[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

STATE OF PLAY: FEDERAL IT IN 2018

JOINT HEARING BEFORE THE SUBCOMMITTEE ON INFORMATION TECHNOLOGY AND THE SUBCOMMITTEE ON GOVERNMENT OPERATIONS OF THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES

ONE HUNDRED FIFTEENTH CONGRESS, SECOND SESSION

MARCH 14, 2018

Serial No. 115-75

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov and http://oversight.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE, 31-105 PDF, WASHINGTON : 2018

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

Trey Gowdy, South Carolina, Chairman

Majority members: John J. Duncan, Jr., Tennessee; Darrell E. Issa, California; Jim Jordan, Ohio; Mark Sanford, South Carolina; Justin Amash, Michigan; Paul A. Gosar, Arizona; Scott DesJarlais, Tennessee; Blake Farenthold, Texas; Virginia Foxx, North Carolina; Thomas Massie, Kentucky; Mark Meadows, North Carolina; Ron DeSantis, Florida; Dennis A. Ross, Florida; Mark Walker, North Carolina; Rod Blum, Iowa; Jody B. Hice, Georgia; Steve Russell, Oklahoma; Glenn Grothman, Wisconsin; Will Hurd, Texas; Gary J. Palmer, Alabama; James Comer, Kentucky; Paul Mitchell, Michigan; Greg Gianforte, Montana.

Minority members: Elijah E. Cummings, Maryland, Ranking Minority Member; Carolyn B. Maloney, New York; Eleanor Holmes Norton, District of Columbia; Wm. Lacy Clay, Missouri; Stephen F. Lynch, Massachusetts; Jim Cooper, Tennessee; Gerald E. Connolly, Virginia; Robin L. Kelly, Illinois; Brenda L. Lawrence, Michigan; Bonnie Watson Coleman, New Jersey; Raja Krishnamoorthi, Illinois; Jamie Raskin, Maryland; Jimmy Gomez, Maryland; Peter Welch, Vermont; Matt Cartwright, Pennsylvania; Mark DeSaulnier, California; Stacey E. Plaskett, Virgin Islands; John P. Sarbanes, Maryland.

Staff: Sheria Clarke, Staff Director; William McKenna, General Counsel; Meghan Green, Counsel; Troy Stock, Information Technology Subcommittee Staff Director; Julie Dunne, Government Operations Subcommittee Staff Director; Sharon Casey, Deputy Chief Clerk; David Rapallo, Minority Staff Director.

SUBCOMMITTEE ON INFORMATION TECHNOLOGY

Will Hurd, Texas, Chairman

Majority members: Paul Mitchell, Michigan, Vice Chair; Darrell E. Issa, California; Justin Amash, Michigan; Steve Russell, Oklahoma; Blake Farenthold, Texas; Greg Gianforte, Montana.

Minority members: Robin L. Kelly, Illinois, Ranking Minority Member; Jamie Raskin, Maryland; Stephen F. Lynch, Massachusetts; Gerald E. Connolly, Virginia; Raja Krishnamoorthi, Illinois.

SUBCOMMITTEE ON GOVERNMENT OPERATIONS

Mark Meadows, North Carolina, Chairman

Majority members: Jody B. Hice, Georgia, Vice Chair; Jim Jordan, Ohio; Mark Sanford, South Carolina; Thomas Massie, Kentucky; Ron DeSantis, Florida; Dennis A. Ross, Florida; Rod Blum, Iowa.

Minority members: Gerald E. Connolly, Virginia, Ranking Minority Member; Carolyn B. Maloney, New York; Eleanor Holmes Norton, District of Columbia; Wm. Lacy Clay, Missouri; Brenda L. Lawrence, Michigan; Bonnie Watson Coleman, New Jersey.

C O N T E N T S

Hearing held on March 14, 2018

WITNESSES

Mr. David Powner, Director of IT Management Issues, U.S. Government Accountability Office: Oral Statement; Written Statement

The Honorable Margaret Weichert, Deputy Director for Management, Office of Management and Budget: Oral Statement; Written Statement

Mr. Bill Zielinski, Deputy Assistant Commissioner of the IT Category, U.S. General Services Administration: Oral Statement; Written Statement

The Honorable Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity and Communications, U.S. Department of Homeland Security: Oral Statement; Written Statement

APPENDIX

Response from Ms. Weichert, OMB, to Questions for the Record

Response from Mr. Zielinski, GSA, to Questions for the Record

STATE OF PLAY: FEDERAL IT IN 2018

Wednesday, March 14, 2018

House of Representatives, Subcommittee on Information Technology, joint with the Subcommittee on Government Operations, Committee on Oversight and Government Reform, Washington, D.C.

    The subcommittees met, pursuant to call, at 3:16 p.m., in Room 2154, Rayburn House Office Building, Hon. Will Hurd [chairman of the Subcommittee on Information Technology] presiding.

    Present from the Subcommittee on Information Technology: Representatives Hurd, Gianforte, Kelly, and Krishnamoorthi.

    Present from the Subcommittee on Government Operations: Representatives Hice, Blum, Connolly, and Maloney.

    Mr. Hurd. The Subcommittee on Information Technology and the Subcommittee on Government Operations will come to order.

    And, without objection, the presiding member is authorized to declare a recess at any time.

    Good afternoon. Sorry for the wait, but it is Washington, D.C. And the House of Congress is the people's House, but sometimes we get a little delayed.

    We have had momentum over the last couple years. I think this year, or this Congress, with the Federal IT modernization effort through the passage of the MGT Act, the Modernizing Government Technology Act, we have gained strength and force. This, now a law, is bipartisan legislation that will, for the first time, reward and incentivize Federal agencies and CIOs to cut costs and invest in cutting-edge technology.

    The effort, also, of modernization has gained momentum from Trump administration initiatives like establishing the Office of American Innovation, releasing an IT modernization report, and retaining good ideas from the previous administration, including the U.S. Digital Service.

    I am concerned, however, that in some areas we have lost momentum. We went too long without a Federal CIO. I am glad Ms. Kent is now in the position and look forward to having her up here before the committee within the next few months.

    I am also pleased that Ms. Weichert is in place as the Deputy Director for Management at OMB.

    I have spoken to my former colleague, Director Mulvaney, about our efforts here in the subcommittee and how we can work together to modernize government. He is an enthusiastic supporter of using emerging technologies to make government more efficient and accountable.

    We need to rethink how we structure the Federal workforce, to ensure the Federal Government has access to smart, well-trained IT and cybersecurity professionals, and be working in a bipartisan fashion, as always, in introducing a bill in the coming months to establish the U.S. cyber reserves, a public/private-sector rotational workforce. I look forward to the witnesses' thoughts on how to best organize and structure this kind of workforce.

    I also continue to have concerns about longstanding GAO recommendations that remain unaddressed, oftentimes year after year after year. These open, lingering vulnerabilities put us at incredible risk, as we saw with the devastating data breach at OPM, which it is crazy to think was almost 3 years ago.

    I want to hear from GAO their most critical open recommendations and, from the rest of the witnesses, concrete plans to close them. Let's use this hearing to ensure IT modernization across the Federal Government continues, even with more force and strength, in 2018. Let's not lose the momentum.

    And, as always, it is an honor to be exploring these very important issues in a bipartisan fashion with my friend, the ranking member, the one and only, the Honorable Robin Kelly from Illinois.

    Ms. Kelly. Thank you, Mr. Chairman. Thank you for calling today's hearing on the Federal Government's information technology.

    These two subcommittees have prioritized holding agencies accountable for their compliance with the Federal Information Technology Acquisition Reform Act in the effort to modernize our legacy IT systems. We have managed to work in a bipartisan manner not only to conduct oversight but to introduce legislation seeking to address the Nation's IT and cybersecurity problems.

    Improving the efficiency and security of the Federal Government's IT system is essential to our Nation's security. In order to improve the efficiency and security, we must modernize legacy IT systems across every Federal agency.

    The Federal Government spends nearly $60 billion just to sustain its existing outdated IT. When agencies must spend 75 percent of their IT budgets merely to maintain legacy systems, they predictably fall behind in the effort to modernize.

    That is why the Modernizing Government Technology Act of 2017 is critical to shoring up our Nation's cybersecurity and moving us forward. MGT is now law. It creates a working capital fund called the Technology Modernization Fund that will have money for efforts like cloud migration for agency CIOs to think creatively about modernization.

    The next couple of months will determine whether the MGT Act is allowed to spur that type of innovation. I was pleased to see that the President's proposed budget called for $228 million for the modernization fund. OMB Director Mulvaney recently released a memo to agencies with guidance on MGT's implementation.

    The board overseeing the modernization fund is in place. It is now up to Congress to fund this important effort. Our government technology is too outdated to allow this opportunity to pass us by.

    By allocating these funds, we further our goals under FITARA to fully empower agency CIOs. I view the MGT Act as a natural complement of FITARA. We cannot speak about important efforts, like moving to the cloud and data center consolidations, without providing the funding necessary to make that happen.

    In addition to modernizing our technology, we must modernize our Federal workforce to make sure they have the tools and skills necessary to address the problems of not only today but tomorrow.

    In 2016, GAO found that the evolving array of cyber-based threats continue to pose a risk to our national security. The government's inability to attract and retain qualified cyber professionals throughout the government threatens our ability to address these cyber threats. Therefore, attracting IT and cybersecurity talent is critical to the safety of every American and the security of our country.

    I hope that our witnesses can update us on the state of the Federal IT and how each agency plans to address the opportunities and challenges facing the Federal Government.

    Thank you, Mr. Chairman.

    Mr. Hurd. Thank you, Ranking Member Kelly.

    And when the ranking member and chair of Government Operations get here, we will allow them to have opening remarks, if they do. But now it is a pleasure to introduce our witnesses.

    Mr. David Powner, probably our most visits to this committee of anybody in government. Thanks for being here. And he is the Director of IT Management Issues at GAO.

    The Honorable Margaret Weichert, Deputy Director for Management at the Office of Management and Budget. Thank you for being here.

    Mr. Bill Zielinski, Deputy Assistant Commissioner of the IT Category at the General Services Administration.

    And last but not least, the Honorable Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity and Communications at the Department of Homeland Security.

    Welcome to you all. And pursuant to committee rules, all witnesses will be sworn in before you testify, so please stand and raise your right hand.

    Do you solemnly swear or affirm the testimony you are about to give is the truth, the whole truth, and nothing but the truth, so help you God?

    Thank you.

    Please let the record reflect that the witnesses answered in the affirmative.

    In order to allow time for discussion, please limit your opening remarks to 4 minutes. Your entire written statement will be part of the record.

    And as a reminder, the clock in front of you shows the remaining time during your opening statement. The light will turn yellow when you have 30 seconds left and red when your time is up. Please also remember to press the button for the speaker.

    So, with that, Mr. Powner, welcome back.

WITNESS STATEMENTS

STATEMENT OF DAVID POWNER

    Mr. Powner. Chairman Hurd, Ranking Member Kelly, and members of the subcommittee, I would like to commend your subcommittee for your consistent and thorough oversight of IT and cybersecurity issues, in particular with FITARA and with recently moving the FITARA Enhancement Act and MGT.

    This afternoon, I will highlight top priorities for OMB and agencies. My comments will address three broad areas: human capital, acquisitions, and operations.

    CIO authorities still need to be strengthened, despite significant improvements from FITARA. Your push to elevate these positions at departments and agencies is still needed. Currently, 13 of the 24 CIOs report to the DEPSEC or higher. OMB plays a critical role here, especially with the recent focus on agency reorganizations.

    Also, cybersecurity and IT workforce needs to be further strengthened. Specifically, we still need to properly identify and tackle our workforce gaps. Properly addressing many of these needs with contractors is a critical part of the solution here. GAO has ongoing government-wide reviews looking at both the cybersecurity and IT workforce needs.

    Turning to improvements on major acquisitions, we still need to stay the course with major provisions in FITARA. This starts with incremental development. Your scorecard shows major progress in this area, but we still have too many projects not tackling this in manageable segments.

    We also need to have IT shops aware of IT contracts so that we can avoid duplication and to ensure the right governance over these acquisitions. A recent contracting review was discouraging, as only one-third of the agencies had a process to approve IT contracts consistent with FITARA and OMB guidance.

    And of our sample of almost 100 contracts, only 10 percent were approved by CIOs or their designee. Strengthening the relationship between CIOs and chief acquisition officers is needed.

    We also believe the Nation's top Federal IT acquisitions should have OMB governance over them in addition to agency governance. The top acquisitions should include VA and DOD's EHR acquisitions, IRS's K-2 project, SSA's disability case processing system, and FAA's NextGen acquisitions.

    The reason these acquisitions need OMB's attention is because these agencies, left alone, haven't managed them well. The administration's attention to VA's EHR solution is spot-on; we just need more of this. We have a review underway where we are identifying and profiling these most critical acquisitions.

    Regarding operational systems, again, we need to stay the course with FITARA. Data center optimization metrics provide great transparency on where agencies are at with their optimization metrics. And extending the sunset date from 2018 to 2020 will give agencies more time to both optimize and save.

    A couple key points here: Savings still can be significant as we optimize space and equipment. And the MGT working capital funds can be used to invest in unfunded priorities.

    Also, these agencies who can't optimize by 2020 need to get out of the data center business. We plan to report annually through 2020 on agencies' data center progress.

    We also believe that the Nation's most mission-critical legacy systems that are costly to maintain and pose significant cyber risk due to unsupported software need to be replaced with modern, secure technologies and ultimately decommissioned.

    OMB needs to have an active role here to ensure that these old systems, like VA's VistA system and IRS's Individual Master File, have plans to replace and decommission.

    The administration's recent modernization strategy was solid on network modernization, shared services, and cyber but light on tackling these most challenging modernization efforts. CIOs with average tenures of 2 years don't always focus on these longer-term, challenging legacy systems, which is even more reason for OMB to drive this. We have a review underway where we are identifying and profiling these legacy systems most in need of modernization.

    In conclusion, the American Tech Council, the Office of Innovation, and the modernization strategy are all positive developments. Now we need more action and implementation from OMB and agencies.

    Key focus areas should be on fixing CIO authorities in the IT workforce; regarding acquisitions: incremental development, CIO alignment with acquisitions, and the focus on our Nation's top acquisitions is needed. On the operations side, data center optimization and mission-critical legacy modernization need continued attention.

    Finally, the Comptroller General held a forum with prior Federal and agency CIOs from previous administrations in late 2016 to explore what has worked over the years in Federal IT. The results of this forum, summarized on page 10 of my written statement, are consistent with the comments here this afternoon and highlight the critical role OMB leadership plays.

    Mr. Chairman, again, thank you for your oversight of Federal IT.

    [Prepared statement of Mr. Powner follows:]

    Mr. Hurd. Thanks for being an important partner on this.

    And I misspoke. I apologize. Everybody has 5 minutes.

    So, Ms. Weichert, you are now up for your 5 minutes.

STATEMENT OF THE HONORABLE MARGARET WEICHERT

    Ms. Weichert. Thank you very much. It's great to be here on Pi Day to talk about this important subject.

    So, Chairman Hurd, Ranking Member Kelly, and members of the subcommittees, thank you for the opportunity to appear before you today to discuss the state of Federal information technology in 2018.

    In December, in testifying before the Senate Committee on Homeland Security and Governmental Affairs, I discussed the range of disciplines that the Deputy Director for Management is charged with overseeing, including IT, information security, human capital management, finance, accounting, performance management, and procurement.

    Today, as the newly sworn-in Deputy Director for Management, I'm working with our agency partners to drive necessary improvement in those disciplines. And I'm excited to talk about one of those areas, IT modernization, in depth.

    Improving our technology infrastructure is fundamental to aligning the executive branch to the mission, service, and stewardship needs of the 21st century. To that end, next week, we will release the President's Management Agenda, the PMA, an agenda which places IT modernization at its core.

    The PMA sets out a long-term vision for more effective government that better achieves missions and enhances the key services upon which the American people depend. IT modernization must provide the essential backbone of the government service delivery while keeping sensitive data and systems secure. And the President's Management Agenda also links to related critical issues associated with data accountability and transparency as well as the people and workforce for the 21st century.

    Since the establishment of the Office of E-Government and Information Technology in 2002, OMB has played a pivotal role in formulation of IT policy and strategic direction across the Federal Government. The Office of the Federal CIO, the Chief Information Security Office of the U.S., and the United States Digital Service are all in my organization. And, together, these groups leverage the convening authorities of OMB, including the CIO Council and the CISO Council, to coordinate executive-branch IT modernization activities.

    In addition, since 2014, U.S. Digital Service has been focused on improving and transforming the experience of Americans who interact with government online. This means that more citizens can easily and seamlessly access government services online due to more secure identity-proofing. It means veterans are receiving appeals responses in a more timely manner. It has enhanced Medicare claims processing, allowing citizens to access health data online. And USDS has also helped make it easier for small businesses to compete for government contracts and for acquisition officers to be better positioned to acquire commercial technology. Ultimately, all this work is part of a broader strategy to help rebuild Americans' trust in government.

    Today, I look forward to talking with you about a range of IT modernization initiatives, including the IT modernization report, the Modernizing Government Technology Act, Federal cybersecurity policy, agency IT transformation activities, including the work of U.S. Digital Service, and the IT workforce of the future, to name a few areas. More detailed background on many of these topics is included in my written testimony for the record.

    And, in closing, OMB looks forward to working with the Oversight and Government Reform Committee and with Congress broadly on IT modernization. Over the years, this oversight committee has been instrumental in driving Federal IT modernization through its role in developing legislation such as FITARA, the DATA Act, and the MGT Act. Through our collaborative efforts, I know we will be able to improve government services and cybersecurity.

    I thank the subcommittees for holding this hearing and for your commitment to IT modernization. I will be pleased to answer any questions you have.

    [Prepared statement of Ms. Weichert follows:]

    Mr. Hurd. Thank you.

    Mr. Zielinski, you are now recognized for 5 minutes.

STATEMENT OF BILL ZIELINSKI

    Mr. Zielinski. Great. Good afternoon, Chairman Hurd, Ranking Member Kelly, and members of the subcommittee. My name is Bill Zielinski, and I am the Deputy Assistant Commissioner for the Office of Information Technology Category in GSA's Federal Acquisition Service. In addition, I also serve as the Office of Management and Budget-appointed government-wide IT category manager.

    I am pleased to be here today to discuss the important role GSA plays in Federal information technology efforts government-wide.

    The IT Category at GSA enables agencies in the acquisition of $50 billion in goods and services annually from more than 20,000 industry partners. ITC's top priority is to maximize customer value and mission productivity.

    And while GSA brings significant capabilities to the table in facilitating the modernization of the Federal Government's IT infrastructure and applications, it's through the strategic partnerships with other agencies and our industry partners where we will make the greatest progress.

    For instance, I work closely with OMB's Office of Federal Procurement Policy and administrator of the Office of Electronic Government to review the Federal IT spend, determine where opportunities exist to collaborate on the acquisition of IT products and services, and implement strategies to get more value from IT dollars.

    In that vein, I would now like to discuss four key ways in which GSA is supporting the modernization of the Federal Government's IT infrastructure and applications.

    First, in December, the American Technology Council issued its final report to the President on Federal IT modernization. The report is the culmination of a months-long process to develop a strategic plan that approves the security posture of Federal IT and incorporates feedback from industry and members of the public.

    The report has three key objectives that will inform future efforts: to reduce the Federal attack surface through enhanced application and data-level protections; to improve visibility beyond the network level; and to ensure that policy, resource allocation, acquisition, and operational approaches to security enable the use of new technology without sacrificing reliability or performance.

    GSA is directly tasked, in whole or in part, with half of the 50 action items recommended by the report and is actively working on these deliverables in accordance with report timelines.

    Second, the MGT Act is another critical tool for modernizing Federal IT. GSA thanks the members of these subcommittees for their dedication to getting this legislation passed.

    GSA is tasked with several key actions related to the MGT's Technology Modernization Fund. Chief among them is providing broad support for the Technology Modernization Board's activities, including technical support and the monitoring of agencies that receive funds from the TMF. Subject to appropriations, the GSA is prepared to help administer this critically important fund.

    Third, in partnership with the White House Office of American Innovation, GSA is working to establish five new centers of excellence. The COEs will house centralized function-specific talent, products, and acquisition vehicles. These teams will provide expert advice, development resources, and support solution implementation in the areas of cloud adoption, IT infrastructure optimization, customer experience, service delivery analytics, and contact centers. The first client agency for the COEs is the United States Department of Agriculture.

    Finally, GSA is helping agencies adopt new approaches for buying commercial off-the-shelf and as-a-service solutions. By leading in the development of modular contracting approaches to enable agile and efficient development of complex, new requirements, we are able to assist agencies through the entire lifecycle of procurement and system development.

    GSA's unique mix of talent and expertise in acquisition technology and service delivery, combined with our government-wide scope and scale, makes our agency an agent of transformation in how agencies will buy, build, and use technology.

    I want to thank you for the opportunity to appear before you today to discuss GSA's role, and I look forward to answering your questions.

    [Prepared statement of Mr. Zielinski follows:]

    Mr. Hurd. Thank you.

    And, Ms. Manfra, you are now recognized for 5 minutes for your opening remarks.

STATEMENT OF THE HONORABLE JEANETTE MANFRA

    Ms. Manfra. Thank you.

    Chairman Hurd, Ranking Member Kelly, members of the committee, thank you for today's opportunity to discuss the Department of Homeland Security's efforts to secure Federal networks.

    I would like to begin my testimony by thanking Congress for its work on the Cybersecurity and Infrastructure Security Agency Act of 2017. If enacted, this legislation will streamline the National Protection and Programs Directorate, or NPPD, and rename our organization to more clearly reflect our central role in government and private-sector critical infrastructure security. Much progress has been made, but we must stay focused until this work is complete. The Department strongly supports this effort and encourages swift action by Congress.

    Cyber threats remain one of the most significant strategic risks for the United States, threatening our national security, economic prosperity, and public health and safety. Over the past year, Federal network defenders saw the threat landscape grow more crowded, active, and dangerous. While in many cases our defenses have been successful in mitigating these threats, we must do more to ensure our cyber defenses keep pace with technological change and evolving risk.

    In my role at DHS, I head the Office of Cybersecurity and Communications. A core part of my role is protecting and managing the overall information security of Federal civilian networks. To do this, we must first gain visibility to understand the exposure that the Federal enterprise faces. Then we need to use our authorities to reduce this risk, whether that's through directives, guidance, or direct support to agencies. And, finally, we must build capacity within agencies to implement our guidance, act on threat information, and fully leverage the capabilities and services that DHS has to offer.

    Programs like the National Cybersecurity Protection System, or EINSTEIN, and the Continuous Diagnostics and Mitigation Program directly serve and enable these three lines of effort.

    Last year, the President signed an executive order on strengthening the cybersecurity of Federal networks and critical infrastructure, which set in motion a series of assessments and deliverables to improve our defenses and lower our risk to cyber threats.

    Across the Federal Government, agencies have been implementing the NIST Cybersecurity Framework. Agencies have been reporting to DHS and OMB on their cybersecurity risk mitigation and acceptance choices. DHS and OMB have evaluated the totality of these agencies' reports in order to comprehensively assess the Federal Government's cybersecurity risk management posture.

    The assessment found the Federal enterprise to be at risk. The choices we make to reduce this risk, in both cybersecurity budget and operational priorities, must be informed by a data-driven, risk-based assessment of Federal cybersecurity and the threat environment.

    As part of the executive order, my office has been working with OMB, GSA, and Federal agencies to modernize the Federal Government's IT infrastructure. We are exploring opportunities to consolidate network architectures, embrace shared IT services, all the while emphasizing cybersecurity as a foundational element to all new IT services.

    We recognize that legacy IT systems present considerable challenges in efforts to secure Federal networks. The risks posed by these antiquated, end-of-life systems have perhaps best been demonstrated by the difficulties agencies face in complying with DHS's binding operational directives which govern vulnerability patching. Some legacy systems can no longer be patched, others are not supported by vendors, and some experience significant performance issues if not reconfigured during the security upgrade process.

    While in most cases DHS and the agencies have been able to address these issues and either upgrade, transition, or mitigate the problem entirely, this complicates and adds cost to agency efforts to patch their own systems--an exercise that does need to be as painless as possible.

    While the use of more modern IT has efficiencies and convenience of its own, the benefits it brings to cybersecurity efforts are also significant.

    My organization works with departments and agencies to identify and prioritize high-value assets or those systems for which a cyber incident could cause significant impact to the United States. We conduct security architecture reviews to assess network architectures and configurations and conduct in-depth vulnerability assets, which determine how an adversary could compromise these systems, persist in their networks, and gain access to sensitive data.

    These assessments provide system owners with recommendations to address identified vulnerabilities and assist them in prioritizing their limited resources to fix the worst things first.

    In closing, I want to assure this committee that DHS is embracing our statutory responsibility to administer the implementation of Federal agency cybersecurity policies and practices by leading the effort to secure the Federal enterprise, in coordination with my partners on the panel, following a risk-based approach.

    This committee played a key role in championing the passage of FISMA 2014 and clarifying these important authorities for DHS, and we thank you for those.

    The overarching goal of Federal cybersecurity is to ensure that every agency maintains an adequate level of cybersecurity commensurate with its own risk and with those of the Federal enterprise.

    Thank you for the opportunity to testify, and I look forward to any questions you may have.

    [Prepared statement of Ms. Manfra follows:]

    Mr. Hurd. Thank you.

    And now it's a pleasure to recognize the gentleman from Montana for 5 minutes.

    Mr. Gianforte. Thank you, Mr. Chairman.

    And thank you to the panel.

    Mr. Powner, it's good to see you again. It seems like you're here monthly. And I appreciate your help in moving forward the IT procurement.

    Mr. Zielinski, I would like to dive in a little bit into GSA's role in procurement, particularly as it relates to shared services.
Could you talk a little bit about, to help the \ncommittee, what are shared services and what do you see as the \nbenefits of mandating those for agencies where appropriate?\n    Mr. Zielinski. So, in the broadest sense, shared services \nis an opportunity for us to, rather than having each agency \nindependently build out a capability set, to be able to build \nthose out in a centralized way.\n    It could be that it is a government-operated, government-\nbuilt shared service, or it could be that it is a commercially \noffered solution. In working with the Office of Management and \nBudget, as well as with our own Unified Shared Services \nManagement office, we are working to develop a series of shared \nservices along the lines of business.\n    There's a lot of opportunities and benefits to this \napproach. First of all, there's significant cost savings. \nSecondly, as we talked about, the security posture, that \nability for us to protect the shared service and be able to \nmake changes to that individual or that one shared service and \nhave all of the participants benefit across the government is \nsignificant.\n    Mr. Gianforte. Okay. And what IT services are already being \nprocured under a shared services model?\n    Mr. Zielinski. Oh, sir, there are a number. What I would \nlike to offer is to be able to bring the full list, but I'll \ngive you some examples here today.\n    Mr. Gianforte. Please.\n    Mr. Zielinski. For one, we have a shared service offering \nthat's in and around the implementation or the issuance of the \nPIV credentials, the HSPD-12 PIV credentials. That is operated \nout of GSA. There are 110 customer agencies with more than \n750,000 credentials under active management.\n    That's an example of a very mature shared service that is \nutilized across government. There's shared infrastructure for \nagencies to be able to go to, common issuance sites. 
In \naddition, there are shared services for payroll, shared \nservices for financial services. And we continue to build out \nother shared services.\n    And, again, I will bring back a more complete list of what \nthose shared service offerings are.\n    Mr. Gianforte. Okay. So it sounds like shared services \nallow us to standardize procurement in such a way that various \nagencies don't have to roll their own, so to speak?\n    Mr. Zielinski. Correct.\n    Mr. Gianforte. Yeah.\n    So there's cost savings. You mentioned earlier $50 billion \nof annual procurement. If shared services were fully \nimplemented where appropriate, how big is the size of the prize \nin terms of savings?\n    Mr. Zielinski. Yeah, I don't have an answer for that. You \nknow, I think that as we are now going through the different \nlines of business and identifying those opportunities for \nshared services, we'll have a much better or more complete \npicture of what those savings opportunities are.\n    Mr. Gianforte. In instances where you have used shared \nservices, how much savings resulted?\n    Mr. Zielinski. It differs based upon the service itself. \nAnd, again, what I can do is bring back some more explicit \ninformation for each of these shared services as to where that \nis.\n    Mr. Gianforte. Okay.\n    So cost savings are one benefit. What impact does it have \non security when a service is shared versus implemented \nindividually by the agencies?\n    Mr. Zielinski. So I would like to start, and I would also \nlike to ask my partner, Ms. 
Manfra, to also add in as well.\n    One of the things that we're able to do is that, as each \nindividual agency is building out a capability, that means that \nthose individual agencies are also responsible for ensuring \nthat they are patching and kind of doing the basic blocking and \ntackling that's necessary to secure the capability, and that if \nthere is something that happens within the overall system that \nthey have to respond to, that also means that they each \nindividually would have to do that.\n    In a shared services instantiation, we have where there is \na central group who is managing that security posture of the \nshared service. And that means that, when there is something \nthat occurs or there is a need for us to make a change or to \naddress a vulnerability, we are able to do that once and it is \naddressed for all of the customers of that.\n    Mr. Gianforte. And, again, I want to go back to my prior \nquestion. I realize you want to go collect more data, and I do \nwant an accurate answer. But it seems like shared services \npresents an opportunity to standardize procurement, limit \nvariability, increase security, and lower cost, all of which \nare good objectives.\n    Where is shared services on your priority list as you're \nworking with agencies on procurement?\n    Mr. Zielinski. So I will say that, going back to the IT \nmodernization report, this is one of the core principles within \nthe President's IT modernization report, is for us to look for \nthose opportunities to build out shared services to be able to \nboth speed the modernization but also to increase the \nprotection. So it is one of the core priorities in moving \nforward with modernization.\n    Mr. Gianforte. And final question: Who should be managing \nthese shared services within the government?\n    Mr. Zielinski. The plan, as it stands today, is to look for \nmanaging partners based upon the capability areas. 
So, \ndependent upon what the business function or area is, that \nthere is a role for the appropriate agency. So, in the case of \nHR shared services, OPM would have a significant role, as an \nexample.\n    Mr. Gianforte. So, then, they could be a service provider \nto other agencies, if necessary?\n    Mr. Zielinski. Correct.\n    Mr. Gianforte. Okay. Thank you.\n    I yield back, Mr. Chairman.\n    Mr. Hurd. Ranking Member Kelly.\n    Ms. Kelly. Thank you.\n    The growing rate of sophisticated data breaches and cyber \nattacks in the private and public sector have heightened \nconcerns over the security and strength of Federal IT systems.\n    And some of these devastating attacks succeed because \nFederal systems are dangerously outdated and obsolete. And I \nmentioned in my opening statement that nearly 75 percent of the \nFederal Government's IT budget is dedicated toward maintaining \nlegacy computer systems.\n    Mr. Powner, why does it take such a large share to maintain \nthose systems?\n    Mr. Powner. Well, I think, historically, operational \nsystems in the Federal Government get a pass. So when you look \nat that's something the lights are on and it's running and \nwe're serving the mission, we might not be serving the mission \nefficiently, we might not be serving the mission securely, but \nit's gotten a pass over the years. That's been the biggest \nproblem.\n    I think this committee, you know, going back to 2016, when \nwe did the big report with the 8-inch floppy disk at DOD, \nhelped raise the issue of how old and insecure and costly these \nsystems are.\n    We are starting to make progress. The problem is that we \nstill need firm dates to replace these systems where we \nactually turn them off. I mean, I agree with all the comments, \nthat it's difficult to maintain and patch, there's unsupported \nsoftware. But, ultimately, the security solution is turning \nthem off and decommissioning them.\n    Ms. Kelly. 
I'm not trying to be comical, but because the \nsystems are so old, do we even have the staff--we talk about \nthe staff for the new systems and the workforce, but what about \nthe staff to maintain these systems?\n    Mr. Powner. Well, that--so it's very difficult. I know, \npersonally, I do a lot of detailed work at IRS, and when you \nstart looking at assembly programmers there, we're losing them \nleft and right. We pay a premium to contractors to maintain. We \npay other younger programmers who know modern language as a \nretention. It costs money to maintain these systems. And each \nyear we go on, it costs more and more, and we become more and \nmore insecure.\n    Ms. Kelly. And what happens if we just turn it off?\n    Mr. Powner. Well, right now, we need a lot of these \nmission-critical systems to actually do the mission. You know, \nthe IMF system at IRS, that's where we get $3.3 trillion in \nrevenue through tax returns. It's critical.\n    Ms. Kelly. Uh-huh.\n    Mr. Powner. Chairman Hurd's held hearings on the VA VistA \nsystem. I mean, we still need that to apply medical services to \nour veterans.\n    But, again, you know, that's why we need to keep them \nrunning, because they're mission-critical.\n    Ms. Kelly. Okay. Thank you.\n    The Modernizing Government Technology Act is a key \ncomponent of this administration's continued effort to improve \nFederal technology by providing financial resources and \ntechnical expertise to agencies.\n    Does the MGT Act continue to be, you think, a priority for \nthe Trump administration and OMB?\n    Ms. Weichert. Absolutely. 
The MGT Act and the Technology \nModernization Fund are absolutely priorities for the \nadministration.\n    And we've actually pulled together in the President's \nManagement Agenda, which will be released next week and was \nhinted at in the President's budget in February, a wholistic \nperspective on how we tackle these issues, which is not purely \nthe technology piece, as you have mentioned. It includes issues \naround data and data structure. It also includes very critical \npeople issues.\n    We want to solve these issues wholistically, build on past \nsuccesses, and we believe that the MGT and the Technology \nModernization Fund will be great stepping stones toward the \nfuture of really pulling all of these dimensions together so \nthat they are not siloed by function, where, you know, we have \nCIOs, you know, who, by the way, need more authority--and you \nall have done great work in FITARA to do that, and we support \nthat. But we also need the human capital element, the financial \nelement, the procurement element to be at the same table.\n    And so what we're laying out in the President's Management \nAgenda is that wholistic framework. It was why I was so eager \nto actually be here and share. Because one of the root-cause \nobservations that we had when we looked at how government was \ntackling these issues versus the private sector, it was that \nlack of integration across function. And we plan to tackle \nthat, leveraging these authorities that Congress has provided \nthrough the MGT Act and TMF.\n    And, by the way, we really hope the appropriators actually \nfund the TMF.\n    Ms. Kelly. Okay. Thank you.\n    Mr. Powner, can you comment on the steps that OMB is \ntaking?\n    Mr. Powner. Well, I think, clearly, the guidance that OMB \njust put out, you know, that's the right direction. And that \nguidance was very solid. You know, now the hard part is \nimplementation. 
You know, we're really good at plans and \nguidance in this town, but we're not always good at getting \nthings done and implementing them completely.\n    So let's do this right with the MGT Act, because we got \nsavings out there. As Mr. Zielinski said, with shared services \nor still with some data centers, we can populate these working \ncapital funds and really do MGT right.\n    Ms. Kelly. Thank you.\n    And I yield back.\n    Mr. Hurd. Mr. Blum, you're now recognized for 5 minutes.\n    Mr. Blum. Thank you, Chairman Hurd.\n    Thank you to our panelists for being here today.\n    Mr. Powner, your challenge is, in the next 5 minutes, to \nmake me an expert on cloud computing. Cloud computing has been \nin the news lately with the Federal Government. Department of \nDefense, I think, is looking at going to cloud computing. I \nassume the entire government will be there at some point.\n    Can you talk to me about the efforts to go to cloud \ncomputing, A? B, financially, is that going to save the \ntaxpayers money or not? And, C, I'm particularly interested in \nthe following, and that is, will it be more secure or less \nsecure or perhaps the same level of security that we have \ntoday, not being in the cloud?\n    Mr. Powner. So there's all kinds of various aspects of the \ncloud. So, like, for instance, on our data center situation we \nhave, when I say that some agencies by 2020 should get out of \nthe business of data centers, that's because we have \ninefficient data centers that they're not going to optimize, \nmaybe two-thirds of them. 
And what we could do there is we \ncould host our existing applications in a cloud environment or \non servers and infrastructure maintained by contractors who are \ncloud providers.\n    So that's one way that we could actually save money and \nhave optimized data centers, by actually outsourcing all of it \nto the cloud.\n    We can also, too, in some of the shared service areas that \nwe talked about, you can actually buy software as a service in \nthe cloud from many of these cloud providers. And that's \nanother way where we can save money.\n    However, there are some of these mission-critical \napplications like some of these homegrown systems that are \ncritical to agencies' mission that you're not going to find \nthat as a software, as a service, that we've got to actually \njust do the hard work and convert those old systems.\n    So cloud, there's a great opportunity. It's not the \nsolution for everything. But there's substantial savings.\n    And from a security perspective, you know, if you really \nlook, the intel community kind of led the cloud migration. We \nwere concerned on the civilian side about having enough \nsecurity. So if it was good enough for intel, it's probably \ngood enough for a lot of others.\n    The other thing you could do is, through your contracting \nprovisions--and we did work on this, looking at service-level \nagreements and contracts--you can specify the level of security \nyou want from those cloud providers and actually dictate the \nlevel of security. So, in many ways, cloud services can be more \nsecure than what we currently have.\n    Mr. Blum. Do you think all Federal IT should eventually end \nup in the cloud?\n    Mr. Powner. 
There are some aspects that won't be in the \ncloud because they're unique to agency missions, but there's a \nlarge portion that could end up being in the cloud.\n    But there are these pockets of unique applications that we \ndo that no one else has that we have to do the hard work and \nconvert those to more modern platforms and modern software.\n    Mr. Blum. Where are we at today in this journey to the \ncloud?\n    Mr. Powner. So that's a good question. We're doing some \nwork for this committee where we've done prior works, and we \ntry to measure it as a percentage of budget or IT spend, and \nit's very difficult. You know, we did this work a couple years \nago, where agencies varied from 2 to 7 percent of their IT \nbudgets were in the cloud. That's improved somewhat. But it's \nvery difficult to give you a good, hard number right now. We're \nworking on that for this committee.\n    Mr. Blum. Thank you.\n    Ms. Weichert, is it?\n    Ms. Weichert. Yes.\n    Mr. Blum. OMB, how involved are they in this migration to \nthe cloud?\n    Ms. Weichert. So it's a great question, and it is actually \none of the priorities that we're laying out as part of the \nPresident's Management Agenda. Now that the Federal CIO is in \nplace, it is on her top priority list.\n    And we're working closely with GSA and the centers of \nexcellence on the implementation. 
They've already met to put \ntogether tiger teams in terms of cloud email adoption, and \nthey're looking at other areas where commercially available \nsolutions are already in place, secure, and working at some \nagencies, to elevate the lessons from those and extend them \nacross government.\n    But ultimately the test, to the question that you asked \nearlier around which things should migrate to the cloud, it's \nessentially going to be dependent on the mission; the service \naspects, so how well we can serve the needs of our citizens and \nthe American people; and then the stewardship aspects of \nfinancial stewardship. So we're really going to be looking at \nbalancing those three items.\n    Mr. Blum. Thank you.\n    Mr. Zielinski--I hope I pronounced that right--this is kind \nof interesting. The centers of excellence, can you just briefly \ntell me about that and that effort?\n    Mr. Zielinski. Certainly. Thank you for the question.\n    Going back to some of the things that Mr. Powner mentioned, \nas agencies are making these decisions about their strategies \nfor moving to the cloud or considering the cloud, the centers \nof excellence are places where we bring together technical \nexpertise, the engineers and others who understand the dynamics \nof matching those business applications and those business \nfunctions to where they best lend themselves to a cloud \napplication, whether that software is a service or platform is \na service, and then help agencies to find acquisition \nstrategies for them to be able to move.\n    So there's a lot of direct assistance that those centers of \nexcellence provide to a customer agency, and they do that \nthrough bringing together the expertise, as Ms. Weichert said, \nbeing able to make sure that we have all of those functions \nworking hand in glove, the technical expertise as well as the \nacquisition.\n    Mr. Blum. 
Is it more of a planning function or more of an \nexecution function, the centers of excellence?\n    Mr. Zielinski. It's absolutely an execution function, sir.\n    Mr. Blum. Because I agree with what Mr. Powner said earlier \nabout we're good at planning, not so good at following through.\n    Thank you very much. I am out of time and I yield back.\n    Mr. Hurd. I now recognize the ranking member.\n    Ms. Kelly. I just have one quick question and not for Mr. \nPowner.\n    How long have all of you been in your positions you're in \nnow?\n    Ms. Manfra. I was appointed in June of last year, ma'am.\n    Mr. Zielinski. I've been with GSA for 2 years.\n    Ms. Kelly. In the position you're in now?\n    Mr. Zielinski. Six months.\n    Ms. Weichert. The Senate confirmed me on Valentine's Day of \nthis year.\n    Ms. Kelly. All relative newbies, okay. No insult to you, I \njust knew you'd been around. Thank you.\n    Mr. Hurd. He's been there forever, I think is the right \nanswer.\n    Mr. Zielinski, can we follow up on the centers of \nexcellence. I recognize myself for 5 minutes. How does this \nprogram differ from 18F?\n    Mr. Zielinski. So thank you for the question, sir. The 18F \nhas those technical experts that the centers of excellence can \nactually tap into. So as I talked about bringing together the \ndifferent discipline areas to be able to bring to bear on a \nparticular agency problem set and to assist them in being able \nto understand the dynamics of their business case and how they \ncan move forward, 18F, as an organization, would be one of the \nareas into which the centers of excellence can reach to bring \nthat technical expertise to the table.\n    Mr. Hurd. Got you. And how do we ensure these centers of \nexcellence, other than having GAO white glove it, how do we \nensure that these don't duplicate efforts that are going on in \nthe rest of the government?\n    Mr. Zielinski. 
So going back to the agenda that has been \nlaid out by the administration in and around starting with the \nIT modernization report as well as with the President's \nManagement Agenda, it's a very tight weave in terms of ensuring \nthat there's a collaboration across all those functional areas.\n    And there are many opportunities for those functional areas \nto be brought together to ensure that we are all bringing to \nbear the best talent and that we're also not duplicating \neffort, sir.\n    Mr. Hurd. Good copy.\n    Ms. Weichert, one of the things that is still frustrating, \nand I'm glad Mr. Powner alluded to this in the beginning of his \nremarks, is CIO authorities. We can't hold CIOs accountable if \nwe don't give them all the power they need. FITARA gives them \nthat authority, but in many places the agency CIO doesn't have \nthe complete budget authority of those--of that entire \noperation.\n    And Transportation is an example. I think they have nine \nCIOs, people with the title, nine CIOs, $3 billion-plus budget.\n    Can we reprogram the funds from those various sub-CIOs \ninto--under the Federal--under the agency CIO in order to \nstreamline that budget authority?\n    Ms. Weichert. So not being an expert on appropriations, I \nwant to caveat and say that I would love to answer that in more \ndetail after conferring with some of our budget folks. But what \nI can say is absolutely agree with your frustration. 
It's \nsomething we in the administration share and are looking very \nclosely at how do we address.\n    I think in the President's Management Agenda we are laying \nout how all of the components of the various authorities across \ngovernment, how they work together and how they align together, \nand to avoid duplication, while giving the maximum elevated \nlevel of capability to the CIOs.\n    I think the Technology Modernization Fund and the MGT, in \nproviding new capabilities around working capital funds, that \nis a place we are going to start and are already exploring ways \nthat we can work with agencies to help them focus and target \nresources towards the highest priority projects, as Mr. Powner \nhas suggested.\n    In terms of getting additional capabilities, I think the \nauthorities are different in terms of transfer and how they can \nuse their working capital funds, that I wouldn't want to give \nyou an across-the-board answer.\n    Mr. Hurd. But would you have heartburn if we were to \nreprogram some of these to ensure that the agency CIO had all \nthe budget authority for IT spend across that network?\n    Ms. Weichert. So I haven't studied that specific issue.\n    Mr. Hurd. Okay. That's a fair answer.\n    Ms. Weichert. But what I can say is we are absolutely in \nalignment in terms of the idea that the CIO for the broad \nagency needs to have all the capabilities and tools to make \nthese very profound investments.\n    And the more we can align to the way the private sector \nworks, where you've got a general manager of a division or an \nagency, and their C-suite includes the chief information \nofficer, the chief financial officer, the chief people officer, \nand, where appropriate, the procurement officer, they need to \nall be there in lockstep.\n    Mr. Hurd. And the CIO. I think you said that.\n    Ms. Weichert. I said that first, yes.\n    Mr. Hurd. Okay, first. Okay. Gotcha. Gotcha. I agree. 
And \nmy teams would get mad because we're talking about how do we \nchange the FITARA Scorecard to penalize agencies that don't \nhave the Federal CIO reporting directly to the agency or deputy \nagency head.\n    We've asked everybody why, what's going on, why is that the \ncase? We've gotten a lot of excuses: ``Oh, it's kind of already \nthere.'' Well, if it's already there, then change the damn \nstructure. And so we are looking at having that be reflected in \nthe FITARA Scorecard.\n    Mr. Powner, do you have any opinions on the reprogramming \nand giving complete budget authority to the CIA--CIO? Let me \nrephrase that. The CIO, not the CIA. I don't want anybody to \nget mad and run an ad against me.\n    Mr. Powner. I think the first step is that we understand \nall the IT spend. I think many CIOs, we don't even know the \nfull totality of what we spend at these departments and \nagencies. So once we understand that, I do think the CIOs \nshould control that more.\n    It's okay, too, if there ARE some business units that \ncontrol it and they act in partnership, where the CIO is \nworking with those business units to spend it appropriately, to \noversee it the right way and that.\n    So I think there's probably even some blend. I think right \nnow if we did it completely whole hog, you have complete budget \nauthority, the whole bit, I don't know if that would--maybe we \nneed to shock the system as you're intending. That's one way to \ndo it.\n    Mr. Hurd. Your word, not mine, sir.\n    Mr. Powner. But the other way to do it is to have some type \nof blend where we know the entire spend and the CIO has a role, \nwhether they control every dollar or not, but they're still \nresponsible for governing over it. We've got too much IT spend \nthat we don't have IT people on it.\n    Mr. Hurd. You reminded me of something I was going to ask.\n    And, Ms. Weichert, this may not be something on the top of \nyour mind.\n    Or, Mr. 
Zielinski, I think this is outside of your scope.\n    The Department of Defense recently made the decision to not \npublish their IT amount. I believe it was in a recent--was it \nan OMB report? What was it? The analytical prospectus. It said: \nHey, we're going to stop showing DOD's number on IT along with \neveryone else.\n    So we went from spending, the Federal Government spending \n$90 billion to $40 billion, and they said, you know, asterisks, \nfiscal year 2018, it was roughly $50 billion.\n    Do you have any insight into that decision, that process? \nAnd we will be bringing--again, not to, you know, show our \nhand--but we'll be bringing DOD for the next FITARA Scorecard \nhearing to have them answer that directly. But I'd welcome your \nthoughts.\n    Ms. Weichert. Yeah. Unfortunately, that was prior to my \nbeing confirmed, so I wasn't read in on that particular \ndecision.\n    Mr. Hurd. When you're talking to them----\n    Ms. Weichert. I will note it.\n    Mr. Hurd. --tell them this committee is interested.\n    Ms. Weichert. I will share that.\n    Mr. Hurd. And I'd love to have the answer prior to--should \nI introduce these into the record?\n    So, yeah. The analysis in this chapter excludes the \nDepartment of Defense and classified spending, which in fiscal \nyear 2008 was $42.5 billion, or 44 percent of the IT budget. So \nwe're going to start showing only 66 percent of the budget as a \nwhole number, which seems a little odd to me.\n    Ms. Manfra, one of the things I want to do with the FITARA \nScorecard is transition it into more of a digital hygiene \nscorecard as well. I think the elements, as Mr. Powner has \ntalked about, we've got to continue to double down on those \nissues.\n    But I think being able to highlight at the macro level good \ndigital hygiene is important. I think the inclusion of the \nMEGABYTE Act on that was one of that. Do you know all the \nsoftware that's running on your system? 
And I think only three \nwere able to answer yes, which is pretty shocking. And, again, \nthese are self-reporting numbers.\n    So what are some of the areas that you think that we should \nor could be exploring when it comes to digital hygiene and how \nwe look across that over the entire enterprise?\n    Ms. Manfra. So I think, first of all, I think that's a \ngreat idea, to include that. Frankly, shining a light on some \nof these basic practices has been useful in agencies \nprioritizing.\n    So I briefly alluded to the critical vulnerability \npatching. What we saw through years of assessments was just \ncontinued poor patch management programs. Some of it does have \nto do with legacy systems and all that.\n    But what we decided to issue, our first binding operational \ndirective, was actually to require the time to patch a critical \nvulnerability down to 30 days.\n    And the important way, though, that we were able to be \nsuccessful, I think, with this and with other directives and \nother guidance that we provide is that we can independently \nvalidate. We're not relying on self-reporting. And so the more \ncapability that DHS is deploying--in this case it's the \nexternal scanning that we're doing of all internet-facing \ndevices--that we can say, no, I can see that you haven't \nactually patched.\n    The good news story is that when we--I think fiscal year \n2014 average time to patch was somewhere in excess of 200 days \nfor critical vulnerabilities, which is bad. After the \ndirective--and it continues, which shows how these things \nchange behavior--we're averaging in the 10 to 15 days.\n    And so it's helping them prioritize their very limited \nresources by focusing on known issues, and that's what we want \nto continue to do, but it's also important that we can \nindependently validate this.\n    You talked about knowing what software on your system. 
So \nthe Continuous Diagnostics and Mitigation Program that we've \nbeen deploying, the first phase is hardware and software asset \nmanagement. And we've learned a lot through that program in \nwhat agencies thought they had on their network was not exactly \nwhat we found that they had on their network after deploying \nthese.\n    And I know in one sense it's frustrating to sort of be in \nthat environment, but at least we're in a position now where we \ndo know. We know what's connected to the network and as we \ndeploy more tools.\n    And as a side note, this program actually is also very \ncost-effective, and we've been able to identify that I think \nit's 75 percent cost savings off of schedule--if they had \nbought these on Schedule 70.\n    So we're deploying common tools that are identifying what \nand who is on networks. And I believe that this will \nfundamentally transform the way that we do, in the first case, \nvulnerability management for the government, but eventually we \nwill get to event management and ongoing authorization in those \nprograms.\n    But it has to be through the deployment of these \nstandardized tools that then feed data back to an agency CIO \nand DHS so that we can, through automated sensors, understand \nwhere they are.\n    Mr. Hurd. Would you have security concerns of publishing \nthat number of how long it takes to patch software, like the \naverage it takes to patch software from agency from agency?\n    Ms. Manfra. I don't know how----\n    Mr. Hurd. You can take time to think about it.\n    Ms. Manfra. Yeah.\n    Mr. Hurd. It's just I think that's an element that, self-\nreporting, we can establish a letter grade based on what are \nindustry best practices. Is a week an A? Two hundred days is \ndefinitely an F, right? Where that's something that we could \npackage and keep track of and make sure that we're continuing \nto shine a light on.\n    Ms. Manfra. Absolutely, sir. 
And there's a few other things \nthat we've identified as very common practices that we're \nfocusing our guidance on. And we'd be happy to work with you on \nhow we can improve those practices.\n    Mr. Hurd. And before we get to the gentleman from the \nCommonwealth of Virginia, my last question is, one of the \nthings that I've--in the 3-1/2 years we've been doing this \ntogether, we've asked a lot of questions about, are you doing \ntechnical vulnerability assessment, penetration testing? And a \nlot of agencies have said yes, and then you find out after the \nfact they're just doing a scan, that they're not bringing a \nthird-party system, a third-party vendor to come in and do that \ntesting.\n    Your organization has been doing that. Have you seen an \nincrease in that as a best practice?\n    Ms. Manfra. So you're right, there isn't a very common \ndefinition of what people mean by penetration testing. You \nknow, as I noted, we do passive scanning, but that is to \nidentify one set of issues.\n    We also do our risk and vulnerability assessments, which is \npenetration testing, which is actively going and trying to \nidentify and exploit vulnerabilities. That's what we would \nconsider.\n    We haven't previously taken statistics on what agencies are \nusing penetration testing. I can tell you that just in the last \nfiscal year, we did 42. We focus, prioritize high-value assets. \nSo we go through all of the high-value assets to do a full risk \nand vulnerability assessment, which includes a penetration test \nas well as a report to them. But we could definitely follow up \non that.\n    Mr. Hurd. Well, we'll be asking the agencies this question, \nso when we collect that information we'll share it with you so \nthat you're aware.\n    Ms. Manfra. Thank you, sir.\n    Mr. Hurd. Now I'd like to recognize the gentleman from the \nCommonwealth of Virginia, the ranking member, Mr. Connolly.\n    Mr. Connolly. 
I thank my friend.\n    And welcome to our panel.\n    And thank you both to Mr. Hurd and Ms. Kelly for their \nleadership of this subcommittee and on this subject matter. \nWe're really fortunate to have Members who care about the \nsubject matter and delve into it. It's actually rare. You'd \nthink more Members would be involved in IT, but they actually \naren't, for various and sundry reasons.\n    And so one of the great pleasures of serving on this \ncommittee is that--and Mr. Meadows is not here, but the four of \nus have really worked seamlessly, in a nonpartisan way, to try \nto help rationalize Federal IT policy. And I think for all four \nof us, it doesn't matter whether it's a Democrat or a \nRepublican administration, we want it to work.\n    And so, in that spirit, welcome.\n    Ms. Weichert, in March of last year the White House \nannounced the Office of American Innovation. And after that, \nOAI was credited with a whole bunch of projects as large as \npushing the overhaul at the Veterans Administration healthcare \nIT system, setting the policy for the Federal Government's \nadoption of AI, and presumably implementation of FITARA, data \ncenter consolidation, moving to the cloud, empowerment of CIOs, \nand so forth.\n    Now, under the E-Government Act of 2002, normally that role \nwould be played by the Federal CIO. Now that presumably we're \ngoing to have a Federal CIO, what is OAI's role going forward, \nand how does OMB play a role in all of this as well?\n    Ms. Weichert. I think it's a great question, and we are \nworking in lockstep across the administration to set out a \nfocused agenda for all the elements around not only IT \nmodernization, but the other enabling capabilities around data \ntransparency and accountability, as well as the people \ndimensions of that.\n    And OAI did a great job providing catalytic capabilities in \ngetting a lot of these activities started. 
But what's been \nincluded in the President's budget in February and what will be \nrolled out next week in the President's Management Agenda is \nthe comprehensive go-forward plan.\n    We do have a Federal CIO, an outstanding leader from the \nprivate sector who has done execution of change in complex, \nhighly regulated environments in the financial services and \nother industries, who's really here to help continue to carry \nthat torch.\n    I think a lot of the activities that have been enabled by \nthe MGT Act and the TMF are stood up. The Federal CIO actually \nmet earlier this week with the members of the IT Modernization \nFund Board, and they did a dry run, so that when appropriations \ncome--I'm hoping they're coming soon--that the board will be \nprepared to act quickly.\n    We continue to work very closely with OAI in terms of \nhelping shape the strategy and bring to bear the best thinking \nof the administration and also marshal resources outside of \ngovernment to provide insights that might be helpful in our \njourney.\n    But we in OMB are really leading the direction with the \nPresident's Management Agenda and bringing the executive branch \nalong. And I look forward to having you all get to see what \nwe're putting together that's going to be in the PMA launch \nnext week.\n    Mr. Connolly. So I know that the chairman talked about \nmaybe broadening the current FITARA Scorecard at some point to \na digital hygiene scorecard. I would be supportive of that once \nwe make more substantial progress on implementation of what's \nin front of us, because we've seen some backsliding. You know, \nDOD, the Big Kahuna, got an F. 
And so we want to see more \nprogress, but we can't really see it without leadership coming \nfrom your office.\n    I assume, but let me ask, you are committed to the metrics \nset in the law, FITARA, and the tools, allowing us to try to \nfacilitate that, that MGT, just passed into law, also gives \nagencies, to facilitate implementation of the law.\n    I assume you're trying to push agencies to meet the metrics \nset for them in the law.\n    Ms. Weichert. Absolutely. And I think the focus \nhistorically, that has been very siloed. In a lot of cases some \nof the challenges around FITARA implementation and some of the \nthings measured in the scorecard hit root cause issues that \nwere underlying those things. In a lot of cases, people issues \nare part of the problem.\n    Mr. Connolly. Yes.\n    Ms. Weichert. In some cases data and even the ability to \nsee the problem is part of it.\n    So part of what we want to do is actually use the broad \nmanagement table to really shine a light on those issues. And \nto the extent the scorecard needs to evolve or mature, we'd be \nvery happy to take input from GAO and work with Congress on \nthat. But we are very supportive of the spirit of FITARA and \nmoving forward with that.\n    And I guess the last thing I'll just say is, my perspective \nin the private sector, if you've got a broad failing to meet \nthe needs outlined in a strategic plan or a set of metrics, \nit's incumbent upon the person who's accountable for those, \nespecially if it's me, to really understand are there root \ncause issues that are preventing us from doing that and then \naddressing those as well.\n    Mr. Connolly. Yes, I couldn't agree with you more. And like \nyou, I come from the private sector. I spent 20 years as a \ncorporate officer. And what I learned in the private sector and \nthe public sector is, if the boss doesn't care, neither do I.\n    Ms. Weichert. Right.\n    Mr. Connolly. I'll give it lip service.\n    Ms. Weichert. 
I care. I care a lot.\n    Mr. Connolly. Exactly.\n    But they need to feel pressure. They need to know I'm going \nto be evaluated by the boss on implementation, on meeting those \nmetrics.\n    And the other thing, and then I'll be quiet, but with \nrespect to personnel, we've got to empower, in Latin we call it \nprimus inter pares, the first among equals in CIOs. There has \nto be a primus CIO who's got the responsibility, the \naccountability, and the power to make decisions. They've got to \nbe empowered, and everyone has to know that.\n    If the CIO of an agency is reporting to the deputy \nassistant Gromit in the basement, that does not escape the \nattention of everybody else. And I might give lip service, but \nI know he or she doesn't really have the boss' attention.\n    We elevate the issue--I mean, we elevate the role of that \nperson and the stature of that person, we elevate the issue and \nits importance in everybody's eyes.\n    I commend that to you as a reform. It doesn't cost a lot of \nmoney, but I think it would have a profound effect on \nperformance and would save a lot of money for agencies over \ntime and make us a lot more effective.\n    Thank you, Mr. Chairman.\n    Mr. Hurd. Thank you, sir.\n    And I failed to spend some time on MGT, so I have a few \nquestions. And, Ms. Weichert, they're probably best for you.\n    The agencies are still planning to present their \nimplementation plans of the MGT working capital fund on the \n27th of March. Is that correct?\n    Ms. Weichert. That is correct.\n    Mr. Hurd. And will you be able to share those with us?\n    Ms. Weichert. So we will be able to share the status on the \nworking capital funds early this summer. So we are actively \nworking with the agencies to understand what specifically their \nneeds are in terms of implementing on that.\n    So we already have a number that are well on the way of \nimplementing it. 
We have identified some challenges related to \ntransfer authorities that we need to work out. And we'll \nactually be coming back to Congress with some thoughts about \nways to streamline what's needed to actually make it work as \nintended in the legislation. But we will be coming back \nimminently.\n    Mr. Hurd. The sooner you come to us on that, we'll do \neverything we can to help, because I think it's important by \nthe end of this fiscal year to have some money deposited in \nthose funds at a handful of agencies to be sure that it's \nworking.\n    Ms. Weichert. We absolutely agree, yes.\n    Mr. Hurd. Mr. Powner, do you think we can do that?\n    Mr. Powner. Definitely, definitely. And we'll continue to \nwork with you. I know that's one of the things we want to focus \non the scorecard, too, as we evolve that, to look at the \nestablishment of those MGT funds and the accountability, who's \nin charge of those and that type of thing.\n    Mr. Hurd. Because if you are able to deposit money in your \nMGT working capital fund, it shows a culture of modernization, \nand I think that's important to monitor and focus on.\n    I'd like to thank our witnesses again for being here today. \nThe hearing record will remain open for 2 weeks for any member \nto submit a written opening statement or questions for the \nrecord.\n    If there's no further business, without objection, the \nsubcommittees stand adjourned.\n    [Whereupon, at 4:26 p.m., the subcommittees were \nadjourned.]\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                 [all]\n</pre></body></html>\n"