsavings can still be realized as we see better utilization of \nthese facilities and equipment.\n    I'd like to conclude this overview by thanking this \ncommittee, Chairman Hurd and Meadows, and Ranking Members Kelly \nand Connolly, and your dedicated staff, not only for your \nconsistent and thorough oversight of FITARA, but also for your \nfollowup with the FITARA extension and the MGT Act to give \nagencies more time to implement more completely and to provide \nadditional avenues for reinvesting savings in modernization \npriorities.\n    Now turning to the Department of Energy. Energy plans to \nspend about $1.8 billion on IT this year. About half of this \nspending is for IT programs at the National Nuclear Security \nAdministration. Energy's grades have fluctuated over the five \nscorecards between Fs and Cs, and their current grade is a D-\nplus.\n    The plus here is of major significance, and I would very \nmuch like to commend Max Everett and the Department's \nleadership as Energy is the only agency that has elevated their \nCIO reporting since FITARA was enacted.\n    Another positive note is in the area of incremental \ndevelopment where they received an A. 
This is consistent with \nthe report that we just issued on this topic where Energy was \nonly one of four agencies that had incremental certification \npolicy consistent with OMB guidance in FITARA.\n    Turning to areas where Energy needs to improve, let's start \nwith CIO tenure. Since 2004, the average CIO tenure at Energy \nhas only been 1.7 years. This is a major issue and reason why \nIT has not been effectively managed.\n    On data centers, Energy is reported saving $21 million \nbetween 2012 and 2017. However, they report not meeting any of \nthe five metrics and have no additional planned savings. Their \nclosures will fall short of OMB's goals for both small and \nlarge centers. The bottom line here is that if you're short on \nmetrics, there is likely more closures and savings to be had.\n    Energy's software license inventory is not complete. It \ncovers CIO-controlled licenses, and they're working on \ncompleting the inventory for the other components.\n    Finally, I'd like to note that our work for this committee \non IT budgeting and CIO authorities shows that Energy's CIO has \nchallenges in the area of IT budgeting and execution, meaning \nthat there needs to be more visibility into the IT budget and \nbetter governance over their important system acquisitions.\n    Mr. Chairman, this concludes my comments on the Department \nof Energy.\n    [Prepared statement of Mr. Powner follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n        \n    Mr. Hurd. Thank you, Mr. Powner.\n    Now every agency is going to provide one oral remark, and I \nbelieve, Mr. Everett, you're going to do that for Department of \nEnergy. So now you're recognized for 5 minutes.\n\n                    STATEMENT OF MAX EVERETT\n\n    Mr. Everett. 
Good afternoon, Chairman Hurd and Ranking \nMember Meadows, Ranking Member Kelly, and Ranking Member \nConnolly, and distinguished members of the committee.\n    On behalf of the Secretary and deputy secretary, I want to \nthank you for inviting me to testify about the Department of \nEnergy's implementation of FITARA. FITARA and its cybersecurity \ncomplement, FISMA, provide me the authority I need to manage \nDOE's information technology resources and cybersecurity \nprogram.\n    I would also like to just mention, my colleagues have come \nup here who are helping us, that you introduced, they are going \nto be a critical part of telling you about the progress we're \nmaking at the Department.\n    I would also like to acknowledge the dedicated career and \ncontractor IT and cybersecurity professionals across the \nDepartment whose critical efforts transcend changes in \nadministration. The team provided me a strong baseline from \nwhich to build, specifically, Mr. Robby Green, who did an \noutstanding job as the acting DOE CIO prior to my appointment.\n    In order to effectively exercise FITARA responsibilities, I \nnow report directly to the Secretary and deputy secretary, as \nMr. Powner noted. They recognize not only the statutory \nrequirement for this, but the best practice for public and \nprivate sector organizations to have technology leadership \nrepresented at the executive level.\n    This change originated with a secretarial memorandum, and \nis reflected in the DOE organizational chart. I have regular \nmeetings with the deputy secretary who every month calls to \norder the Department's senior leadership to evaluate progress \non DOE's IT and cybersecurity strategic goals. My reporting and \nworking relationships with them are evidence of the success of \nthis FITARA requirement. 
Direct access to senior leadership is \ncritical to effective IT management at the program office level \nas well.\n    My office is developing guidance to program offices with \nembedded CIOs or officials with CIO-like functions, that they \nfollow the FITARA reporting model and elevate these officials \nto a direct reporting relationship with their respective senior \nleadership.\n    The deputy secretary has instructed that my office should \nbe engaged in the hiring process for any IT management series \n2210s across the Department. Both at DOE and throughout Federal \nGovernment, the traditional outdated model of an IT worker is a \nchallenge. We need professionals with multidisciplinary skills, \nnot just the coding and network and typical skills that we look \nat for IT professionals.\n    With respect to consolidation and optimization of data \ncenters, we've closed 84 data centers since 2010, resulting in \nsavings of approximately $21 million, and plan to shutter \nanother 11 more by the end of fiscal year 2018. That said, we \nneed to do more in this area, which is why we're examining ways \nto effectively accelerate that process.\n    One catalyst for optimizing DOE data centers is our \nexpanded use of cloud services. Our diverse department with 97 \nsites in 27 States can see significant value from increasing \nour use of cloud computing.\n    The National Labs are an integral component of the \ndepartment, and as CIO, I engage with the labs through a number \nof means, including the annual laboratory planning and \nappraisal reviews. I have the opportunity to comment on \nNational Lab IT activities and can refocus our efforts to \naddress our concerns through development of performance \nevaluation and measurement plans, which define notable outcomes \nthat the labs must meet in the coming year. I have regular \nmeetings with our National Lab CIOs. 
I also speak regularly \nwith the National Lab directors, as well as the lab operating \nboard and participate in their governance meetings.\n    DOE is closely monitoring the pending MGT Act to leverage \nany benefits that come out of that. We intend to use FITARA as \nwell to continue to be more granular and transparent in our IT \ncost in order to prioritize the digital transformation that we \nneed to undertake as a department.\n    In detailing the changes, improvements, and the many \nchallenges that I have seen, it's been my aim to demonstrate \nthat our department is moving in the right direction. The \nDepartment's IT and cybersecurity governance mechanisms are \ninclusive, transparent, and we're seeking to facilitate timely \nperformance of our diverse mission.\n    I firmly believe we're continuing to advance and improve, \nwhich would not be possible without the authorities granted by \nFITARA. I'm encouraged by the interest and the efforts of this \ncommittee and the efforts as well shown by our leadership at \nthe Department, and I look forward to achieving those shared \ngoals.\n    It's been my distinct honor to testify here today. And I \nwould be pleased now to address your questions. Thank you.\n    [Prepared joint statement of Mr. Everett, Ms. Doone, Mr. \nBashista, and Ms. Helland follows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Mr. Hurd. Thank you, Mr. Everett.\n    Now I'm going to recognize the gentleman from Montana, Mr. \nGianforte, for 5 minutes of questions.\n    Mr. Gianforte. Thank you, Mr. Chairman and Ranking Member \nKelly.\n    I'm new on the Hill. I spent my career in the private \nsector doing IT deployments for large organizations, including \ndeployments at 170 Federal agencies. So I very much appreciate \nyou each being here.\n    I wanted to focus on three specific things: First, for Mr. \nPowner generally and then Mr. 
Everett specifically at DOE, \naround some best practices that are used in the private sector \nand to what extent they're present. You've already mentioned \none, Mr. Everett, the movement to the cloud. Why don't we start \nthere.\n    I'm curious, Mr. Powner, to what extent is movement to the \ncloud a priority within the agencies that you work with and \naudit? And do you have any metrics around percentage of \nenterprise applications moved into cloud facilities?\n    Mr. Powner. I don't have good metrics on those percentages, \nbut we have tracked movement to the cloud as a percentage of \ntheir IT budget. That's been somewhere in like--on average, \nit's about 4 to 5 percent when you look at agencies' IT budget.\n    So the bottom line on this is clearly there needs to be \nmore movement to the cloud. You know, we started this years \nago, and the security was the big concern, and then you had the \nintel community going to the cloud. Folks felt more comfortable \nwith that. We clearly need to go more to the cloud.\n    I think when you look at the data center situation, there \nare about at least a third of the agencies that project they're \ngoing to be nowhere near optimizing their centers, and they \nought to be looking to outsource that and go towards the cloud, \nyou know, for many of those data centers and everything.\n    A couple agencies are already out of the business. We \nprobably need a few more of them if they can't manage this more \neffectively.\n    Mr. Gianforte. And when you say cloud, do you mean \nconsolidated data centers or are you actually moving to more \ncommercial, multi-tenant applications?\n    Mr. Powner. It's all over the board. There's--you know, \ninfrastructure is a service. You've also got software as a \nservice. So it's both the infrastructure and some of the \napplications.\n    Clearly, when you look at the commodity or business \nsystems, there is--that's kind of a no-brainer. 
In a lot of \nthose areas we ought to be going more towards cloud services. \nThere is some big applications, electronic health records, I \nknow we've talked to the chairman about this a lot, with the VA \nand DOD going to the common electronic health record. There's \ncommercial products that are out there.\n    Mr. Gianforte. Mr. Everett, at DOE.\n    Mr. Everett. Sure. So I would certainly address, across the \nFederal Government, I think the numbers are disappointing. At \nDOE, I think they're--you know, having come in, I think they're \nvery disappointing. We need to be moving much more quickly on--\nagain, I think you hit on that--the commodity IT activities we \nneed to move more quickly to the cloud. I think that will help \nus certainly with data center. I think there is some value to \nmoving out of Federal data centers into hosted environments, \nnot as an end goal, but I think that starts to break some of \nthe workforce and cultural challenges we have.\n    We've got to have the right skill sets to make a move to a \ncloud. It's a different--it is different skill sets. It's much \nmore about managing services, managing service levels, rather \nthan managing people and sort of the turning dials. We've got \nto do a lot of work around that. Those things have to go \ntogether. I believe they can go together in peril.\n    In some cases, you know--frankly, my hope is that we just \nfind some things and rip the Band-Aid and just move things. \nWe've got a lot of commodity things that should, frankly, be \nable to move very quickly to the cloud.\n    Mr. Gianforte. Yeah. As we talk about these scorecards, it \nmight be interesting to look at what percentage have we moved \nto the cloud. 
I know in our own experience doing these \nenterprise deployments, an off-the-shelf cloud deployment \ntypically can speed deployment by 5X and typically reduces \noperating cost by 80 percent over the life of the system, and \nthat's just good for taxpayers and it's better from a security \nperspective.\n    The second area I want to talk on, you mentioned the \nshortage of labor, particularly in the cybersecurity area. One \nof the practices in the private sector is the use of commercial \nthird-party firms for either cybersecurity audits or \npenetration testing. To what extent is that a general practice, \nMr. Powner, and then specifically at DOE?\n    Mr. Powner. I think when you start looking at contractors \nand third parties, it's pretty heavy in the Federal Government. \nI think the challenge in the Federal Government is having \nenough of an IT workforce to oversee those contractors. I mean, \nbecause we've got prime contracts and then you've got program \nmanagement that's being outsourced to private sector firms. \nClearly, the security penetration tests and all that, that's \ngoing out.\n    So the challenge, I think, in the government is having \nenough of qualified IT workforce to oversee those key contracts \nwhere we don't have the internal skills.\n    Mr. Gianforte. Okay. Mr. Everett, we have about 30 seconds.\n    Mr. Everett. I would concur with that. I think one of our \nchallenges is we're, you know--frankly, we're very contractor \nheavy. We depend on the skills that our contractors bring, but \nwe need--our Federal workforce has got to have some skills in \nterms of, again, managing them, managing business requirements, \nmanaging the budgets around that. I think those are a critical \nelement to doing that. And we've got--and, again, that takes \nsome of the Federal workforce. They have to know the right \nquestions. 
They have to be looking for the right solutions to \nthen bring in the proper contracting and talent and capability.\n    And I think you know that recruiting, you know from your \nprivate sector experience as I do, that's an extraordinary \nchallenge we face right now.\n    Mr. Gianforte. Yeah. Okay. Thank you.\n    I yield back, Mr. Chairman.\n    Mr. Hurd. The gentleman yields back.\n    I now recognize Ms. Kelly for 5 minutes of questions.\n    Ms. Kelly. Thank you, Mr. Chair.\n    The committee's scorecard shows that since the release of \none of its last scorecards, June 2017, many agencies appear to \nhave hit roadblocks in their progress under FITARA. For \nexample, as we've talked about, the current scorecard shows \nthat the overall letter grades for 15 agencies stayed the same, \n6 went down, and only 3 increased.\n    Mr. Powner, in which of the five key areas of FITARA that \nwas scored has GAO found agencies are struggling the most?\n    Mr. Powner. Well, clearly, when you look back on the 4.0, I \nthink the data center optimization, because we added the \nmetrics category there, it wasn't just based on savings, and \nthat was at the request of a lot of folks.\n    And, again, there's about--there's 2 agencies that are out \nof the data center business, 3 agencies doing a decent job, and \n19 that I would say are doing poorly, and that's a big reason \nwhy the grades went down. And then now with 5.0, when you have \n17 agencies getting Fs because they don't have a software \nlicense inventory, that's a key reason. So those are the two \nbig ones.\n    Ms. Kelly. And so what accounts for the challenges? Is it \njust the software license, or what's accounting for the \nchallenges?\n    Mr. Powner. 
I think when you look at the data centers, I do \nthink it's--given where we were at, for instance, on server \nutilization, to try to go from a 9 to 12 percent to 65 percent \nmetric that OMB has, okay, that's a big leap.\n    The software licensing, I have a hard time understanding \nthat. We did a report 4 years ago that told agencies that they \nshould get software licenses. It was in FITARA. It's one of the \nseven sections. You followed up with MEGABYTE. I think it's \ninexcusable that we do not have software license inventories at \nthis point in time.\n    Ms. Kelly. Thank you.\n    Mr. Everett, the Department of Energy was one of the three \nagencies whose letter grade actually went down. What are the \nchallenges you're facing?\n    Mr. Everett. There's a number, as you can clearly see. I \nthink, look, the reality is our scorecard accurately represents \nsome significant challenges we have. And Mr. Powner hit on, \nfrankly, two of them. One of them is we have too many data \ncenters that we don't have a handle around, and we need to more \naggressively--again, part of this is we're--on the data centers \nwe're doing some things around DCIM, which gives us some better \nmeasurements of actually how we're using those existing data \ncenters.\n    I think that will drive some business requirements and some \nbusiness cases to close some and help us actually use them \nbetter. But the better answer to that is move to the cloud. \nAgain, for things that are a simple commodity, the answer is \nwe've got to get to the cloud and we've got to do it faster.\n    I can't disagree either on--you know, look, some of my \nnontechnical colleagues at the Department have asked me, why \ndon't we have a software asset inventory. And they're right. It \nshouldn't be that hard.\n    Now, I will say that we did a data call. We have, I think, \nover 64,000 lines within the database we collected of that. We \nhave a significant inventory. 
It's not complete, and we're not \ngoing to represent it as complete until it is. The vast \nmajority of that that came back was, in fact, provided \nelectronically, so that exists in pockets in parts of our \ndepartment.\n    We have a number of gaps in the Department, areas that \ndon't have that capability. So one of the things we're doing is \nleveraging. We're going back and looking at CDM. We have gaps \nin our CDM deployment, and we're actually going back and trying \nto line that up and find out, all right, where do we have gaps \nwithin programs and offices that need help at the enterprise \nlevel from my office to come back and fill the gaps so that we \ncan have a complete software asset inventory.\n    And, again, I just want to add, the software asset \ninventory is valuable not just to have it; it drives--you know, \nas I work with our acquisition team and work in conjunction \nwith them, it's going to save us money. We know that for a \nfact.\n    It's going to help us reduce our threat surface because \nit's going to tell us what kind of software we have or don't \nhave. And then it's going to help us drive our IT \ntransformation as we can see the gaps in capability or, \nfrankly, where we have overlap in capability where we probably \nhave people buying two or three different of the same \ncapability in different software packages. That just needs to \nbe eliminated.\n    So there's no painting it any other way. Again, I \nunderstand many people are failing at it, but I don't--it's not \nrocket science. It's not hard. And we are pushing rapidly \nthrough those means to get it fixed.\n    Ms. Kelly. And do you have any, not saying everything all \nat once, but any time projections or what do you see?\n    Mr. Everett. So with respect to--certainly with the \nsoftware inventory piece, we're in the process right now, we've \nbrought somebody into actually to help us be strategic about \nCDM. 
And, again, our focus there is what are the gaps.\n    We have a lot of people that have really great capabilities \nthat meet many of the CDM requirements and needs. What we're \nlooking for is where are the gaps. And then as an enterprise, \nas a department, how do we come in and help them fill those \ngaps.\n    And, again, because we have a number--we have a very \nfederated, diverse department, we have a lot of good best \npractices. We've got a lot of labs and other folks who have \ngreat tools in place. We're working with them to get actually \nwhat's working for them and try and replicate that or build it \nacross the Department.\n    I'll say on, again, on data centers, one of the immediate \nthings we're working on is we've had some folks working on this \nDCM pilot. And, again, our labs have actually led the way. A \nnumber of our labs have put DCM tools in place and have worked \nwith my team to share best practices that we can do across the \nDepartment. So our next step there is a pilot that we expand \nacross the Department. That's going to give us a more accurate \npicture. And I think what it's going to show is that we have a \nlot of data centers. We just don't need anymore.\n    Ms. Kelly. Thank you.\n    Mr. Hurd. My first question's actually for Mr. Powner, but \nyou're going to have to look for something. Towards the end of \nyour statement, you talked about budget and system acquisition. \nI want you to pull that up. And while you're looking for that, \nI'm going to go to Mr. Everett.\n    Mr. Everett, take about 30 seconds and tell me how your \nposition changed from to reporting to directly to the agency \nhead or the deputy agency head.\n    Mr. Everett. Sure. Well, I--as I walked to the Department \nin July, you know, obviously I'd done a little research before \nI walked in. I knew that was the case. 
I've been around Federal \nGovernment and private sector the last number of years, so I \nwas very aware that this is a challenge across government. And \nI knew walking in the door that that was something I was going \nto immediately have changed.\n    The good news for me was I have a Secretary and a deputy \nsecretary, both of whom have seen in public and private sector \nthat that was valuable and important. They understood, without \nreally any argument from me, that that was simply a best \npractice. And so, literally, it probably would have even \nhappened faster. It just took a while to get the memo written \nand get it passed up to the front office.\n    But for our office, I'll simply tell you that our \nleadership understood that it wasn't even really a question. It \nwas an expectation that IT would be part of the leadership and \npart of this process.\n    Mr. Hurd. I would like to attribute that to Secretary \nPerry's training at the illustrious Texas A&M University for \ngiving him that understanding.\n    And without objection, I'd like to introduce into the \nrecord a memo from Max Everett to the Secretary of Department \nof Energy about the designation of the CIO as a direct report \nto the Secretary, deputy secretary.\n    So ordered.\n    Mr. Hurd. For those that are going to read about this on \nFedScoop, and CIOs that are not reporting directly to an agency \nhead or deputy agency head, they should see this memo. And \nunfortunately, there is still 12 departments or agencies where \nthe Federal CIO doesn't report directly.\n    I just want to clarify a point, Mr. Everett, because I \nthink you addressed it fairly well. Can you answer that you \nknow 100 percent of what's on your network?\n    Mr. Everett. Right now, I would have to tell you the answer \nis no. I think the vast majority of people who tell you that, \nI'm not sure that they're being accurate.\n    Mr. Hurd. Gotcha. 
Because my assumption is, if you have a \nnumber of agencies that don't understand what software they \nhave on their system, they also don't know what hardware they \nhave on their system. And that introduction of unknown \nvulnerabilities is scary.\n    Mr. Powner, did you find the quote I was looking for?\n    Mr. Powner. Yes, I did.\n    Mr. Hurd. Can you repeat that statement, please?\n    Mr. Powner. ``Finally, I'd like to note that our work for \nthis committee on IT budgeting and CIO authority shows that \nEnergy CIO is challenged in the areas of IT budgeting in \nexecution, meaning that there needs to be better visibility \ninto the IT budget and better governance over their system \nacquisitions.''\n    Mr. Hurd. Ms. Doone, you're the CFO, correct, acting CFO?\n    Ms. Doone. Yes.\n    Mr. Hurd. What are you going to do to help Mr. Everett with \nthat problem?\n    Ms. Doone. We have been working--the CFO office has been \nworking with CIO since the enactment of FITARA to do just that, \nto improve the alignment of the IT portfolio with the budgeting \nprocess.\n    Even before the OMB guidance was issued back in 2015 for \nthe fiscal year 2017 budget cycle, we issued guidance out to \nall the program offices to have them identifying their IT spend \nby program activity and by project. CIO did the likewise, so \nthat their IT portfolio would start delineating the IT across \nthe entire department.\n    Mr. Hurd. Ms. Doone, do you have responsibility--financial \nresponsibilities over the National Laboratories as well?\n    Ms. Doone. The National Laboratories financial \nresponsibility is managed by the program offices. So they \nreport and they submit their budget request up through the \nprogram offices, who put their budgets included in their \nprogram office budgets that come to CFO.\n    Mr. Hurd. So as the CFO of Department of Energy, you have \nthe similar challenges that your colleague, Mr. 
Everett, has \nwith these siloed activities by the National Labs, that even \nthough you're responsible for all the Department of Energy, \nthat you may not have the greatest insight into that. Is that \nan accurate statement?\n    Ms. Doone. It is an accurate statement, but I would suggest \nthat it's getting better. With the expansion of the IT \nportfolio over the last couple of years, we and CIO have \nexpanded the number of data elements that the program offices \nare providing us. So we are now able to reconcile the IT \nportfolio with the budget submission that we are getting from \nthe program offices.\n    And I think one of the biggest benefits that we've had--we \nstarted working directly with CIO from the very beginning of \nthe enactment of FITARA. I think the biggest accomplishment has \nbeen the budget and financial management staff in the program \noffices and their IT counterparts working closely together for \nthe first time. And I think that's where we're going to begin \nto see more visibility and better transparency, and it's been \nboth at the Federal program office level and at the National \nLaboratory level.\n    Mr. Hurd. Thank you.\n    The gentleman from the Commonwealth of Virginia is now \nrecognized for his 5 minutes of questions.\n    Mr. Connolly. I thank the chair, and welcome to the panel.\n    By the way, I would say to my friend from Montana, as \nsomeone who also spent 20 years in the private sector before \ncoming here, in the technology sector, one might look for \nmetrics. If you want to know how you're doing in cloud, look at \nthe data on data center consolidation, because you're not \nmoving to the cloud if that's not being consolidated. If you're \nconsolidating it, you are moving to the cloud, because you have \nto.\n    Now, Mr. Everett, let me just say, I believe you get it and \nI believe you are an agent of change. And I think the memo the \nchairman cited gives evidence of that. 
So don't take this \nhostilely, but your words are welcome, but you got an F in data \ncenter consolidation. Your score went down, not up, which \nsuggests regression.\n    And it is the Department of Energy, the National Labs, that \nkind of in the dead of night went to the U.S. Senate and got an \nexemption for themselves. The ink wasn't even dry in FITARA. \nLast time I checked, that's under your purview, which would \nsuggest resistance to change, to trying to get this right.\n    So why should we believe, you notwithstanding, all of you \nbeing sincere human beings, why should we not believe that, \nfrankly, the Department of Energy is retrograde, they're not \nwith the program, they're not cooperating, they're treading \nwater in the hopes we'll give up and stop looking, and \nprogress, you know, is just not in the forecast?\n    Mr. Everett. Well, we have to make that change.\n    Mr. Connolly. I can't hear you.\n    Mr. Everett. Apologies. Ranking Member, I think the answer \nis we have to make that change. I hope that you don't give up.\n    Mr. Connolly. Oh, we won't give up.\n    Mr. Everett. I know you won't, but, you know, even beyond \nmy tenure, I hope that you don't give up. One of the reasons \nthat Ms. Helland is up here is, I can tell you, in my 4\\1/2\\ \nmonths at the Department, her work in the Office of Science has \nbeen a huge help and a huge part of correcting some of those \nissues.\n    I can tell you that our approach, and this starts directly \nwith my Secretary and deputy secretary, and I have been in \ntheir presence when they told this directly to the lab \ndirectors was that there is one department. That is their \nexpectation. That is the expectation they have given to me. \nThat is the expectation I repeat on a regular basis.\n    And so I believe that's--you know, history aside, I believe \nthat's a starting point. I'm glad that Ms. Helland joined us, \nbecause, again, she has been an ally to me. 
I think she can \ntalk about some of the work she's actually been doing to help \nus build some of the reporting mechanisms around CPIC, around \nFITARA, around how we hold the labs to a level of \naccountability that we expect for everyone in the Federal \nGovernment.\n    Mr. Connolly. And I want to hear that from Ms. Helland, \nbut--just one more--but you got an F in data center \nconsolidation, which is the heart and soul of FITARA. It's how \nwe save money. It's how we reinvest in ourselves. It's how--\nit's an actual metric whereby we measure are we making progress \nor not. Tell me why you got an F.\n    Mr. Everett. Because we haven't done the job. I mean, there \nis no way around it.\n    Mr. Connolly. All right. Have you set metrics for yourself \ninternally?\n    Mr. Everett. We have.\n    Mr. Connolly. Okay. How many data centers are there in the \nDepartment of Energy?\n    Mr. Everett. I'll pull it up here, but there are----\n    Mr. Connolly. All right. Take your time while we listen to \nMs. Helland.\n    Mr. Everett. 289.\n    Mr. Connolly. 289, okay. He's telling the truth, right? No. \nSo 289. Have you set a goal for yourself that by, you know, a \nyear from now or the next report card there will be 289 minus \nX?\n    Mr. Everett. The existing goal is 11, is to reduce it by \n11.\n    Mr. Connolly. By 11?\n    Mr. Everett. By 11.\n    Mr. Connolly. Well, that's a pretty modest goal.\n    Mr. Everett. I think that's exceedingly modest.\n    Mr. Connolly. So can we be a little more robust in our goal \nsetting?\n    Mr. Everett. We will be more robust. We are pulling \ntogether and working hard. I want to be thoughtful. I don't \nwant to give a number I can't back up.\n    Mr. Connolly. I understand.\n    Mr. Everett. But at the same time, no, the answer is 11 is \na pittance.\n    Mr. Connolly. 
But so I would just say, also again to my \nfriend from Montana, and I think he would agree, I have \nexperience both in the public sector and the private sector. If \nyou don't set heroic goals, stretch goals, nothing happens. \nNow, not impossible goals, because then nothing happens either, \nbut stretch goals. And so 11 is hardly a stretch goal. And I \nhope when you come back here, you're able to say, well, we said \n11 and it's 110. We got it off by a zero.\n    My time is going to run out, but, Ms. Helland, I want to \ngive you an opportunity to comment on the National Labs.\n    Ms. Helland. Thank you. We actually started in 2015, July \nof 2015, working with the Office of Science labs. And at that \ntime, we also had three Energy labs that we were working with \nto look at our lab planning and appraisal process, which is a \nway that we actually included CIOs in that process so that we \ncould see--we asked them to report on their current IT spending \nand their current research computing, so that this instrument \nbecame effective for the other program office--or other program \noffices in the Office of Science.\n    Mr. Connolly. Well, I just want to say in closing that I \necho what the chairman and Ms. Kelly said. What makes me feel \nbetter about your score is you, because I think you are \ncommitted to making this happen, and the reporting sequence is \nnow right. And when you're in that kind of position, you can \nmake things happen, and it's pretty clear you're committed to \ndoing that. And so we'll back you up. We'll help you. We're not \ngoing away.\n    And I applaud my colleague, Mr. Hurd, on the Republican \nside of the aisle, for absolutely--and Mr. Meadows is near, but \nthe four of us, you know, are just not going to give up. And \nwe're here to try to both nudge and support and use it to your \nadvantage. Thank you so much.\n    Thank you, Mr. Chairman.\n    Mr. Hurd. 
Now it's my pleasure to recognize the \ndistinguished gentlewoman from the District of Columbia, Ms. \nEleanor Holmes Norton, for her 5 minutes of questioning.\n    Ms. Norton. I thank my friend for yielding, and I thank him \nfor this hearing, and our witnesses for their informative \ntestimony.\n    This is a hearing about the Federal Information Technology \nReform Act, the act itself. I'm trying not to use letters and \nacronyms. And it's essentially about IT and the progress we are \nmaking at a time when that can determine, in private industry, \ngo or stop. I regard it as just as important for the Federal \nGovernment.\n    I was intrigued by the work of the chief information \nofficers that GAO looked at how enhanced authority was \nassisting the chief information officers in certifying major IT \ninvestments. And here's where I need clarification. They said, \nand I'm quoting here, ``adequately implementing incremental \ndevelopment.'' I got intrigued, what in the world is that, and \nhad staff look it up, and discovered that adequately \nimplementing incremental development is for the investment to \ndeliver functionality every 6 months.\n    So in order for me to understand what that meant, I took as \nan example, since you were testifying here today, Department of \nEnergy, because it was among the agencies that achieved an A \nscore on this particular--in this particular category.\n    What was responsible--you make me understand incremental \ndevelopment. If you apply it to the Department of Energy, and \nmake me understand how the Department of Energy earned an A \nrating for incremental development.\n    Mr. Everett. So I'd love to take all the credit for that, \nbut that I think has been a historical strength of the \nDepartment. And, again, some of our career folks have been a \nkey component of keeping that going.\n    The focus of that is around--I don't think it's a secret to \nmany of us who have been around D.C. 
that, historically, when \ndepartments engage in long, multiyear projects, those tend to \nhave significant problems in financial management and delivery.\n    So the--I think it's a very good thing to be measuring \nthat, because the importance of that is, when you're actually \ndelivering capability--you know, this is--you know, in the \nprivate industry, it would typically cause sort of agile \ndevelopment. You're constantly adding showing capability. \nYou're demonstrating that you're actually producing something.\n    The flip side of that would be if we did some large, \nmultiyear development and said, we'll start here, 2 years \nlater, we'll see what happens, historically that has been a \nvery poor management technique in IT and certainly in the \nFederal Government.\n    What I've observed so far at the Department of Energy is I \nthink we're deserving of that grade, because I think there's a \nlot of focus on, again, that incremental movement to make sure \nwe're delivering something in sort of bite-sized manageable \nchunks.\n    Ms. Norton. That really does make me understand it. It \ncertainly makes me understand why this every 6 months. And for \nIT, clearly every 6 months is important.\n    But since you already are looking every 6 months, what will \nyou suggest for those who don't have--I mean, you're looking at \nthem every 6 months too. So what do they need to do so that \nevery 6 months--do we need a shorter timeframe for people who \ndon't have A scores, for example?\n    Mr. Everett. Yeah. I mean, I think you--you've got to \nstart--you know, you may start to drive the metric a little \nshorter. You may not necessarily have delivery. But finding \nways to measure that--again, the goal of it is just practically \nto be intermittently actually watching and seeing what's----\n    Ms. Norton. Well, does it, in fact, result in increases in \nthe score?\n    Mr. Everett. Oh, yeah, it does. I mean, it certainly has \nfor us.\n    Ms. Norton. 
By looking every 6 months, even with those who \nhaven't received this A rating, then their ratings tend to go \nup because you're looking every 6 months.\n    Mr. Everett. Yeah. I think you've constantly got to watch \nthat and measure it and make sure that they really are showing \nactual measurable deliverables and improvements.\n    Ms. Norton. Mr. Powner, did you have anything to add to \nthat?\n    Mr. Powner. No. I think it's clearly a best practice to go \nwith shorter deliveries instead of longer deliveries. I do \nthink--you know, when we measure this, we know where all the \nwarts are looking under the covers here. So the one thing is \nthis is how they plan. If you look closely at whether they \ndeliver against the plan, it might be a little less so we \nshouldn't get too comfortable.\n    The other thing that I would like to say is, as we \nunderstand more what we actually spend on IT, there's probably \nmore software development projects that should get listed under \nthis category, and it might not look so rosy.\n    So I don't want to rain on the parade, but I do think it's \nimportant to make sure we understand that there's still work \nfor some of those agencies that have As. Go small and it's \nmuch better.\n    Ms. Norton. Appreciate that criticism.\n    And thank you, Mr. Chairman.\n    Mr. Hurd. Thank you.\n    A couple of quick questions for you, Ms. Doone, and you, \nMs. Helland.\n    Ms. Doone, what are you going to do to help Mr. Everett \npopulate the Working Capital Fund that we are going to create \nwith a successful implementation of the MGT Act?\n    Ms. Doone. Well, once the MGT is enacted, we'll have to \ntake a look at the structure of the Working Capital Fund.\n    DOE has an existing Working Capital Fund, and there are \nseveral line items in our current Working Capital Fund that are \nmanaged by CIO. 
The most significant one is a cybersecurity \ninvestment of about $35 million, which is intended for \nenterprise-wide cybersecurity. So we already leverage our \nexisting Working Capital Fund to support his efforts in a \nnumber of areas, including network support as well.\n    Mr. Hurd. So the Working Capital Funds created by MGT is \nsomething that only the CIO can touch, and it's to put money \nthat is saved from doing things like transitioning into the \ncloud, getting your software licensing under control, because \nthe savings that they're going to realize, they're not going to \nbe able to use in that calendar year.\n    How do we make sure that that's captured so that by the end \nof next fiscal year, that money is transferring to that \naccount?\n    Ms. Doone. Yeah. That would be something that we would have \nto look at. And, yes, if this were a mechanism totally \ndedicated to capturing the savings from the variety of IT \nsavings, then that would be something that we could do and \nperhaps look at that and see if that could then support it. \nBecause that would be a mechanism that would target that money, \nthose savings directly recouping them and allowing CIO to \ninvest into much-needed enterprise IT modernization.\n    Mr. Hurd. Do you think we can do that within a calendar \nyear, 12 months? There's only one answer to that, by the way.\n    Ms. Doone. It's certainly a very straightforward request to \nrecapture savings. The challenge is identifying those savings \nand getting them captured and moving them over to----\n    Mr. Hurd. As long as you're in this position, are you \ncommitted to helping Mr. Everett do that?\n    Ms. Doone. Oh, absolutely.\n    Mr. Hurd. Mr. Bashista, are you involved too?\n    Mr. Bashista. Yes, sir. A number of initiatives that we're \nsupporting the CIO, as we discussed, the CFO and CIO in \nprocurement and contracting, we face a lot of the same \nchallenges being decentralized. 
So on a programmatic basis----\n    Mr. Hurd. I get it. But are you going to help Mr. Everett \nmake sure we capture that savings when he improves the software \nlicensing, introduces CDM, and figures out their technology \ndoesn't have, and he saves money, are you going to help us make \nsure and work with Ms. Doone in getting that in an MGT Working \nCapital Fund?\n    Mr. Bashista. Absolutely.\n    Mr. Hurd. Awesome.\n    Ms. Helland, the National Laboratory CIO's council, who \ndoes that report to?\n    Ms. Helland. It actually reports to--I mean, it was formed \nby the National Lab--the CIOs at the National Labs for them to \nidentify common practices and best practices across the labs so \nthat they could work together. Technically, I'm not sure it \nreports to anybody, but we certainly--both Max and I sit on the \nexecutive board.\n    Mr. Hurd. Mr. Everett, do you have a response to that?\n    Mr. Everett. So the NL CIO council reports to the--I \nbelieve it's to the National Lab director's executive council.\n    Mr. Hurd. Do you have insight into the types of things the \nCIOs at the National Labs are putting on their network?\n    Mr. Everett. We do. And we're--so we don't have full--\nagain, and I tell you, in all honesty, I don't have that fully \non our current network. We are in the process. And, again, at \nthe direction of our deputy secretary, within 2 weeks of his \njoining, we put forward a memo under his name that I am \nresponsible for as part of our iJC3, which is for our \nenterprise SOC, that all elements of the Department, including \nall laboratories, sites, Federal program offices, everybody is \ngoing to be responsible. 
And we're working right now to deliver \ncertain data that I have put together a taxonomy on that will \ncome up for us in a consolidated manner so that we have--and, \nagain, that's an initial visibility across every network in the \nDepartment.\n    The move from that will be to then incorporate the CDM \ncapabilities, to your point, so that we can see hardware, \nsoftware, all the other pieces, so that we can have that \nvisibility of our cybersecurity posture across the entire \nDepartment, labs included.\n    Mr. Hurd. Great. And, Mr. Powner, I'm looking forward to \nGAO reviewing and ensuring that is moving in that direction.\n    I want to thank our witnesses for appearing before us.\n    Mr. Connolly. Mr. Chairman?\n    Mr. Hurd. Yes, sir.\n    Mr. Connolly. Just a footnote to----\n    Mr. Hurd. I yield to my gentleman--my friend from the \nCommonwealth.\n    Mr. Connolly. I thank my friend.\n    Just I was listening to your questioning of Ms. Doone, if \nyou're looking for more savings, maybe you might expand that \ngoal of 11 data centers being consolidated. I was just doing a \nlittle quick math on the back of my envelope, and with that--if \nthat's our annual goal, it's going to take 27 years to address \nthe total number of data centers you've got at the Department \nof Energy.\n    So, I mean, I do think there's some real room for expansion \nthere that would have big payoff, and the MGT legislation \nrewards it. And, oh, by the way, working with Mr. Powner and my \ncolleagues, the FITARA extension bill that extends the sunsets, \nincluding a data center consolidation, is, as we speak, on its \nway to the President for his signature.\n    So there will be several more years of scrutiny over data \ncenter consolidation. So use that time and effectuate those \nsavings, especially in anticipation of the authority you're \ngoing to get, especially through the leadership of my friend \nMr. Hurd, in the MGT legislation.\n    Thank you, Mr. 
Chairman.\n    Mr. Hurd. Thank you.\n    I'd like to thank our witnesses for appearing before us \ntoday. The subcommittees will now have a very, very brief \nrecess, 2 minutes, to set up for our second panel.\n    The subcommittee stands in recess, subject to the call of \nthe chair.\n    [Recess.]\n    Mr. Hurd. The subcommittees will come to order.\n    I'm pleased to introduce our second panel. Again, the \nillustrious Dave Powner; Mr. Jay Mahanand, the CIO for the U.S. \nAgency for International Development; Mr. Reginald Mitchell, \nCFO for USAID; and Mr. Wade Warren, acting deputy \nadministration at USAID. Welcome to you all.\n    And pursuant to committee rules, all witnesses will be \nsworn in before they testify, so please rise and raise your \nright hand.\n    Do you solemnly swear or affirm the testimony you're about \nto give is the truth, the whole truth, and nothing but the \ntruth, so help you God?\n    Thank you.\n    Let the record reflect all witnesses answered in the \naffirmative.\n    Again, in order to allow time for discussion, please limit \nyour testimony to 5 minutes. The entire written statement will \nbe made part of the record.\n    Again, as a reminder, the clock in front of you, when it \nturns yellow, you have 30 seconds; when it turns red, your time \nis up. And please turn on and off your microphone.\n    I now recognize Mr. Powner for an abbreviated statement.\n\n                           PANEL II:\n\n                    STATEMENT OF DAVE POWNER\n\n    Mr. Powner. Thank you, Mr. Chairman.\n    USAID plans to spend about $40 million on IT this year. \nEighty-two percent of this is used for operational systems, \nleaving just over $25 million for new development. One of the \nlargest investments is its financial management system that is \nused to manage and report on foreign assistance funds. 
Last \nyear, over $13 million was spent on the system, and over the \nyears, over $225 million has been spent on this critical \nsystem.\n    USAID's overall grade jumped from three straight Ds with \nyour first three scorecards to an A the last two. They are the \nonly agency to receive an A on the FITARA scorecard.\n    There are lots of positives here. Their CIO tenure is \nbetter than most. They have had only two CIOs since 2009. They \nhave As in four of the five areas. They report the second \nhighest portfolio stat savings as a percentage of their overall \nspend. Management of their software licenses has been \ncentralized since 2004, resulting in an A in this area.\n    The one area where we did not see an A is on data center \noptimization. USAID still needs to meet the server utilization \nmetrics for its 80-plus nontiered or smaller data centers.\n    Finally, I'd like to note that our work for this committee \non CIO authorities shows that there is still some work to do on \nIT budgeting and execution, especially on improving governance \nover its IT acquisitions.\n    Mr. Chairman, this concludes my comments on USAID.\n    Mr. Hurd. Thank you, sir.\n    Again, only one person is going to provide remarks for \nUSAID. Who is that going to be?\n    Mr. Warren, you're now recognized for 5 minutes.\n\n                    STATEMENT OF WADE WARREN\n\n    Mr. Warren. Thank you.\n    Thank you, Chairman Hurd and Ranking Member Kelly and \nmembers of the subcommittee, for inviting me here to testify \ntoday regarding USAID's progress on FITARA. We're grateful for \nyour support on this effort.\n    I brought with me today my colleagues, Regi Mitchell, who \nis USAID's chief financial officer; and Jay Mahanand, who is \nour chief information officer. They have both been very \ninstrumental in our technology reform efforts, and I'm happy to \nhave them with me here today and to help answer questions.\n    As you know, USAID is a global agency. 
Our work is often \ndone under the most difficult circumstances, from a tent in \nMexico City after the recent earthquake, to a small mission in \nEast Timor where the internet connection is less than reliable, \nto a refugee camp in Jordan.\n    Strong and effective information technology systems are \nessential to USAID achieving its mission in a modern world. And \nso USAID is proud to have received the first A rating ever \ngiven under the FITARA scorecard. But it hasn't always been \nthis way at USAID.\n    Eight years ago, USAID's IT was in disarray. In Washington, \nwe spent hundreds of thousands of dollars every year acquiring \nnew equipment and on powering and cooling our data center. What \nwe got for it were regular outages and a system that left \nemployees tethered to their desks.\n    In the field, the situation was even worse. USAID often \noperates in countries with low bandwidth, and our old email \nsystem did not function well in this environment, leaving many \nstaff waiting for long periods of time for email messages to \nload, if they were able to access email at all.\n    Seven years ago, in February 2010, we realized that the \nstatus quo was not sustainable, and we began taking steps that \nultimately gave USAID a cloud-based email system. And over the \nlast few years, the Agency has developed into the leading \nFederal agency for cloud computing.\n    So today, I would like to share with you what we view as \nthe four keys to our success. First, we accepted that updating \nour IT system would be risky, that we would run into problems, \nand that we would not get everything right the first time. We \nknew that we needed to improve, and we were willing to take \nthose risks. We embraced change.\n    Second, we had real buy-in from agency leadership. We \nrealized that for USAID to remain the world's premier \ninternational development agency, modernizing our technology \nhad to be a top priority. 
We committed significant financial \nand human resources to this effort and championed it from the \ntop down.\n    Third, we continue to improve, plan for what we know will \ncome, and deliver results. Today, we have embraced a culture of \nincremental progress. And we regularly make small investments \nin our information systems that keep them from going out of \ndate or losing interoperability. And I'm proud to say that \nbecause of these investments, USAID is not operating a single \nlegacy system.\n    And fourth, we committed to hiring experts at a senior \nlevel who have the technical know-how to implement these \nchanges and keep us ahead of the curve. We worked hard to \nrecruit knowledgeable, experienced staff, and provide training \nand support for the staff we have.\n    All of this hard work has led to important increases in \nefficiency for our workforce and significant cost savings that \ntoday we are using to reinvest in our platforms.\n    Mr. Warren. Moving forward, we will ensure that we continue \nto remain ahead of the curve and lead the U.S. Government in \nour embrace and effective use of modern information technology.\n    To further optimize data center operations, the agency is \nin the process of migrating our already outsourced data center \nto a cloud environment, and USAID is taking steps to actively \nmanage the cybersecurity risks that we all are aware of today.\n    So in conclusion, we are committed to maintaining our \nstatus as a Federal leader in IT space. We look forward to \ncollaborating with you to address future challenges and new \nopportunities for reform.\n    Thank you for your time, and thank you for your support of \nour efforts.\n    [Prepared statement of Mr. Warren follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n     \n    Mr. Hurd. Well, Mr. Warren, thank you for not taking all of \nyour time, number one. And I also want to say thank you for \nwhat your organization does. 
I had the honor of serving \nalongside many of the men and women in USAID, and I know the \nwork that you do and saw it up close and personal. And, Mr. \nMitchell and Mr. Mahanand, you facilitate that activity. So \nwhat you do is very important, not only for our country, but \nfor the countries that we are working in. So I am a supporter \nof your organization.\n    That being said, Mr. Warren, my first question is why does \nMr. Mahanand not report directly to you or Ambassador Green?\n    Mr. Warren. Thank you. We have--in our agency, we have an \nassistant administrator for management, and she has \nresponsibility for the CFO function, the CIO function, the \nfacilities management, and the budget of the operational budget \nfor the agency. She reports to me. But the CIO and the CFO both \nhave a dotted line to the administrator. They are free to go to \nhim directly when they have issues that are of concern to them. \nAnd that's the way we've been managing ourselves over the--over \nthe last number of years.\n    You may be aware, however, that we are in a redesigned \neffort with the State Department now to look at how the State \nDepartment and USAID work together and how we can change our \nprocedures internally to make them more effective and looking \nat the reporting relationships of the CIO and the CFO was part \nof what we are looking at now.\n    Mr. Hurd. Mr. Powner, do you have any opinion?\n    Mr. Powner. I think clearly it's much better if you report \nup to the box. Right? And I think as long as there's access. \nWe've seen sometimes where there's this management guru in \nbetween, and we've heard this. The key question is whether that \naccess is consistent and enough to the top when you need to get \nthe right decisions and the right support.\n    Mr. Hurd. Mr. Mahanand, I'm going to assume that since \nthere's only been two CIOs--since when Mr. Powner?\n    Mr. Powner. Since 2009.\n    Mr. Hurd. 
--since 2009, I'm assuming you have a positive \nopinion of your access to senior leaders within your \norganization.\n    Mr. Mahanand. Yes, I do. I mean, I've--any time there's a \nneed to escalate, I will do that. But in the current structure, \nthere is no need. The--as far as the system administrator for \nmanagement, I mean, my daily op--my daily interaction is with \nher. And so I've not--don't have the need to actually go to \nher--or go to the administrator. Most of my activities go \nthrough her.\n    Mr. Hurd. Can you answer with 100 percent certainty that \nyou know everything's on your network?\n    Mr. Mahanand. Maybe 99.9 percent. On our network, we do \nhave--we do have monitoring software. I'm talking about the \nphysical network here. So we do have port security. We have--\nanything that actually touches the network, we are notified of \nthat.\n    What we're not--what I'm not really sure about is really \nthe services that's purchased outside and not necessarily \nconnected in the network. That is something that we actually \ntrack in terms of looking into software, but there's--you know, \nthere's a potential in shadow IT within the agency, and that is \nthe only thing that I'm not positive about.\n    Mr. Hurd. How do you do CDM?\n    Mr. Mahanand. CDM, right now, we're in phase I, and it's \nscheduled to be deployed February of 2018.\n    Mr. Hurd. Deployed in 2018. So complete within 4 months?\n    Mr. Mahanand. Yes. I mean, we actually started about 2 \nyears ago. We've piloted CDM, and so the final deployment is in \nFebruary of 2018.\n    Mr. Hurd. So the pilot deployment, do you have the \nenforcement mode engaged?\n    Mr. Mahanand. I believe so.\n    Mr. Hurd. Can you get me an answer?\n    Mr. Mahanand. Yes, I can.\n    Mr. Hurd. Thank you.\n    Mr. Mitchell, how are you going to help Mr. 
Mahanand create \na Working Capital Fund once MGT is complete, so when he is able \nto get a complete insight into his network and saves money, he \nhas access to that Working Capital Fund?\n    Mr. Mitchell. We would--I will be able to support our chief \ninformation officer by setting up this fund and working with \nthem to develop the procedures and policies governing the \noperations of this particular fund.\n    I think it's important to note that the budget per se does \nnot fall under my purview, but I do have budget execution. And \nI do work with Mr. Mahanand and his staff as far as providing \nthem with real-time data, executional data, so that he can \nbetter have decision-making capabilities.\n    Mr. Hurd. So if their budget doesn't fall under CFO, who \ndoes the budget fall under?\n    Mr. Mitchell. The operation budget, including the capital \ninvestment fund, falls under the office of management policy, \nbudget, and planning office, and that office is located in the \nManagement Bureau.\n    Mr. Hurd. And, Mr. Warren, that is this person you \ndescribed----\n    Mr. Warren. Yes. This assistant administrator for \nmanagement has responsibility for the CFO, the CIO, and the \noperational budget.\n    Mr. Hurd. So, Mr. Warren, in my remaining 15 seconds, what \nare you going to do to help to make sure Mr. Mahanand has the \nMGT Working Capital Fund so he can use that at the end of next \nfiscal year?\n    Mr. Warren. Well, as I stated, the senior leaders of the \nAgency, both the career and the political staff, are very \nsupportive of the IT function. We recognize that we can't do \nour work around the world without it. And we--I--Jay and Reggie \nand I work closely to ensure that our IT needs are met, so I'd \nbe very supportive.\n    Mr. Hurd. Ms. Kelly, you're recognized for 5 minutes.\n    Ms. Kelly. 
Thank you.\n    The IT Dashboard is a public website that allows Federal \nagencies, industry, and the general public to see the details \nabout Federal information technology investments and their \nrisks. Those risks are submitted by the CIO for those agencies.\n    Mr. Powner, can you briefly explain why the IT Dashboard \nexists and what factors affect scoring?\n    Mr. Powner. So the IT Dashboard is there to make sure we \nhave visibility into the major investments. We look at the \nroughly $100 billion that we spend, so that's roughly half of \nwhat was on these major larger investments. So we know what \nthey are, and we also have some costs and schedule performance. \nBut a key part of that is the CIO rating.\n    So, for instance, USAID has 87 major investments. \nInterestingly, they get an A in this area because they don't \nhave a single green on the Dashboard, everything's red or \nyellow, where they acknowledge risk. You could do that \ndifferent ways. We like to see the acknowledgement of risk \nbecause these things are typically difficult and you want to \nadmit the risk so that they can be effectively managed.\n    Ms. Kelly. And you talked about USAID, but the other \nagencies in general, are they doing a good job, accurately \nreporting, not doing a good job? And what are the implications \nfor not accurately reporting?\n    Mr. Powner. I think over time, especially with your \nscorecard, we see more risk acknowledged on that dashboard, so \nthat's been a good thing. There's some agencies that had a \ncomplete flip. They were all green, and then all of a sudden, \nthey're, you know, heavy on the reds and yellows, which that's \na more accurate reporting.\n    So we've seen improvements in these areas. There's still \nsome concern.\n    Yeah. The other area of concern is sometimes some large \ninvestments are categorized as nonmajors, and that's one way to \nhide visibility on the Dashboard. 
And again, we know who those \nagencies are, and we're kind of watching some of those larger \nnonmajors.\n    Ms. Kelly. Okay. Thank you.\n    Mr. Mahanand, in the category of transparency, USAID \nreceived transparency in risk management an A. Can you briefly \nexplain how USAID goes about determining the levels of risk \nfacing its major IT projects?\n    Mr. Mahanand. Sorry. For us, we have five major business \ncases. Three of them is in operations. And so--but they provide \ncritical function for the Agency. And so what we look--we take \na look at--we start previously taking a look at the mid rating \nhere, as far as the risk is concerned. So, you know, we look at \nthe projects that's being executed. We looked at the overall \nimportance of the specific program, and we make a determination \nof what is happening to--specifically in activities in those \nareas.\n    And so when the--quarterly when the report comes to me, I \ntake a look at it. We review it with the program staff. I make \na determination exactly where we feel that the risk grading \nshould reside. For the most part, we start with a three. We \nusually start with a five, because some of these business cases \nwere in operations, and we didn't think necessarily that is \nsomething we need to really worry about.\n    But given the fact, you know, we heard from GAO in terms of \nwe want to see the risk grading realized, and actually we \nthought what we were doing and then started a three. And then \nwe would make decisions based on where we are with those \nprojects within those business cases or investments. We would \nmake a decision whether or not the project is risky or not \nrisky. But we continued this to start at a three and then we \nare way back and forth between a three, between a one and a \nfive.\n    Ms. Kelly. Just out of curiosity, because you have done so \nwell with your A ratings, do other agencies ever call and \nfind out what you've done or what your secret is?\n    Mr. 
Mahanand. Yeah. We've actually--we've gotten calls from \nthree--about five agencies. We've spoken to them. We've \nactually spoken to the specific working group for GSA and some \nof the things we've done.\n    I mean, just from a history perspective, some of the things \nwe've done before previously, like the data center \nconsolidation. We got rid of our data center NRB in 2011. We \njust didn't get credit for it as we move along, because we \nstarted really early in that. And from our perspective is that \nwe just wanted to make sure that the data itself and the \ninformation and the reason behind the specific intent of each \none of these scores.\n    And so we looked at that--because I thought we did really \nwell. We continue to do well, and I wanted to make sure that, \nyou know, our progress, our performance reflects the scoring. \nThat's where we actually found out there were some errors in \nhow we were reporting. And so we--we basically worked with GAO \nand figure out what those areas are, corrected it, and \nbasically provide the evidence that, you know, we are where we \nare with those scores. And that's why you saw from a D to an A.\n    Mr. Warren. If I could just add a thought. Our approach and \nattitude about IT risk, I think, is part of a broader agency \nperspective on risk. And we work in some dangerous, risky \nplaces around the world. And so we try as an agency to be very \naware of and forthright about the risk that we're facing. And \nReggie and I actually lead an agencywide risk assessment \nprocess every year that looks at IT risks, financial risks, \nphysical security risks. And so the sort of transparency that \nwe bring to the IT risk, I think, is part of a broader culture \nin the agency about confronting risk.\n    Ms. Kelly. I yield back.\n    Mr. Hurd. The gentleman from Montana is recognized.\n    Mr. Gianforte. Thank you, Mr. Chairman.\n    Mr. 
Warren, I understand from your testimony that you've \nmoved 100 percent to the cloud. Is that correct?\n    Mr. Mahanand. I would say, again, maybe 99.9 percent.\n    Mr. Gianforte. Let me congratulate you on your \naggressiveness adoption of these newer technologies.\n    I'm curious, in that transition, how much work was done to \nmove from, let's say, more custom software to more commercial \noff-the-shelf software, and where would you be in that \ntransition?\n    Mr. Mahanand. So as far as moving to the cloud, there's \nspecific things that we have in terms of infrastructure as a \nservice, platform as a service, or software as a service. Every \napplication we look at we basically make a determination. We go \nback to the cloud first policy. Any new application that comes \nup, we look at it, we basically said whether or not there is a \nsurface--a service offering out there that we can actually use.\n    So, for instance, we--when we were modernizing our internet \non our internet, we basically look at the--look at the specific \nservices, and we actually went with cloud services instead of \ngoing with, you know, commercial off-the-shelf software. So \nthose are the types of decisions we make when we actually look \nat software or look at renewed software.\n    Mr. Gianforte. And, Mr. Powner, is there, in your \nobservations--I mean, we know that when we send a committee off \nto design a piece of software and we tell them we want a horse, \nwe often get a camel as a result, because there's so many \nrequirements that are included. And this--when we build custom \nsoftware, it just drives up the cost and increases brittleness \nof integrations and these sorts of things.\n    In your observations from working with the agencies, how do \nyou--where are we in this transition from custom designing \neverything to the bias that Mr. Mahanand has expressed towards \ncommercial off-the-shelf software?\n    Mr. Powner. 
Collectively as a government, we still custom \ndesign way too much than we need to. And the problem there is \nin the government changing your business process to adapt to \ncommercial products is, is we're way behind, especially when \nyou compare that to the private sector. There's such an \nunwillingness to adapt those business processes and adopt to \ncommercial software. So we need more and more of that going \nforward.\n    Mr. Gianforte. But you believe that a bias towards \ncommercial off-the-shelf would be a best practice and it would \nreduce cost?\n    Mr. Powner. Absolutely. Absolutely. And change our business \nprocesses. Look at these financial management systems that we \ntry to put in place. Why do some folks implement them right out \nof the box and others we try to modify 3 years to implement a \ncommercial financial management system?\n    Mr. Gianforte. Yeah. Mr. Mitchell, in this transition, how \nmuch money has been saved moving to the cloud?\n    Mr. Mitchell. I would have to defer to our chief \ninformation officer.\n    Mr. Mahanand. I think we'd have to look at each specific \noffering. For example, our data centers, we--from 2013 to 2016, \nwe saved about $8 million, but each--we haven't--I don't think \nwe have accumulated the number of our savings. I think it's \nabout for the last--if we calculated, about maybe 60--I don't \nknow, $50 to $60 million for the last 3 or 4 years.\n    Mr. Gianforte. Just to put that in perspective, what \npercentage is that of your total budget?\n    Mr. Mahanand. So our budget is about $100 million in OE and \nabout $25 in DME, so that would actually be about 60 percent.\n    Mr. Gianforte. Sixty percent savings from moving to the \ncloud?\n    Mr. Mahanand. Yeah.\n    Mr. Gianforte. Okay. And what have you experienced from a \nsystem reliability and security perspective? Has system \nreliability and security gotten better or is it harder in the \ncloud?\n    Mr. Mahanand. I think it's gotten better. 
I mean, I think, \nas Mr. Warren said, when we first moved emails to the cloud, I \nthink we had outages daily. We moved to a cloud email system, I \nthink we were the second in the Federal Government to do that. \nAnd I can't remember being down for more than an hour till now. \nAnd this happened in 2011, I think we started.\n    Mr. Gianforte. And from a security perspective?\n    Mr. Mahanand. You know, they go through the same controls \nas far as testing is concerned. So, you know, we look at their \nCNA packages; you know, we give it an ATO. So, you know, we \nhave a part to play in of basically looking at the security \nprofile of each one of these cloud vendors. So we are pretty \nconfident the security is actually--I would say much better \nthan, you know, having a system administrator in all these \ndifferent places, not necessarily looking at what they're \ndoing.\n    So within the cloud, there's a single administrator. We \ncontrol that administrator. So I think security is enhanced as \nwell.\n    Mr. Gianforte. Just to play back what I've heard, a 60 \npercent reduction in costs, increase--dramatic increase in \nreliability, better security; sounds like it's a win.\n    Mr. Mahanand. We think so.\n    Mr. Gianforte. Okay. Thank you.\n    I yield back.\n    Mr. Hurd. Thank you.\n    Now the gentleman from the Commonwealth of Virginia, you're \non the clock.\n    Mr. Connolly. Thank you.\n    And congratulations to USAID. And I take a little bit of \nspecial interest. In my previous incarnation here on the Hill, \nbefore my 20 years in private sector, I spent 10 years on the \nSenate Foreign Relations Committee. And my job was to write the \nforeign aid bill. And I helped write the very last one to \nbecome law in 1986. That's how ancient I am. And it was so \ngood, apparently, that we haven't passed one since.\n    In any event, congratulations. And I think--well, let me \nask you, Mr. Warren. What happened? 
You were getting a D and \nyou moved it up to an A. I'm talking process and political \ndecisions here, not we moved the grommet to the widget and the \nwidget to the--what happened inside A that changed it--changed \nthe will to want to do it differently?\n    Mr. Warren. So two points to make, I think. The jump from \nthe D to the A was largely from working with GAO to better \nreport what we had been accomplishing over a longer period of \ntime. So if you look at the scorecard, it looks like we had \nthis quantum leap in 1 year. I think the quantum leap was \nreally in better reporting. The changes to get from a D to an A \ntook place over a longer period of time than that.\n    But to answer the other part of your question, I think we \nwere driven by the fact that we were having failures daily in \nthe system as we were trying to manage it. And the fact that we \nhave a worldwide workforce, and the only way we can communicate \nwith our staff around the world and get our work done is \nthrough our IT systems. And if they are not working, we just \ncan't do our job. And so it was kind of out of necessity that \nwe realized we needed to make big changes. And then as I said, \nthe political and the career----\n    Mr. Connolly. Well, I would just say you say that as if, of \ncourse, we had to, we had no choice. I'm looking at a really \nbig neighbor of yours in the Federal family, maybe the biggest, \nand it hasn't concluded that and it's got a worldwide \nenterprise too. And they're getting an F instead of an A.\n    So something happened in A that galvanized you to do it \ndifferently, to make different decisions, to set goals for \nyourself, that, unfortunately, our Defense Department has yet \nto do. And it could bat you person for person and then some in \nterms of overseas bases, operations, personnel and the like. 
\nBigger, much bigger, and maybe you could argue more difficult, \nbut it's as far up along as you are, and it has yet to make the \ndecisions or show the political will you've shown.\n    And that's what I'm trying to get it, what--because I think \nthat's how we all learn. You know, go talk to USAID in terms of \nhow they did it, and I'm trying to get you on the record to get \nsome of the elements of how did you do it.\n    And, Mr. Powner, feel free to jump in here, because I know \nyou had something to do with this as well.\n    Mr. Powner. Yeah. I think it's a combination of both. I \nmean, clearly the data cleanup was a part, but also there was a \nfocus on some of these areas, you know, going small and \nreporting more risk and that type of thing. We saw big \nimprovements there.\n    It was interesting, because a lot of this data's been \nreported to OMB for quite a while. And honestly, most agencies \ndon't really focus on that adequately enough. This scorecard \nreally helped. And this is important--this is important \nreporting because it's savings. It's things that we can use to \nreinvest in the Working Capital Funds. So this isn't just for \nthe sake of reporting. It's real stuff that we need to actually \nget more efficient with our operational side of the house so \nthat we can invest and modernize the government more.\n    Mr. Connolly. Yep. And by the way, Mr. Mitchell, I hope \nyour answer to Mr. Gianforte about savings was only on that \none, because it's critical that the CFO understand what savings \nare being effectuated here because that's how we incentivize \nother agencies to do it too, right? Here's the--here's the \ncarrot, here's the reward at the end of this process, and \nthat's reliability, savings, freeing up capital, really \nworthwhile investment, and a happier, more productive \nworkforce. But some of that we can measure in actual dollars. 
\nAnd I commend to you that the CFO, as well as the CIO, has to \nbe monitoring those savings. I assume you are.\n    Mr. Mitchell. Yes, I am.\n    Mr. Connolly. Okay. Okay. Let me just say--end by saying \nthis, and maybe, Mr. Warren, you take the lead working with Mr. \nPowner at GAO, but all of you, I really think it's important \nthat this be written up electronically, but how did you do it? \nWhat were the key decision points? How low did you have to go \nbefore somebody said enough already? And show others that it's \ndoable and replicable. Because when we don't really want to do \nsomething, we're going to isolate you as saying USAID's unique, \nno one else is like them, sure they can do it, but no one else \ncan really--and we don't want--that doesn't serve our purpose \nat all and it's not true.\n    And Dave--Mr. Powner, I would urge that in your spare time \nwe help do this. And hopefully, Mr. Hurd and Ms. Kelly would \nagree, there's real value hearing your story, and we want to \nspread that good news to other agencies that it can be done in \na reasonable timeframe and there's a reward at the end of the \nrainbow. So again, thank you, and congratulations.\n    Mr. Hurd. I'd just like the record to reflect that that is \nthe least grumpy line of questioning I've ever seen from the \ngentleman from the Commonwealth of Virginia, which is a pretty \nsignificant feat.\n    So, Mr. Warren, Mr. Mitchell, Mr. Mahanand, these don't \nalways go this way, and thank you for what you do and thank you \nfor the support that you're showing our men and women that are \nputting themselves in some very difficult and extraordinary \ncircumstances. Thank you for being here.\n    And again, the subcommittees will now briefly recess for a \nfew minutes for a third panel.\n    The subcommittee stands in recess, subject to the call of \nthe chair.\n    [Recess.]\n    Mr. Hurd. The subcommittees will come to order.\n    I'm pleased to introduce our third panel. Mr. 
Powner, for \nthe third time today, thank you for being here. Ms. Maria Roat, \nCIO for SBA; Mr. Tim Gribben, CFO for SBA; and Ms. Althea \nCoetzee Leslie, the deputy administrator at the Small Business \nAdministration. Thank you all for being here. Welcome to you \nall.\n    And pursuant to committee rules, all witnesses will be \nsworn in before they testify. Please rise and raise your right \nhand.\n    Do you solemnly swear or affirm the testimony you're about \nto give is the truth, the whole truth, and nothing but the \ntruth, so help you God?\n    Thank you.\n    Please let the record reflect that all witnesses answered \nin the affirmative.\n    Again, to allow time for discussion--and we're racing \nagainst the clock, the votes are likely to be called soon--\nplease limit your testimony to 5 minutes. The yellow light \nmeans you have 30 seconds; red, time is up. And please turn on \nthe microphone.\n    Mr. Powner, you're recognized for an abbreviated time for \nyour opening remarks on this panel.\n\n                           PANEL III:\n\n                    STATEMENT OF DAVE POWNER\n\n    Mr. Powner. Thank you, Mr. Chairman.\n    SBA spends about $98 million on IT this year. About 80 \npercent of this is used for operational systems, leaving just \nover 20 million for new development. This new development \nincludes important efforts, like its Disaster Credit Management \nModernization, which automates processing and approval for \ndisaster loan assistance. SBA reports having spent over $100 \nmillion--$150 million on this modernization in prior years.\n    SBA's grades have consistently been in the D range, but \ntheir current grade is a C-minus. They're one of only three \nagencies whose grade went up.\n    SBA scores best in incremental development, receiving an A \nin this area. 
Also, despite receiving a C in the data center \narea, SBA has plans to eventually close all but one of its 43 \nnontiered or smaller centers, and plans to install a necessary \nmetering equipment by 2018. SBA also plans to exceed OMB's key \nserver utilization metric of 65 percent.\n    Turning to areas where SBA needs to improve, let's start \nwith CIO tenure. Since 2004, there have been 10 CIOs at SBA, \nand the average tenure has been only 1.4 years. This is a major \nissue in why IT has not been effectively managed. Their \nsoftware license inventory is not complete. They have a plan to \ncomplete this in early 2018.\n    Finally, I'd like to note that our work for this committee \non IT budgeting, contracting, and CIO authority shows \nadditional areas where SBA CIO has challenges is in budget \nformulation and strengthening their IT workforce. However, \nregarding FITARA's requirement for CIOs to review and improve \nIT contracts, SBA's processes here are quite good.\n    Mr. Chairman, this concludes my comments on the Small \nBusiness Administration.\n    Mr. Hurd. Thank you, sir.\n    And I believe Ms. Althea Coetzee Leslie will do the opening \nremarks for the SBA panel.\n    You're now recognized for 5 minutes.\n\n               STATEMENT OF ALTHEA COETZEE LESLIE\n\n    Ms. Coetzee Leslie. Thank you.\n    Mr. Chairman, ranking members, and committee members, thank \nyou for the opportunity to discuss the SBA's implementation of \nFITARA.\n    From July 2005 to October 2016, the SBA's OCIO leadership \nteam experienced significant disruption with high turnover: \neight different CIOs during that period. Further, prior to the \ncurrent CIO's arrival in October 2016, the CIO position was \nvacant for over a year, from July 2015 to October 2016. 
\nConsequently, key programs like the Data Center Consolidation \nInitiative did not receive OCIO leadership attention.\n    Immediately upon her arrival, the SBA CIO engaged in frank \nand honest conversations about the state of IT at the agency. \nThe CFO responded in kind, and with the administrator's and \nCFO's support, the CIO embarked on a fast-paced journey to \nchange how the SBA builds, buys, and manages information \ntechnology to support small business entrepreneurs.\n    Over the last 12 months, actions taken by the CIO, in close \npartnership with the CFO, are transforming SBA from an agency \nimpeded by outdated technology and unstable infrastructure, \nstovepipes, duplication and significant gaps, no cybersecurity \nstrategy or operational control, to a proactive and innovative \nprovider of critical business technology services to the SBA \nprogram offices and small business entrepreneurs.\n    SBA's governance model is maturing with a focus on creating \nand expanding strong enterprise-shared services. Program \ngovernance requires that all stakeholders are represented, \nengaged, and aligned to achieve program success. For example, \nthe CIO and CFO co-chair the SBA Investment Review Board that \nmet six times in fiscal year 2017. The IRB reviewed every major \ninvestment at least once, and the board recommendations \nresulted in tangible program improvements.\n    Additionally, the CIO conducted four major investment deep \ndives to review milestones, technology capabilities, funding, \nand risks. During one of these deep dives, the CIO identified \nand provided direction to correct specific contractual and \nroadmap-related issues in time to prevent further \ncomplications. 
The SBA recognizes that transparency is critical \nfor value creation, and the CIO promotes transparency in our IT \nprocurements to prevent duplication, cybersecurity threats, and \nstovepiping.\n    Last year, the CIO reviewed and approved all new IT \ncontracts above $150,000. And this year, the threshold has been \nreduced to $50,000 to ensure we achieve our short and long-term \nmodernization objectives.\n    It is our responsibility to communicate our IT goals, \nvision, and strategy with acquisition professionals to ensure \nthat the entire organization understands the technical \nramifications of individual purchases. I am proud to report the \nSBA is leading innovation as the first agency to deploy DHS's \nCDM system in the cloud. This has resulted in a significant \ncost avoided by not investing in hardware that would require \nfuture recapitalization. Further, it sets the stage and puts \nSBA ahead of other agencies for future DHS cloud-based CDM \nsolutions that will further strengthen SBA's cybersecurity \nposture.\n    Along with our modernization efforts in technology, we are \nbuilding our IT workforce and working to attract new IT staff \nto critical positions. We launched an IT strategic workforce \nplan to be able to support future technology initiatives. And \nthanks to congressional approval, we realigned our digital \nservices team under the CIO to deliver improved mission-focused \nservices and capabilities.\n    Through the implementation of the authorities contained in \nFITARA, our CIO is leading the charge in the achievement of \nagencywide IT goals. 
The SBA's actions taken over the last 13 \nmonths are laying the foundation for the agency's \ntransformation into future enterprise objectives.\n    As we proceed in executing our enterprise IT plan, we will \ncontinue to strengthen information technology to ensure a \nreliable, secure, and high-performing computing environment \nnecessary to enable the SBA to efficiently and effectively \nperform its mission.\n    Thank you again for the opportunity to share SBA's progress \non FITARA implementation, and we are ready to answer any \nquestions you may have.\n    [Prepared statement of Ms. Coetzee Leslie follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n      \n    Mr. Hurd. Thank you.\n    And because votes have been called, we're going to limit \nour questioning time to about 2\\1/2\\ minutes. So, Mr. \nGianforte, you're up first.\n    Mr. Gianforte. Thank you, Mr. Chairman.\n    So, Ms. Roat, sounds like you walked into a mess. And I'm \njust curious, what advice would you have for other Federal \nCIOs, given the experience you've had in trying to get your \narms around it?\n    Ms. Roat. Don't plan to plan, execute. Walking into a \nfailing data center, our primary data center, we move very \nquickly. We had failing HVAC systems. Last November, I said \nvery clearly to the team, no new hardware, period. And that's \nwhat embarked us moving forward on our data center, shutting \ndown our primary data center, moving into the cloud very \nquickly, very fast. I brought in the right talent to do that, \nto be able to do that, and we executed. And it was driven by \nfailing data centers, the gaps in technology, all of those \nthings, and we executed.\n    Mr. Gianforte. Okay. Just for my edification, where are you \nin the transformation to the cloud at this point, if you had to \nput a percentage on it?\n    Ms. Roat. So for our primary data center, we've moved about \n40 systems already. We are not doing a lift and shift. 
We \nmodernized everything first. So we did a migration, an actual \narchitecture. We did a migration planning session, and we \nstarted execution of the migration in July of this year. So the \n200 systems that are in our primary data center, we've done \nabout 40 right now.\n    Mr. Gianforte. Okay. So what percentage would you say is in \nthe cloud?\n    Ms. Roat. That's roughly about 25 to 30 percent.\n    Mr. Gianforte. Okay. And what success have you had in \nmoving departments off of custom software compared onto \ncommercial off-the-shelf software?\n    Ms. Roat. To the extent that we're not building our own \ncode, not doing our own coding, take advantage of commercial \noff-the-shelf software as a service, platform as a service, we \nare doing it. For one of our program offices, you know, they \nneeded some investigation software. We're using a particular \nproduct, which is a software solution right in our cloud \nenvironment. So we are driving in that direction and getting \naway from actual hands-on coding.\n    Mr. Gianforte. Okay. With that, Mr. Chairman, I yield back.\n    Mr. Hurd. Robin Kelly, you're on the clock.\n    Ms. Kelly. Mr. Powner, in GAO's assessment, I am assuming \nthat you gave recommendations to SBA to improve their grades \nand software licensing. Is that correct?\n    Mr. Powner. Yes. We've been working closely with SBA.\n    Ms. Kelly. Okay. So, Ms. Roat and Mr. Gribben, do you \nbelieve you can implement these recommendations within the next \nyear? And what do you think you can do? What do you think you \ncan accomplish?\n    Ms. Roat. For the software licensing, specifically there's \nthree pieces to that we're taking into account. One is reducing \nthe footprint of duplicative software. So that's the very first \npiece. We're reducing the number of licenses and providing the \nright level of software licenses to the users that need it.\n    When you look at particular software platforms, you know \nthere's different levels. 
We're making sure they're assigned. \nSo we've already embarked on getting our arms around our \nlicensing. In particular is we're moving into the cloud, \ngetting our arms around that. We've put the monitoring tools in \nplace.\n    So we started a couple of months ago with this process in \ngetting our arms around all of our software. And a year ago, I \ndidn't have visibility into the entire enterprise; I do now. So \nthat way that gives me the capability to be able to see what \nlicenses are out there, what's deployed, not just on the cloud, \nbut also on the desktop and the systems.\n    Ms. Kelly. I don't know if you have any comment.\n    Mr. Gribben. The only thing I would add to that is that as \npart of the budget execution process, the CIO has visibility \ninto all of the IT requests of the program offices. And this \nyear, we identified some offices that had some software \nlicenses that would be better incorporated into an enterprise \nagreement that the CIO had already embarked on. So from that, \nwe're reducing the software licenses, the one offsetter in the \nprogram offices.\n    Ms. Kelly. Okay. It sounds like you're committed to making \nimprovements, so we look forward to seeing your grades improve.\n    I yield back.\n    Mr. Hurd. Mr. Connolly.\n    Mr. Connolly. I thank the chair.\n    I just--gosh, at risk of destroying my reputation with the \nchairman, I think there's a lot of good news here. And a lot of \nit has to do, though, with having a CIO who, A, has the \npolitical will herself, but also a direct tie to the heavy \nagency so that she is empowered. And I assume you concur with \nthat?\n    Ms. Coetzee Leslie. Yes, we do. Our CIO has direct access \nto the administrator and myself as the deputy, and has also the \nauthority to--or has control over authority to operate. And we \nhave empowered her to do whatever is necessary to protect the \nagency and make sure that we are delivering the products as \nbest we can.\n    Mr. Connolly. 
Sounds like you were--before this CIO, Ms. \nRoat, it sounds like you were handing out glasses of hemlock or \nsomething, given the turnover that was occurring. So I don't \nknow what you've done to make it a more pleasant and attractive \nplace, but keep doing it.\n    Ms. Roat, did you want to comment on that, not the hemlock \nso much?\n    Ms. Roat. It's not the hemlock?\n    Mr. Connolly. But the turnover and----\n    Ms. Roat. While I can't speak to my predecessors, there \nwere some very good people there. But I will say that I've got \nan incredible relationship with the CFO and then with access to \nthe administrator and the deputy administrator. Myself and my \ndeputy make the rounds informally about once a day in the front \noffice. And we do have actual formal standard meetings and \nparticipate in many of the boards.\n    Mr. Connolly. Just a final point. You actually met the \nmetrics set by OMB on data center consolidation in terms of \nsavings, as I understand it. Keep doing it, double down on it. \nI think that's really important, and that's how we reinvest in \nourselves once the MGT legislation becomes law. Thank you, and \ncongratulations on the progress you've achieved. Keep doing it.\n    Ms. Roat. Thank you.\n    Mr. Hurd. Thank you, Mr. Connolly.\n    Mr. Powner, what do they need to do in order to get that N \nto a Y in the CIO reporting directly to the Secretary----\n    Mr. Powner. It's just a lot of formal reporting. There's \naccess, from what we understand, but in terms of the reporting, \nI don't see the direct reporting there to the dep secretary, to \nthe assistant----\n    Mr. Hurd. Ms. Coetzee Leslie, do you have any opinion on \nmaking that a more formal structure to ensure the CIO reports \ndirectly to you or Administrator McMahon?\n    Ms. Coetzee Leslie. We have several changes that we're \nlooking at with agency reform, and this is certainly one that \nwe are considering.\n    Mr. Hurd. That's great.\n    Mr. Powner. And, Mr. 
Chairman, I would add, you know, I \nthink what's really important here is we've got this history of \n1.4 years. Hopefully, Ms. Roat sticks around more than 1.4, but \nI think that change is important because, clearly, this is an \nexecutive team that we hear that is working well together and \nthings are happening and there's great plans. But I think \nthat's why that formality is important, the 1.4 history.\n    Mr. Hurd. Ms. Roat, I'm sure you are expecting my question \non your ability to answer whether you have 100 percent \nvisibility of what's on your network.\n    Ms. Roat. I do today. I did not a year ago.\n    Mr. Hurd. And how are you deploying the CDM?\n    Ms. Roat. We deployed CDM in the cloud. Last November when \nI said no new hardware on our data center, my team went back \nand they said but, but, but. And I said, but I want to put it \non the cloud. And I said, why not? And I ask them that \nfrequently, why not? And they went back to DHS and proposed it. \nDHS said let's go ahead and do it. And so we started small. \nInstead of buying 96 cores, spending all that money and all \nthat hardware, we started small in the cloud, spinning up the \nvirtual servers, adding on as we needed. So phase one we \ncompleted this summer. So, again, we're the first Federal \nagency to do it.\n    Mr. Hurd. Awesome. Mr. Gribben, I'm sure you can expect \nwhat my question is going to be. How are you going to help Ms. \nRoat create the Working Capital Fund that MGT is going to give \nher, hopefully as early as tomorrow?\n    Mr. Gribben. That is actually something that I'm going to \nhave to work with the Office of Management and Budget and our \nappropriations committee. And how that would be implemented, \ncurrently what we do is any savings that are----\n    Mr. Hurd. Let me stop you there. What conversations do you \nneed to have with OPM--I mean OMB. Excuse me.\n    Mr. Gribben. Most of the money we spend on information \ntechnology is 1-year money. 
And even with the reprogramming \nrequest into a Working Capital Fund, we'd still remain as 1-\nyear money.\n    Mr. Hurd. But that's what the legislation is changing where \nthe Working Capital Fund gives the ability to, once you program \nthat money into a working capital fund, you have 3 years to \ngain access. So what you're going to ultimately need is \nguidance from OMB on the steps to making that happen.\n    Mr. Gribben. Exactly.\n    Mr. Hurd. I would welcome your suggestions on those kinds \nof guidance. We should be going to OPM in this--OMB, excuse me. \nAnd, Ms. Roat, your suggestions on how to do that would be very \nhelpful as well to ensure that you have one more tool in your \ntoolkit.\n    Ms. Coetzee Leslie, do you have any final comments on \ncreating a culture within the organization to ensure you have \nMs. Roat staying there for more than 1.4 years?\n    Ms. Coetzee Leslie. Well, I've been telling everybody on my \nroad trips and every forum that I attend and where I speak \nthat, other than Disneyland, the SBA is the happiest place on \nEarth, and we intend to keep it that way. With the current \nadministrator and the leadership team that's there now, we have \na very, very functional team, and look forward to continuing \nthat relationship and keeping Ms. Roat happy.\n    Mr. Hurd. Excellent.\n    Mr. Powner, you're a prince. Your team is amazing. Thanks \nfor all the effort and work that you do on the scorecard, the \nminority and majority staffs' work on this. 
I really do think \nit is a tool that we are starting to see real changes across \nthe Federal IT infrastructure.\n    And for all of our witnesses, thank you for appearing here \ntoday.\n    The hearing record will remain open for 2 weeks for any \nmember to submit a written opening statement or questions for \nthe record.\n    If there's no further business, without objection, the \nsubcommittees stand adjourned.\n    [Whereupon, at 4:29 p.m., the subcommittees adjourned.]\n\n \n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n               \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]               \n               \n\n\n                                 <all>\n</pre></body></html>\n"