[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                               FITARA 8.0

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                               AND REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION
                               __________

                             JUNE 26, 2019
                               __________

                           Serial No. 116-40
                               __________

      Printed for the use of the Committee on Oversight and Reform
      
      


                  Available on: http://www.govinfo.gov
                    http://www.oversight.house.gov or
                        http://www.docs.house.gov
                        
                              ___________

                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
37-281 PDF                 WASHINGTON : 2019                         



                   COMMITTEE ON OVERSIGHT AND REFORM

                 ELIJAH E. CUMMINGS, Maryland, Chairman

Carolyn B. Maloney, New York         Jim Jordan, Ohio, Ranking Minority 
Eleanor Holmes Norton, District of       Member
    Columbia                         Justin Amash, Michigan
Wm. Lacy Clay, Missouri              Paul A. Gosar, Arizona
Stephen F. Lynch, Massachusetts      Virginia Foxx, North Carolina
Jim Cooper, Tennessee                Thomas Massie, Kentucky
Gerald E. Connolly, Virginia         Mark Meadows, North Carolina
Raja Krishnamoorthi, Illinois        Jody B. Hice, Georgia
Jamie Raskin, Maryland               Glenn Grothman, Wisconsin
Harley Rouda, California             James Comer, Kentucky
Katie Hill, California               Michael Cloud, Texas
Debbie Wasserman Schultz, Florida    Bob Gibbs, Ohio
John P. Sarbanes, Maryland           Ralph Norman, South Carolina
Peter Welch, Vermont                 Clay Higgins, Louisiana
Jackie Speier, California            Chip Roy, Texas
Robin L. Kelly, Illinois             Carol D. Miller, West Virginia
Mark DeSaulnier, California          Mark E. Green, Tennessee
Brenda L. Lawrence, Michigan         Kelly Armstrong, North Dakota
Stacey E. Plaskett, Virgin Islands   W. Gregory Steube, Florida
Ro Khanna, California
Jimmy Gomez, California
Alexandria Ocasio-Cortez, New York
Ayanna Pressley, Massachusetts
Rashida Tlaib, Michigan

                     David Rapallo, Staff Director
              Wendy Ginsberg, Subcommittee Staff Director
           Yvette Badu-Nimako, Director of Policy and Counsel
                     Joshua Zucker, Assistant Clerk
               Christopher Hixon, Minority Staff Director

                      Contact Number: 202-225-5051
                                 ------                                

                 Subcommittee on Government Operations

                 Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of   Mark Meadows, North Carolina, 
    Columbia,                            Ranking Minority Member
John Sarbanes, Maryland              Thomas Massie, Kentucky
Jackie Speier, California            Jody Hice, Georgia
Brenda Lawrence, Michigan            Glenn Grothman, Wisconsin
Stacey Plaskett, Virgin Islands      James Comer, Kentucky
Ro Khanna, California                Ralph Norman, South Carolina
Stephen Lynch, Massachusetts         W. Steube, Florida
Jamie Raskin, Maryland



                         C  O  N  T  E  N  T  S

                              ----------                              
Hearing held on June 26, 2019

                               Witnesses

Ms. Suzette Kent, Federal Chief Information Officer, Office of 
  Management and Budget
Oral Statement
Ms. Carol Harris, Director, IT Management Issues, Government 
  Accountability Office
Oral Statement
Mr. Gary Washington, Chief Information Officer, U.S. Department 
  of Agriculture
Oral Statement
Mr. Jason Gray, Chief Information Officer, U.S. Department of 
  Education
Oral Statement
Mr. Eric Olson, Chief Information Officer, U.S. Department of the 
  Treasury
Oral Statement

Written opening statements and statements for the witnesses are 
  available on the U.S. House of Representatives Document 
  Repository at: https://docs.house.gov.


No additional documents were entered into the record during this 
  hearing.

 
                               FITARA 8.0

                              ----------                              


                        Wednesday, June 26, 2019

                   House of Representatives
      Subcommittee on Government Operations
                          Committee on Oversight and Reform
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 4:07 p.m., in 
room 2154, Rayburn House Office Building, Hon. Gerald E. 
Connolly (chairman of the subcommittee) presiding.
    Present: Representatives Connolly, Norton, Khanna, Meadows, 
Massie, Grothman, and Jordan.
    Mr. Connolly. The subcommittee will come to order. And 
without objection, the chair is authorized to declare a recess 
of the committee at any time.
    This subcommittee is convening our eighth biannual hearing 
to assess FITARA, the Federal Information Technology 
Acquisition Reform Act, and other information technology laws.
    I want to recognize our two witnesses on the first panel. 
Very brief--I'm going to recognize myself very briefly for an 
opening statement.
    FITARA, from our point of view, is a tool that can be used 
for change agents within Federal agencies to come into the 21st 
century to make ourselves more efficient, to achieve economies, 
to improve productivity and morale while also better serving 
the American people. Not doing that has huge costs including 
compromising data, big databases that we are charged as the 
Federal Government with protecting. And so after we passed 
FITARA, we wanted to make sure that what happened to FITARA was 
not what happened with Clinger-Cohen, its predecessor law, 
where both authors of the legislation left Congress, and there 
was really nobody who felt they were vested in making sure that 
law did what it was intended to do. We wanted to make sure that 
did not happen.
    And so I think by now it's pretty clear that our committee 
is as committed as ever to insisting on implementation of the 
law. We create a scorecard working with GAO that's designed to 
incentivize that cooperation and that reform so that we can 
achieve all of the valued goal, as I just enunciated. It's not 
designed to burn a scarlet letter on an agency's back or a 
CIO's back. It is designed to be a tool to incentivize change 
for the good. And that's the spirit in which we are going to 
have today's hearing.
    We are glad that there are agencies that are showing steady 
progress. And we believe that there are some agencies that 
would show even more progress had they not fallen back on the 
CIO reporting sequence in the organization chart or if they 
had, in fact, adopted that as a reform. We want to see a 
reporting sequence that makes sure that the chief CIO is 
reporting to the boss. And that's our goal. And you get scored 
on that if you're not doing it.
    So anyway, we're going to get on with the hearing. I want 
to thank everyone for their patience with the House schedule, 
both this subcommittee and the floor votes. Sorry to keep 
everybody waiting, but that was beyond my control or Mr. 
Meadows' control.
    And it now gives me great pleasure to recognize my friend, 
the distinguished ranking member and the former chairman of 
this subcommittee, and my partner in crime, Mr. Meadows.
    Mr. Meadows. Thank you, Mr. Chairman. Thank you for your 
leadership. I'm going to be extremely brief because of the 
lateness of the hour.
    Thank you both for being here. Some of you have made 
recommendations in terms of direct reports on CIOs. I can tell 
you that, having a conversation with NASA, I think they're 
going to address that. And so the bottom line, we're paying 
very close attention to it. We're working in a bipartisan 
fashion. We want everybody to understand the scorecards are 
meaningful to us, and eventually they're going to be meaningful 
to the agencies because we're working to attach dollars both as 
penalties and rewards to that, because I believe that if you're 
getting good responses, you ought to be rewarded.
    I can tell you that I took a visit over to OPM the other 
day. And the way that we're doing Federal benefits is archaic. 
We have got to change that. And I am willing--you know, this 
fiscally conservative Republican is willing to spend money to 
get it done. So this is a critical piece.
    And with that, thank you both for coming to testify. Thank 
all the staff. Listen, I know the work gets done, many times 
without a lot of applause. But I want to applaud everybody 
who's trying to make this work. And I thank the gentleman for 
his leadership on the Connolly Issa bill.
    Mr. Connolly. My friend is too kind, and I thank him.
    So for our first two witnesses, we have Suzette Kent, who 
is the Federal chief information officer from the Office of 
Management and Budget. I think this is your first time before 
us, Ms. Kent; is that correct?
    Ms. Kent. This is my second.
    Mr. Connolly. Second. Okay. Well, welcome back.
    And Carol Harris, who, of course, is the director of IT 
management issues at the Government Accountability Office.
    If you would both rise, please. We swear all of our 
witnesses in here at the committee.
    And if you'd raise your right hands, do you swear or affirm 
that the testimony you're about to give is the truth, the whole 
truth, and nothing but the truth, so help you God?
    Let the record show that both of our witnesses answered in 
the affirmative. Thank you.
    Mr. Connolly. The microphones are sensitive, so please 
speak directly into them. Without objection, your full written 
testimony will be made part of the record, so I would ask you 
to verbally summarize your testimony as best you can within the 
five-minute window. With that, Ms. Kent, over to you.

 STATEMENT OF SUZETTE KENT, FEDERAL CHIEF INFORMATION OFFICER, 
                OFFICE OF MANAGEMENT AND BUDGET

    Ms. Kent. Thank you, Chairman Connolly, Ranking Member 
Meadows, and members of the committee, thank you for having me 
here today. I'm honored to be here to discuss FITARA and 
technology topics that are of vital importance to empowering 
agencies to achieve their missions. As you open, FITARA is more 
than just a law and a scorecard; it serves as a vehicle for how 
we communicate involving priorities and a measure to 
demonstrate progress.
    This administration continues to emphasize the FITARA goals 
through the IT modernization goal in the President's management 
agenda and in the executive order on CIO authorities. Our 
government's ID policies must be as nimble and iterative as the 
global technology industry and the changing nature of the 
threat landscape we're addressing. This intent drove our policy 
updates in 2018 and 2019.
    Some of those policies had not been updated in almost a 
decade. We also sought to update how we measure success, so the 
council provided recommendations to GAO and to this Oversight 
Committee around how we continue to enhance the FITARA 
scorecard and continue to make it meaningful in driving 
progress.
    Additionally, we are focused on making metrics and measures 
data driven, publicly available, and continuous through the 
websites. We made great strides in IT modernization in the last 
two years. I'll highlight a couple of quick examples. 
Increasing adoption of commercial cloud email from 45 percent 
to 72 percent. That's 1.8 million mailboxes now. We closed 150 
enterprise datacenters.
    All 23 civilian CFO act agencies have hit defined targets 
for data exfiltration detection and 21 have met targets on 
mobile device security, and our technology modernization fund 
projects have yielded playbooks and working strategies that can 
be easy--easily replicated to accelerate agency systems 
migrations.
    We've updated policy on high value assets, identity and 
credential and access management, cloud smart, datacenter, and 
delivered for the first time a Federal data strategy with a 
one-year action plan. And in May, various agency CIOs, OMB 
policy leaders, and I met with congressional staff members of 
this and other committees to walk through all of those policy 
updates and how those actually drive progress forward for 
enhancements. The recently released cloud smart strategy is a 
great example of how we remove barriers.
    Three key areas prevented adoption of cloud and 
technologies that were addressed in the update. Security. How 
we move from a perimeter-based model to a data-centric model. 
Procurement. Agencies had to adjust to these new consumption-
based models, and most important, how we address and develop 
the Federal work force to operate effectively in these new 
paradigms.
    It also includes a directive for agencies to develop an 
application rationalization road map. This road map is critical 
and it defines what can move to the cloud and helps inform the 
datacenter needs and helps us define those targets for what 
will be closed.
    The CIO Council has recently released the application 
rationalization playbook to help agencies achieve this task. 
Since datacenter optimization is also important to this 
committee, I'll briefly comment on a couple of pieces of 
division in the new policy. We closely studied the data 
collected under the original memo and working with agencies, we 
identified ways to streamline the closure process and clearly 
identify facility types that will continue to be needed for 
agency mission specific reasons. We included these learnings in 
the updated policy, which does focus on enabling aggressive 
closure with specific targets by agency and ensuring efficient 
operations where datacenters deemed to be a key mission 
facility that's part of that agency's mission.
    Last year when I testified to this committee, I highlighted 
work force challenges and any technology transformation the 
people that are charged with acquiring, deploying, and 
operating in that new environment are ultimately the key to the 
transformation success and we must invest in providing the 
experiences that our work force needs to keep their skills 
relevant.
    Next month we will be celebrating the graduation of our 
first Federal cyber reskilling academy and we will have kicked 
off our second cohort. These initiatives are a way that we're 
investing in our current, dedicated, and qualified Federal 
employees to both enhance their careers, but simultaneously 
address our work force gaps in the technology area.
    As the reskilling model proves itself, we hope to replicate 
it for other skill areas and we endeavor to make this approach 
a standard operating procedure, not just a onetime special 
project.
    So in closing, our continued coordination with Congress is 
key to making government modern, secure, and mission ready. We 
know that the American people expect our Nation to be a world 
leader on every front including technology and cybersecurity.
    In this discussion today, we know that agencies are making 
progress, but modernization and battling cybersecurity threats 
are a continuous journey and there's much more to do. With the 
support of Congress, we will continue to raise the bar in 
agency performance, and overall empower agencies to leverage 
technology to enable their mission, to improve the citizen 
services and be effective stewards of taxpayer money.
    Thank you for the opportunity today, and I look forward to 
answering your questions.
    Mr. Connolly. Thank you, Ms. Kent. And when you go back to 
OMB, you're going to be able to say, I'm the one person in this 
White House who went to a hearing on impeachment and subpoenas 
and nothing like that was discussed at all.
    Ms. Kent. Yes, sir.
    Mr. Connolly. Ms. Harris?

  STATEMENT OF CAROL HARRIS, IT MANAGEMENT ISSUES, GOVERNMENT 
                     ACCOUNTABILITY OFFICE

    Ms. Harris. Chairman Connolly, Ranking Member Meadows, and 
members of the subcommittee. I'd like to thank you and your 
staff for your continued oversight on IT management and 
cybersecurity with this eighth set of grades.
    Overall, five agencies' grades went up, four went down, and 
11 remained the same. HHS and NASA's overall grades were 
lowered because their CIOs no longer report to the head or 
deputy of the agency. This is also the first time in which four 
agencies received two grades, which we prepared at your request 
in response to changes to OMB's datacenter initiative.
    I'd like to briefly comment on this and other selected 
areas of your scorecard. I'll first start with the dashboard 
portfolio stat areas. Thirteen agencies' grades were increased 
by this committee as a way to recognize a significant progress 
made in these areas governmentwide since scorecard 1.0 4 years 
ago. This progress would not have happened to this extent 
without your scorecard in oversight.
    I'll turn to FISMA next, which is now included in the 
scorecard methodology. Its inclusion had a generally negative 
effect as there were 12 agencies with either a D or an F. Only 
one agency, NSF, received an A and four received a B.
    Next, Incremental Development. This area now captures 
projects that are not primarily software development in nature 
such as a non-IT acquisition with the tech component. This 
change, which was previewed in scorecard 7.0 was suggested by 
the CIO Council and makes this area more comprehensive. As a 
result, we saw ten agencies' grades in this area decrease while 
three agencies went up.
    And last, with respect to datacenters, you asked us to show 
a set of overall grades that use the datacenter grades from 7.0 
as well as another set that excluded these grades entirely. If 
datacenter grades were included, HUD and EPA's overall grades 
would increase and VA and SSA's grades would decrease. The 
reason for the two sets of grades relates to OMB's changes to 
its datacenter optimization initiative.
    Among other things, OMB's guidance revises the 
classification of datacenters and datacenter optimization 
metrics. For example, OMB will no longer require agencies to 
maintain inventories of their smaller nontiered datacenters 
which make up about 80 percent of the government's facilities. 
If these changes are implemented as is, the committee will lose 
the ability to track and measure progress in this area since 
the initial scorecard because the baseline for comparison will 
have changed.
    Moreover, the changes will likely slow down or even halt 
important progress agencies should be making to consolidate, 
optimize, and secure their datacenters.
    Mr. Chairman, this concludes my comments on the overall 
scorecard. I look forward to your questions.
    Mr. Connolly. Thank you so much. Let me begin. Ms. Harris, 
we're here to talk about the implementation of a law, correct?
    Ms. Harris. Correct.
    Mr. Connolly. When it comes to datacenters, what is the 
language of the law?
    Ms. Harris. The language says that agencies should have a 
comprehensive datacenter inventory.
    Mr. Connolly. And what's the goal besides an inventory?
    Ms. Harris. The goal is to consolidate.
    Mr. Connolly. Correct. That's the verb. We say I believe in 
the law, consolidation, and optimization, but consolidation 
goes first and it means something presumably other than 
optimization, would you agree----
    Ms. Harris. Yes.
    Mr. Connolly [continuing]. since we use both words?
    Ms. Harris. Yes.
    Mr. Connolly. Ms. Kent, one of the concerns we have, 
although your memo delivered to us on June 25 adds some clarity 
that may be reassuring, but since we got a hearing, our concern 
is that when OMB gives guidance on optimization and exempts 80 
percent of the datacenters from specific inventory plans, you 
are--you're skirting the intent of the law.
    The intent of the law was always to identify how many 
datacenters we had, which was a struggle, and then cut them in 
half and then cut them in half again. That was the goal. It was 
set by your predecessor in the early years of the Obama 
Administration, actually. In those days I think we thought we 
had 1600, and so the goal was initially by the administration 
cut it to 800 and my bill said, no, we're going to do that 
again, cut it to 400. And that's what we put--we didn't put 
that number, but that's--that was what we incorporated into 
FITARA.
    What we discovered was that, of course, what we got really 
good at was identifying more. And so we didn't have 1600, we 
had whatever it was, Ms. Harris, 12,000, 14,000, and so at some 
point we thought, well, good that you're getting better at 
counting, but the goal here is to be more efficient, move to 
the cloud, don't have all these little stovepipes all over the 
place, and I know you share that goal.
    So I want to give you the opportunity to talk about, well, 
what is it that OMB is doing in emphasizing optimization and 
exempting from, sort of, our audit here 80 percent of the 
datacenters that exist because we're afraid that whatever your 
intent, the consequence is we won't capture that and we will 
not effectuate the savings the law was intended to encourage.
    Ms. Kent. Thank you for your question, sir, and the 
opportunity to talk about it. And first statement of intent is 
to comply with the law.
    Mr. Connolly. We are relieved.
    Ms. Kent. You referenced changing various numbers over 
points and time, and that was one of the components of the 
analysis was that there were things that had been included that 
included rate things for printers and weather stations and 
things that weren't necessary--MRI machines weren't actually 
classified as a datacenter, so some of the things are trying to 
address what actually operates as a datacenter and we intend to 
close. And that is very specific in the new guidance.
    But we also understand and very clearly from talking with 
agencies, there are some reasons where we will continue to 
operate a datacenter, a super computer site, something that is 
needed for resiliency, special needs of agencies that we 
believe are very important and we want to ensure those are 
being operated efficiently and securely with the intent of this 
committee.
    But we also found out something else that's included in the 
cloud strategy. One of the barriers to making progress from 
closing those remaining datacenters and the IT dashboard has 
the target, by Fiscal Year for each of the agencies that was 
developed at the agency level, but in some cases, the 
application rationalization work is not complete. So they don't 
have an identified target for whether it's moving to the cloud 
or what we're going to do with it, so that's the part of the 
application rationalization playbook that's included in cloud 
and you will hear some agencies, they've met their target, 
they've done a fantastic job, but other agencies have more work 
to do.
    Mr. Connolly. How long have you worked in government?
    Ms. Kent. Sixteen months today.
    Mr. Connolly. All right. So sometimes with the best of 
intentions and trying to be flexible, we send signals we did 
not intend to send and that's our concern. We don't want a 
rigid, mindless mentality, and you've--everything you said I 
can agree with and I know Mr. Meadows could too, but both of us 
come from private sector backgrounds and I also come from a 
public sector management background and I'm a big believer and 
I think--I know Mr. Meadows is too, in setting metrics because 
that's goal setting.
    So at the end of the day, yes, we want to be flexible, but 
what we felt--and I still do feel, we've got to set metrics. So 
Agency X, we all agree you've got 340 and after some 
consultation and all that, the goal is to reduce a hundred of 
them because the others you need or cut it in half.
    Once we do that, let's set that and hold people to that 
metric and we're willing to work with you on that. What we 
obviously don't want is a circumvention and a dilution of the 
goal and we're nervous optimization gives a lot of wiggle room.
    And it's easy for somebody to say I have 3,420 of them and 
I need every one of them. Every one is precious, and we're not 
going to change a thing. Or wait you out because, after all, 
you've used this weaker word optimization, which doesn't really 
require me to do something specific and so I know that's not 
your intent, but you hear my concern and my experience is, 
sometimes you've got to give very clear direction and set very 
explicit metrics in order to accomplish something.
    Ms. Kent. I hear your concern. I look forward to continuing 
to talk with the committee because I think we are being 
extremely explicit and actually in the opening of the guidance, 
it specifically says, any plans to open new or expand have to 
be approved by OMB as well as the closure intent is part of 
their strategic planning and reporting in the capital planning 
process.
    Mr. Connolly. And as I said at the beginning, I'd be more 
worried but I think your memo of June 25 does, I agree, it's 
reassuring in some ways.
    Ms. Kent. Thank you, sir.
    Mr. Connolly. Not 100 percent, but maybe we're all on the 
same page. So all right. I saw you shake your head in agreement 
about the CIO reporting to the boss and I want to give you an 
opportunity given your title and your position to maybe talk 
about that. I think, again, both Mr. Meadows and I know Mr. 
Hurd if he were here and Ms. Kelly if she were here, our 
experiences, especially in bureaucracies--and I don't mean that 
in a pejorative way, but big, large organizations who you 
report to matters a lot.
    Ms. Kent. Yes, sir.
    Mr. Connolly. If you report to the deputy assistant under 
widget manager in the bowels of the basement, everyone can 
figure that out and it's how fascinating you've got an opinion 
about what I should do with my IT, but I'm going to listen to 
him because he's the assistant secretary or the secretary or 
whatever he is.
    When you report to the boss and everyone knows you report 
to the boss, that carries weight and we want to empower a CIO 
to have that relationship and to carry that kind of weight and 
make those kinds of decisions. I think Ms. Harris indicated 
that in the case of two agencies had they done that, they would 
have had A scores. Is that correct?
    Ms. Harris. Yep. That's correct.
    Mr. Connolly. Yes. So we're missing an opportunity here. 
How can we better encourage that org chart and that hierarchy 
of efficient responsibility so that we're all doing better?
    Ms. Kent. Thank you for the opportunity to comment on that. 
We do share that concern and are very focused on not just the 
reporting relationship from the perspective of reporting to the 
boss, but ensuring that we have technology as a mission enabler 
and they are absolutely clear with the direction from the top 
about what the priorities are and what set out to be 
accomplished by that agency.
    We shared your concerns with the agencies that moved 
backward, we had direct conversations with them as well, and 
appreciate your continued support in emphasizing that both 
through law, through guidance, and through an executive order, 
directives have been issued. We're going to continue those 
conversations and I do believe, though, that in--it's a 
conversation with GAO and some of the scorecard reporting 
relationships, there are agencies who have made recent changes. 
They recognize the intent. I've had opportunity to be with at 
least three of those agencies in conversations with the 
Secretary and the CIO with clarity around priorities, budget, 
and resource needs. So we will continue to focus on it, your 
support in those that moved backward is much appreciated.
    Mr. Connolly. Thank you, and I have overstayed my welcome. 
So I know my friend, Mr. Meadows, has, in fact, directly 
engaged in one of these questions to good effect. Mr. Meadows?
    Mr. Meadows. Mr. Chairman, thank you for continuing to make 
this a priority. I know this is not our first, second, or third 
FITARA hearing. It won't be our last and for both of you, thank 
you for your testimony.
    Obviously Ms. Harris, thank you for continuing with your 
fine folks at GAO to guide us through on what we believe is--
will ultimately be a good tool. I don't know that we're there 
yet. I think my perspective is that it's a work in progress and 
even with the way that we changed the grading just recently to 
make sure that some of the unintended consequences are not 
there.
    So Ms. Kent, one of the areas that we've got to be aware of 
is, as we start to see how agencies game the system, and I say 
game the system in that, you know, it's basically figuring out 
how the scorecard works and how you can either underreport or 
overreport to create a better grade and so we're trying to 
address that.
    Getting back to the point that the chairman made just a few 
minutes ago as it relates to datacenters, so I'll give you the 
cheat sheet. There is nothing more important to him than 
getting rid of datacenters and he can look at all the scores on 
this FITARA scorecard and if you're messing up on datacenters, 
you're going to have a problem. All right? So I just--Ms. 
Harris, would you agree with that?
    Ms. Harris. I would absolutely agree with that.
    Mr. Meadows. And so in doing that, here's what I would ask 
for greater clarification than what we have. The word 
``optimization'' when we look at that, you know, you can 
optimize this and it doesn't necessarily mean that we're 
changing anything and so here's what I would ask is, if you 
could provide this committee with some--and GAO with guidance 
on what optimization actually means. I mean, are we looking at 
70 percent capacity on servers? Are we looking at redundancy of 
X percentage? What does it mean because what it means to one 
agency will be very different than--and, actually, probably, 
should be different for some agencies.
    You certainly want redundancy in some areas of the 
government with greater--with the need for greater reliability 
than others. That being said, we need to define that and make 
sure that Ms. Harris and her team has the proper input.
    One of the concerns is that the quality of the data that we 
continue to get is a hodgepodge, and so I need to make sure 
that that gets prioritized, if you can, and if you're running 
into a problem, here's, I think, the chairman and I would 
agree, you just call us, we'll be glad to raise it to the very 
highest levels within those agencies.
    I know when Ms. Harris the other day mentioned the direct 
report for the NASA administrator, I'm one of the few that have 
had the privilege of knowing the previous NASA administrator 
under the previous administration and thinking incredibly 
highly of him and what he was able to accomplish.
    I also have a personal relationship with the new NASA 
administrator and so I sent him a text and just said, listen, 
this is not good. You're getting dinged on the scorecard. He 
responded back promptly, we're going to take care of it and 
those are the kind of things that I think all of us just want 
to see, is just that willingness to say, golly, we didn't know 
it was a problem, especially when you have a transition from 
administration to administration, but that's the other key 
point, I guess.
    And what I would love to see from you, Ms. Kent, is the 
processes in place that when we change an administration, we 
don't go backward. I think there's a real--and it's not a ding 
on this administration or the prior administration that have, 
you know, been able to deal with FITARA, but it's a real 
problem that we are going to have going forward is the minute 
you get a new political appointee in there, if they don't 
realize that it's a big deal, then we're going to have the same 
thing with somebody that's here for 16 months saying, golly 
gee, I didn't know it was a problem.
    So is that something that you can work with the committee 
in terms of establishing those for us?
    Ms. Kent. Yes, it certainly is. And I appreciate our 
ongoing discussions. The phone call from Members of Congress 
certainly seems to assist in getting action and we would very 
much like to talk through the details on the guidance on what 
we are holding agencies accountable when we say optimization. 
It's some of the things that have been part of the baseline and 
been defined, and I would add one more point on the CIOs. We're 
at a point today as reflected in the scorecard for the first 
time where we have 22 of 24 that are actually permanent and not 
acting, and that is--as you look over the history of the 
scorecard, that's an important accomplishment.
    Mr. Meadows. And that's to be applauded. It truly is.
    Ms. Kent. And it lets us move forward as you have said and 
have some consistency as we go forward, so I do look forward to 
taking those followups back to this committee.
    Mr. Meadows. I yield back.
    Mr. Connolly. I thank my friend and I reiterate his offer. 
Another way of putting it is, he and I are Alphonse Gaston and 
I'm not going to say which is which, but it's all good.
    The gentlelady from the District of Columbia, our friend, 
Eleanor Holmes Norton.
    Ms. Norton. Thank you very much, Mr. Chairman. I think this 
is a timely hearing given what we learn was the state of IT, of 
technology in the Federal Government, how behind the Government 
of the United States was, so I'm interested in how we're doing 
in catching up.
    Now it looks like we made a decent start, 90 million in 
funds allocated during that first year, so the first thing I'd 
want to know since this is so new is, examples of modernization 
projects that have been done. What have you done with the money 
particularly given reductions in appropriations which perhaps 
we could help get if we could have some examples, good examples 
that speak to the public and speak to the Congress about what 
you've done with the pretty good start. You had $90 million in 
the fund I'm interested in is the technology modernization 
fund.
    Ms. Kent. I'd be very excited to share some of those 
successes with you and I'll frame a couple of things. Just in 
the time since the board has started, so a little over a year, 
we looked at over 50--or approximately 50 proposals that would 
have totaled almost $600 million. Now, as you pointed out, we 
only funded a very small set of approximately--that represented 
$90 million and those were projects that had not only agency 
benefit, but all of government benefit and I'd like to tell you 
the--share the success stories of a couple.
    You will hear later from USDA, one of the initiatives that 
they undertook was consolidation of multiple portals for 
farmers.gov to provide enhanced services for things that had 
been spread out and created an environment that was not only 
the most effective from customer service, but from--or farmer 
facing, but from a maintenance perspective, more costly and 
less efficient.
    In the case of HUD, they have eight applications that are 
COBOL applications that are core applications to their mission 
and they brought forward two of those as a pilot to learn both 
the tools, the process, and the playbooks to convert that from 
COBOL to Java and not disrupt the business. And that's a 
really exciting part of what they are achieving is, they've 
been able to take 1.2 million lines of code and convert it and 
not disrupt the business.
    Ms. Norton. Is this a competitive process? Is this based on 
who will cost you less while saving you some money in this 
fund? How do you judge?
    Ms. Kent. That's a great question.
    Ms. Norton. They compete against one another, or how?
    Ms. Kent. So in what was actually laid out in the law, 
there were specific intents--modernization, implementation of 
shared services, work force transformation, large broad scale 
transformation. There was also a very important component that 
the benefits from the initiative could pay back the funds that 
they received, so not every project actually has--and they have 
to pay it back in a very specified timeframe under a definition 
of----
    Ms. Norton. Are they doing that, by the way?
    Ms. Kent. They are doing that. They are doing that. As I 
said, we started a year ago and this is the first time we will 
have money coming back on schedule as planned----
    Ms. Norton. Your appropriations----
    Ms. Kent. I'm sorry?
    Ms. Norton [continuing]. fail, though, tremendously from 
that healthy $100 million in that first year to only $25 
million in 2019, so giving--excuse me?
    Ms. Kent. Yes, ma'am. It certainly has moved.
    Ms. Norton. That's a huge reduction. I'm not sure why, but 
I'd like, since this was supposed to be a full cost recovery 
fund, how does that work and are you concerned about the fund's 
ability to remain solvent?
    Ms. Kent. It is full cost recovery and I appreciate 
Congressman--Chairman Connolly's support for the technology 
modernization fund. We did request additional funds because we 
saw the worthiness of all these projects coming forward and in 
many cases with the agencies and I would invite you to speak 
with our team at USDA in the next panel. The agencies were able 
to accelerate things that they would not be able to do in 
normal course of business and they have a payback plan.
    And one of the other very large benefits that we saw and I 
know that Department of Energy, USDA, HUD, and GSA have shared 
is that it brought the CIO and CFO communities very close 
together because they had to reconcile the spend and the 
payback plan and what the benefits look like in a way that they 
have never been tasked to do before to ensure that it is cost 
recoverable, so we very much appreciate----
    Ms. Norton. Do you think you can remain solvent?
    Ms. Kent. Yes, we can remain solvent with that amount. It 
limits what we can do----
    Ms. Norton. I see.
    Ms. Kent [continuing]. and the projects we can--we 
absolutely have the plan for solvency, but it limits the number 
of projects and the acceleration of modernization that we can 
do going forward.
    Ms. Norton. That's my concern, Mr. Chairman. Thank you very 
much.
    Mr. Connolly. Thank you.
    And if I could, just before I call on you, Mr. Grothman, if 
I may, just quick, Ms. Harris, the fund that Ms. Kent and Ms. 
Norton were just talking about Congress created. Originally we 
had pretty large amounts of money in mind. That got whittled 
down and whittled down and whittled down in order to be able to 
sell the idea of the authorization.
    Do you believe that we have critical mass that this fund as 
currently funded is viable or, put differently, can actually 
make a difference, be the catalyst we intended it to be for 
people to retire legacy systems?
    Ms. Harris. I don't believe so, Mr. Chairman. With fewer 
funds to award, the TMF cannot recover as much in their 
administrative fees. So when Ms. Norton is asking about 
solvency, we have preliminary analysis that shows that the 
office's operating cost through Fiscal Year 2020 will exceed 
the administrative fees to be collected from these awarded 
projects. So our suggestion and--is for the TMF fund to be 
fully funded at that $438 million level to continue the good 
work that Ms. Kent is elaborating on.
    Mr. Connolly. I think that this is something we can find 
some common ground on, and we need to work in the next budget 
cycle hopefully together so we have a number we can all agree 
on that is meaningful, gives us the criticality we need, and 
that can incentivize agencies to do the very thing you were 
describing, Ms. Kent.
    And finally, just both of you, on--I know this is on behalf 
of Mr. Hurd as well as all of us, but one of the things we 
encountered was agencies saying, well, we're creating a fund 
within our agency to be able to capture the savings effectuated 
in FITARA, but our lawyers are telling us we can't use them, we 
can't put money in them because that's an appropriations 
function.
    Now, some agencies I don't think seem to have that problem 
but others do. Just real quickly, do you both believe that we 
need to fix that legislatively, or can that be done 
administratively with guidance from OMB?
    Ms. Kent. We believe in some of the cases it has to be 
fixed legislatively and there is wording proposed at the 
committee level. We had proposed some blanket language that 
would apply to all agencies. That has been turned down multiple 
times. So we have gone very specifically to individual 
agencies, and in some cases, through those committees, that has 
been approved.
    We have some requests and Education is one of those 
directly at the committee level for various technical 
enablement of those funds for agencies who don't have a similar 
vehicle or need to fund or operate out of that working capital 
account.
    Mr. Connolly. Ms. Harris.
    Ms. Harris. Mr. Chairman, I think----
    Mr. Connolly. Could you speak up?
    Ms. Harris. Yes. Mr. Chairman, when MGT was passed, I mean, 
the intent was that that transfer authority would be there. So 
while I'm not a lawyer, it kind of boggles the mind that you 
would need additional legislation in order to offer that 
transfer authority so that MGT could be----
    Mr. Connolly. I know Mr. Hurd would share your view and so 
do I. And I don't speak for Mr. Meadows, but he's here. He can 
speak for himself. But our view is the law is the law. We 
passed the law. It's quite clear what the intent is. And to 
have a sudden hurdle from inside agency attorneys saying, well, 
no, you can't do that, certainly thwarts the intent of the law, 
that that may not be their purpose but that's the effect. And 
so we will do what we have to do, but we would share, I think, 
your initial reaction, Ms. Harris.
    Mr. Meadows, did you want to comment on that?
    Mr. Meadows. Well, I just agree. And what I'd like to do----
    Mr. Connolly. You do agree?
    Mr. Meadows. I do agree.
    Mr. Connolly. Yes.
    Mr. Meadows. And, Ms. Kent, what I would like to do--I 
think congressional intent was clear. I think general counsels 
in different agencies maybe are a little unclear in what we 
believe we were clear about. And so in doing that some guidance 
I think would go a long way, and if we need to do a little 
research and a little push on our end to support that, I'm 
willing to do that.
    Ms. Kent. I'd be happy to share the specific examples with 
you and appreciate your support.
    Mr. Connolly. Yep. That would be very helpful. I thank my 
friend.
    Mr. Khanna, the gentleman from California.
    Mr. Khanna. Thank you. Well, first, Chairman Connolly, I 
want to recognize your leadership for having the FITARA 
guidelines become law and really bring some accountability to 
technology in government. And I want to recognize our ranking 
member, Representative Meadows, for also his understanding on 
technology.
    You know, I represent Silicon Valley, and probably the 
biggest thing that surprised me when I got to Congress is some 
of the technological illiteracy in this place. There was one 
hearing, I'm not going to mention the Member, who held up 
his iPhone and started berating the Google CEO telling him how 
he couldn't track the iPhone. And the Google CEO was patiently 
explaining that Apple made the iPhone.
    I appreciate, Ms. Kent, your leadership coming from a 
technology background. When I'm pressed to say what part of the 
administration I liked, I often cite you and Matt Lira. And I 
appreciated your work on the IDEA Act, which coincides with 
FITARA and was bipartisan legislation that we all passed. And I 
would like to know what is the status of the implementation 
guidelines for that legislation?
    Ms. Kent. Thank you for your question, sir, and thank you 
for your kind comments. I'd very much like to tell you about 
where we are with the IDEA Act, and I was honored to be there 
with you when that was signed at the end of the year.
    Our immediate action with all of the agencies was to take 
the specific items that were laid out in the IDEA Act and 
determine both the timeline and what things needed to be done 
centrally and what things needed to be done by the agency 
specifically.
    We met with the agencies and outlined those pieces. Some 
components were actually part of work that was already 
underway, things like the inventory that you required and the 
definition or the intent for a plan for how those would be 
handled. I know that the report for digital signature 
acceptance has just come in.
    So we aligned those things with what was already in place. 
We also had some items that you will see in some of the budget 
requests that are coming forward that has to do with those 
forward implementation plans. And we look to do those in the 
future.
    I would share one really interesting outcome of the IDEA 
Act. In inventorying the websites and determining a plan 
forward, it was very enlightening because many of the agencies 
said we need to consolidate this set of websites. So we 
actually looked at them from priority and a user-centered 
approach of what was highly used, what was highly valued. And 
then those things that didn't have the user traffic, wasn't 
delivering specific services, other reasons, we're actually 
pursuing a plan to consolidate and close those.
    So we are moving forward with many aspects of the 
implementation, they are included in the activities going on 
now. And there are some pieces for which agencies needed 
additional resources, and you'll see those reflected in their 
2020 budgets.
    Mr. Khanna. Great. Let me ask you one final open-ended 
question. I don't think anyone on the committee would disagree 
that the U.S. Government is the most powerful institution 
created in human history. And it was the U.S. Government 
actually that helped fund a lot of Silicon Valley. And so it's 
mind boggling to me that this incredibly powerful institution has 
technology platforms or acquisition platforms that aren't up to 
now what many companies do in Silicon Valley.
    What do you think Congress can do in supporting FITARA and 
the IDEA Act to help continue to get us to a place where the 
U.S. Government should be the model for innovation?
    Ms. Kent. Your question actually aligns with part of the 
reason that I'm here and actually believing that same thing, 
that we should have the capabilities in the Federal Government 
that are available across many other industries and set the 
basis of expectations for our citizens.
    So when we talk about particularly modernization and 
cybersecurity as part of the FITARA Act those are the key 
components of how we actually make this transformation. 
Elements of the IDEA Act give us a prioritization to be able to 
actually take action and shut down and close the websites and 
rethink how we deliver services.
    The connected government and delivering mobile and digital 
services help make those things a priority. Those signals both 
through the FITARA scorecard and specific legislation are 
helpful. I would also say though when you look across at the 
agency activity for IT budgets we do--and it's--this committee 
has talked about it frequently--we spend quite a bit on 
maintenance of those legacy systems.
    So tools like the Technology Modernization Fund and 
modernization initiatives that are outside of that basic 
maintenance helps us drive faster and gives us a way--otherwise 
agencies are moving in small increments for what they can 
divert out of that maintenance path, and that's not a good 
solution either.
    Mr. Khanna. Thank you.
    Mr. Connolly. I thank the gentleman.
    And now the gentleman from Wisconsin, Mr. Grothman.
    Mr. Grothman. Thank you.
    And I'd like to thank both of you for coming over here. I 
know you have such a busy day, but I know it's something 
Congress has been waiting for, so thanks for coming over.
    Health and Human Services and NASA changed their reporting 
structures, right, so that the CIOs no longer report directly 
to the head or even the deputy head of the agency. Can you 
comment as to why that was done and what your general opinion 
of it is?
    Ms. Kent. I can comment from my conversations regarding 
that. I would direct you specifically to the agency heads as to 
why they made that decision. You know, what NASA shared had 
decisions that were not necessarily related to the activities 
of the CIO. I think that's in conflict with what we expected. 
And as you may have seen in the HHS side they had lots of 
different moves going on at the time. I am continuing my 
conversation with them regarding that approach.
    Mr. Grothman. It just seems odd.
    Ms. Kent. And we agree, and that is not the intent. So we 
will continue the conversations until we are back in a place 
that is reflective of what is expected.
    Mr. Grothman. Okay. Ms. Harris?
    Ms. Harris. I mean, the only thing I would add, sir, is in 
the case of HHS that reporting relationship was not codified in 
their policy. So at the time the acting CIO also was dual 
hatted as the acting chief or the chief technology officer, and 
so in that role as a chief technology officer he had that 
direct reporting relationship to the Secretary. And so when he 
put on the hat of CIO he also had that relationship to the 
Secretary.
    But since he has now vacated that CIO position because that 
relationship wasn't codified in policy it went away, and so 
that really drives the important point that this relationship 
needs to be set in stone in policy so that we can maintain that 
continuity regardless of who is in the office.
    Mr. Grothman. Okay. Let me give you kind of a broad-based 
question here. From your perspective--first of all, how long 
have you both had your positions? I should know that and I 
don't.
    Ms. Kent. Sorry. Could you repeat the question?
    Mr. Grothman. How long have you had your position?
    Ms. Kent. Sixteen months.
    Ms. Harris. Since 2012.
    Mr. Grothman. Okay. From your perspective what worries you 
the most about IT management, say the last six months?
    Anything?
    Maybe nothing. It runs like a clock.
    Ms. Harris. I think from my perspective when you take a 
look at the spend of the $90 billion each year on IT, 80 
percent of that spend is on legacy IT. We need to focus on 
decreasing that number and reinvesting that money into 
modernizing our aging systems.
    Mr. Grothman. It's kind of a shocking number, isn't it?
    Ms. Harris. Yes.
    Mr. Grothman. If it was done right, how much do you think 
you could save?
    Ms. Kent. It is. And I think I just commented on 
modernization that reflects a similar view. I would also state 
that when you look at our entire set of modernization goals, 
both transformation of the legacy systems and the ability to 
sustain current environment while you're making that 
transformation and then continued focus, you said, you know, 
what are the priorities, it is always cyber, and ensuring that 
we are prioritizing our activities there based on the changing 
nature of the threat environment and where we see that volume 
and where we see those types of threats and ensuring that we 
are prioritizing that.
    So when the majority of an agency budget goes to 
maintaining status quo that means that agency CIOs have to be 
incredibly crystal clear on the priority for those funds and 
their internal resources that are focused on the transformation 
in cybersecurity.
    Mr. Grothman. When we talk about legacy systems what 
percent of the systems that you're familiar with--I mean, you 
said how much more money we're spending on the legacy systems, 
but what percent of this--even compared to the private sector, 
and you must deal with that somewhat, what percent do you think 
we have in the government you'd call up to date or the same 
type of systems you'd find in a modern American corporation?
    Ms. Harris. Sir, we don't have that information. We have 
not done work to look at the percentage of what's legacy and 
what's development in the private sector. So I wish I could 
answer it, but I don't have that information.
    Mr. Grothman. You guys, can I ask one more question?
    Mr. Connolly. Of course.
    Mr. Grothman. That's a surprising answer. I feel I've got 
to ask another question. Do you ever look into and see, you 
know, compare like where you are compared to major American 
corporations, you'd have people begin to work with you and say, 
holy cow, I can't believe you still have this stuff sitting 
around here? Does that thing ever go on? Or do you have people 
leave your organization to the private sector and say, hey, 
wow, you want--you can't believe what I found out here? There's 
no comparison or no looking around or no comparing? You don't 
do that?
    Ms. Kent. I would comment, I don't know that there's an 
exact number, a comparison per se to a single sector, but I 
would mention two things that we are looking at. One of the 
policies that we've used as a driver and a filter for how we 
prioritize legacy system transformation as well as website 
transformation has been high-value assets and looking at those 
things that are of critical importance to agencies and insider 
infrastructure and ensuring that we put resources there first.
    The other thing that we've done is from a customer 
experience perspective actually looked at the citizens that 
we're serving and had dialogs around what they expect. And that 
actually does give a comparison in many cases across industry 
because their expectations are set on what they experience in 
their normal lives, whether it's from their financial 
institution or a retail business that they're shopping with.
    So we have used that user-centered design and customer 
expectations to drive back into the way that we are looking at 
delivering services, both from a digital and mobile capability 
standpoint.
    Mr. Grothman. Okay. Well, again, thanks. Thanks for coming 
over here. I appreciate the chair letting me take so much of 
other people's time.
    Mr. Connolly. Not at all. Thank you, Mr. Grothman.
    And, Mr. Grothman, if I may followup on your question, I 
think we could afford, Ms. Harris, to be a little more 
forthright. I think you're letting yourself off the hook a 
little bit by saying, I don't know, I mean, I'm not in the 
private sector. I mean, there are things we do know.
    For example, I always ask--and you probably do too, Mr. 
Meadows--when I speak to a private sector group, it's a trick 
question. I go, well, how many CIOs do you have? And they 
always look at you no matter how big they are like what a 
trick--well, what do you mean? We have one. Well, how many does 
the Federal Government have?
    When we began FITARA with 24 agencies we had 250 people 
with the title CIO, and that means no one is in charge, no one 
can be held accountable, nobody is exactly responsible. And 
that's a big difference, I would say, Mr. Grothman, between the 
private sector and the public sector where we can learn from 
the private sector.
    Likewise, we were celebrating a little while ago the 
transition from COBOL. I can't think of a private sector 
company that still has COBOL, let alone would be celebrating in 
2019 the transition from it to something else. So I think there 
are some things that we clearly can observe and learn from and 
benefit from in the private sector. Moving to the cloud is 
another one.
    So it is instructive, and hopefully we cannot necessarily 
entirely mimic the private sector, but there's a lot of 
management practices we could learn from. And having the CIO 
report directly to the Secretary of the agency is also 
something quite common in the private sector. The CIO is not 
buried in the bowels of the organization, somebody who is a key 
part of the management team, because everyone understands the 
key role of IT in the enterprise.
    Ms. Harris. Yes.
    Mr. Connolly. Well, I want to thank you both so much for 
coming. We're going to continue this dialog. I am pleased, Ms. 
Harris, that MeriTalk did a study--a survey rather of 200 CIOs 
mostly in the public sector, and they found that 70 percent 
said that FITARA was, in fact, from their point of view, a 
useful kind of nudge for change within the agencies, and that's 
kind of good to hear. And I see you shaking your head. Would 
you confirm that yourself or----
    Ms. Harris. Well, I think that's very encouraging because I 
will say that the progress that has been made since the 
inception of the score--well, the FITARA but then also with 
your continued oversight with the scorecard 1.0 now to 8.0 how 
it has evolved and how it has kind of raised the level of 
improvements across the board has been tremendous from 
transparency in the dashboard to portfolio stats in the 
savings. It's all, you know, because of the tremendous 
oversight from your committee.
    Mr. Connolly. Well, we want to thank GAO also for always 
being innovative in looking at how best we can make that 
scorecard a useful tool. So thank you and to your colleagues.
    Mr. Meadows.
    Mr. Meadows. I just want to make one point. The staff just 
let me know when we look at the transition fund, you know, it 
passed the House today with only 35 million. And when we look 
at this it's--you know, we may represent two different District 
11s, but we are together on this particular issue, and so what 
we need to do is work in a bipartisan way to get that up to a 
number that actually is meaningful. Thirty-five million sadly 
is a rounding error when it comes to addressing this problem.
    Mr. Connolly. I'm so glad you brought that up, Mr. Meadows, 
because I had an amendment to add $15 million to that $35 
million to just get a respectable number. And unfortunately 
that was not ruled in order. It was subject to a point of order 
up in Rules, so we were not able to do it.
    Mr. Meadows. You have better connections with the Speaker 
than I do.
    Mr. Connolly. But we will work on it together.
    Thank you both so much for being here today. And, Ms. 
Harris, I promised you'd make your plane. You're going to make 
your plane.
    Thank you.
    Ms. Harris. Thank you.
    Ms. Kent. Thank you.
    Mr. Connolly. And now we're ready for our second panel: 
Gary Washington, Chief Information Officer of the United States 
Department of Agriculture; Jason Gray, Chief Information 
Officer of the United States Department of Education; and Eric 
Olson, Chief Information Officer from the Department of 
Treasury.
    If you would stand and raise your right hand, we'll be 
sworn in. Thank you. Do you swear or affirm that the testimony 
you're about to give is the truth, the whole truth, and nothing 
but the truth, so help you God?
    I thank you. And let the record show that our witnesses 
answered in the affirmative.
    The microphones, as I said, are sensitive, so if you can 
speak directly into them like I'm doing, you can be heard. 
Everybody has five minutes to summarize their testimony. Your 
full statement will be entered into the record as 
submitted.
    And, Mr. Washington, why don't we begin with you and your 
five-minute statement. Welcome.

 STATEMENT OF GARY WASHINGTON, CHIEF INFORMATION OFFICER, U.S. 
                   DEPARTMENT OF AGRICULTURE

    Mr. Washington. Thank you, Chairman Connolly, Ranking 
Member Meadows, and the members of the subcommittee for the 
opportunity to update you today on the United States Department 
of Agriculture's progress on implementation of FITARA. I am 
Gary Washington, the Chief Information Officer of USDA. I would 
also like to thank you for your ongoing support and commitment 
to improve information technology management across the Federal 
Government.
    Secretary Perdue's vision is to make USDA the most 
efficient, effective, customer focused, and best managed 
department in the Federal Government. Central to that goal is 
focusing on enterprise-based approaches to management and 
decision-making. We have taken many steps to achieve that goal 
including the implementation of the FITARA Information 
Technology Management Maturity Model, and we continue to make 
progress.
    As evidenced by the latest FITARA scorecard and the 
progress we have made over the past year, I am pleased that 
USDA has moved up an entire letter grade on the scorecard, and 
I hope that we will be doing as well or better than our friends 
here at Department of Education next year.
    I know we have a lot further to go, but every day I am 
seeing the positive impact that FITARA has on our Department, 
and I would like to discuss some of that progress today. Since 
my last appearance before the subcommittee, USDA partnered with 
the White House Office of American Innovation and the General 
Services Administration Center of Excellence to improve the 
management of information technology at USDA.
    This effort accelerated IT modernization across the 
Department, improving leadership alignment, quality, and 
efficiency of IT, including decreasing the number of chief 
information officers, CIOs, from 22 to one, closing 28 to 39 
data centers resulting in a cost savings and avoidance of $42.1 
million and closing 2,255 data centers overall.
    We have enrolled 13 agencies into USDA cloud program 
resulting in a net cost avoidance of $12.1 million, improving 
our MEGABYTE score from an F to an A on the 7.0 scorecard by 
implementing a number of effective processes and procedures to 
improve software management.
    We've also petitioned our existing working capital fund to 
receive technology modernization funding and making significant 
improvements in cybersecurity with 96 percent of USDA systems 
having authorities to operate as opposed to 74 percent in 
Fiscal Year 2017.
    Additionally, end-user equipment and hardware will be 
centrally managed by the Office of Chief Information Officer 
using an IT service management system with asset management as 
a core function. We will onboard the inventory for all the USDA 
mission areas and offices as part of an enterprise end-user 
consolidation initiative scheduled to be completed by the end 
of Fiscal Year 2020.
    And our Digital Infrastructure Services Center will be 
responsible for the central inventory and management of all 
infrastructure components of USDA, which includes network and 
system hosting. The system hosting would be accomplished by the 
end of Fiscal Year 2020 through the Data Center Optimization 
Initiative and Cloud Adoption Centers of Excellence.
    The network transition to the new General Services 
Administration enterprise infrastructure solutions contract 
will ensure accurate inventory of our network infrastructure. I 
would like to emphasize the strong engagement and support for 
those efforts from our USDA leadership, namely the secretary 
and deputy secretary who I report directly to on IT matters. I 
believe we have an effective reporting structure and 
involvement in IT management and modernization issues at the 
highest level.
    In closing, USDA has consistently proven itself as a leader 
in embracing FITARA. We want to continue to implement FITARA 
across USDA and integrate it into our daily processes and IT 
modernization activities even further than we have today. We 
recognize there is more work to be done, and we continue to 
tackle those challenges.
    I truly appreciate the attention the committee has brought 
to this issue and your ongoing support of our efforts to change 
the way the Federal Government thinks about and manages IT.
    I look forward to answering any questions you may have. 
Thank you.
    Mr. Connolly. Thank you, Mr. Washington.
    Mr. Gray.

                    STATEMENT OF JASON GRAY


    Mr. Gray. Thank you, Chairman Connolly, Ranking Member 
Meadows, and members of the subcommittee for this opportunity 
to talk about the progress the U.S. Department of Education has 
made in implementing the Federal Information Technology 
Acquisition Reform Act.
    I recognize the great privilege and honor of being invited 
to appear here today. Never in my life could I have imagined 
having opportunities I've had to speak before the U.S. 
Congress. Thank you.
    I'd also like to thank you for your continued commitment to 
improving information technology management. My responsibility 
is to ensure the availability of IT with appropriate controls 
and to ensure the integrity in how we use it. Under the 
leadership of Secretary DeVos and in collaboration with the 
Office of Federal Student Aid and my office, we have achieved a 
number of improvements in recent years.
    Mr. Gray. There are two areas that I would like to 
highlight today. Cybersecurity is one focus area of FITARA, 
which encourages agencies to proactively address cybersecurity 
risk and compliance with the Federal Information Security 
Modernization Act.
    To address the cybersecurity challenge, OCIO developed our 
own cybersecurity risk scorecard based on the National 
Institute of Standards and Technology cybersecurity framework. 
The implementation of a scorecard improved our focus and 
alignment with OMB requirements for sound risk management 
practices for protecting our systems and networks.
    The scorecard also provided a specific path for the 
Department system owners and security officers to identify, 
prioritize, and mitigate risks. From September 2018 to June 
2019, the Department has mitigated and closed over 2,300 plans 
of actions and milestones representing a 72 percent reduction 
in vulnerabilities in the Department systems.
    We use the scorecard to provide monthly briefings to the 
secretary, deputy secretary, and senior leaders. With their 
support and with the hard work of our system and security 
personnel, we were able to raise our FITARA security score two 
letter grades to a C in December 2018. The Department, along 
with the majority of its peers, started with a FITARA 
cybersecurity score of F in 2018.
    Another area of focus is IT modernization, which is in line 
with the Department's focus on creating and managing a more 
modern and secure IT environment and is consistent with the 
themes and principles outlined in the cross-agency priority 
goal on IT modernization found in the President's management 
agenda.
    In 2017, we began an exhaustive review of our IT portfolio 
to ensure that IT systems, applications, and services are 
secure, appropriately governed, and modernized to meet the 
needs of today's economy with an eye toward tomorrow's 
opportunities.
    To this end, OCIO worked with key stakeholders across the 
agency and industry experts to complete a comprehensive 
analysis of our business missions and the IT assets supporting 
them. As a result of those efforts, we developed a detailed 
visualization or map of the Department's IT inventory, which we 
analyzed to determine the Department's needs and to build our 
five-year IT modernization plan and strategic road map.
    The effort provides greater transparency across the 
Department enabling us to work with business owners, to 
identify opportunities, to leverage shared and cloud services, 
automate manual business processes, reduce cybersecurity risk, 
and consolidate cloud service providers. We are working with 
the Office of Management and Budget and Congress to obtain 
appropriations language that would allow us to transfer funds 
to a working capital fund, which would support the Department's 
future modernization initiatives and accomplish the goals and 
objectives of the Modernizing Government Technology Act.
    We requested this transfer authority in the Fiscal Year 
2020 budget, and the Treasury Department has committed to 
activating an account for the Department once the transfer 
authority has been granted by Congress.
    I recognize our areas for improvement, we must continually 
monitor and assess our IT management and service delivery 
practices and policies. We are taking actions in areas where we 
are not fully meeting our milestones.
    One such area is CIO and CAO collaboration on the review 
and approval of acquisition strategies and plans. OCIO is 
partnering with contracts and acquisition management to 
establish touch points between the IT life cycle management 
process and the acquisitions process to ensure the CIO has the 
opportunity to review and approve all acquisition strategies 
and plans that contain IT.
    Secretary DeVos and the Department take FITARA 
implementation seriously, we believe our progress demonstrates 
that. Thank you for your time today, and I look forward to 
responding to your questions.
    Mr. Connolly. Thank you so much, Mr. Gray.
    Mr. Olson.

   STATEMENT OF ERIC OLSON, CHIEF INFORMATION OFFICER, U.S. 
                   DEPARTMENT OF THE TREASURY

    Mr. Olson. Thank you, Chairman Connolly, Ranking Member 
Meadows, and members of the subcommittee for the opportunity to 
testify on Treasury's implementation of FITARA. My name is Eric 
Olson and it is my honor and privilege to serve as the chief 
information officer for the U.S. Department of the Treasury.
    Information technology is at the core of what Treasury 
does. We represent the third largest civilian agency in terms 
of overall IT budget, and plan to spend approximately 4.8 
billion on IT in Fiscal Year 2019.
    Managing a large IT portfolio with the scale and complexity 
of Treasury is a very challenging endeavor, and we are grateful 
for the financial and human resources we have been provided to 
accomplish our mission. We recognize our responsibility for the 
stewardship of these resources, and we take this responsibility 
very seriously. We appreciate that FITARA was enacted to assist 
us to perform this responsibility.
    Our key guiding principle for modernization is to drive the 
greatest amount of resources toward mission enablement and 
digital transformation. This requires pursuing enterprise 
initiatives and shared services so that we can reduce 
duplication and leverage economies of scale. At the same time, 
we encourage our bureaus to focus on transforming mission 
outcomes by adopting practices from the private sector that 
have proven successful in delivering digital transformation, 
such as cloud-based services, agile development, and low code 
platforms.
    I would like to briefly summarize some of our recent 
accomplishments and how they fit into the larger approach for 
Treasury IT modernization. On the heels of Congress' enactment 
of the Tax Cuts and Jobs Act, the IRS recently completed a 
successful tax filing season that was enabled in large part by 
the successful delivery of one of the largest and most complex 
IT implementations ever undertaken by the Treasury Department.
    Implementation of tax reform required the modification of 
hundreds of applications across the IRS and the Bureau of 
Fiscal Service. This recent accomplishment demonstrates 
Treasury's ability to deliver change at scale on an accelerated 
timeframe. Treasury continues its pursuit of enterprise-wide 
services. Recently Treasury delivered an expansive upgrade to 
its enterprise HR system, an enterprise-wide service that 
supports the nearly 100,000 Treasury employees.
    Treasury is also in the process of implementing a cloud-
based talent management system that will deliver a common 
platform for employee training, performance management, and 
succession planning. These initiatives demonstrate Treasury's 
ability to use its franchise fund to achieve some of the 
benefits of what an IT working capital fund might achieve.
    In addition to the successes I mentioned earlier, I would 
like to report on how Treasury is implementing FITARA. In some 
areas of the FITARA scorecard Treasury has scored well, for 
example, data center consolidation and portfolio review. We have 
worked hard in these areas and we are proud of our results. In 
other areas, although we have worked hard, we recognize there 
is room for improvement.
    FITARA recognizes the importance of agency CIOs having a 
substantial role in agency IT decisions. I meet regularly with 
Secretary Mnuchin on major IT investments, cybersecurity risk, 
and opportunities to pursue Treasury-wide initiatives. I 
believe this increased engagement with Treasury senior 
leadership has produced notable results in the delivery of the 
IRS modernization plan and the delivery of technology to 
support tax reform, among other things.
    On cybersecurity, we fully appreciate the threat posed by 
well-resourced and highly motivated adversaries and are 
committed to mitigating risk posed by such actors. While we 
cannot completely eliminate risk, we acknowledge our supreme 
responsibility to proactively address cybersecurity risk to the 
greatest degree possible. Toward that end, we operate a 
comprehensive cybersecurity program focused on risk mitigation. 
Our strategy is to make investments in capabilities that 
materially reduce our risk and reduce the cost of our 
compliance.
    We are grateful to Congress for the support of our 
cybersecurity enhancement account, which is focused on 
identifying and funding projects that have the greatest 
Treasury-wide impact in these and other important areas.
    In closing, we recognize and embrace our responsibility to 
be a good steward of IT resources. We understand and embrace 
the language intended in FITARA. We share the common goal of 
Treasury IT modernization. And we value the collaboration with 
Congress to jointly achieve these goals.
    Thank you, once again, for the opportunity to testify 
today.
    Mr. Connolly. Thank you, Mr. Olson.
    Ms. Harris, did you want to comment? And I'm sorry if I led 
you astray, I was simply reassuring you, you're going to make 
your flight at 10 o'clock.
    Ms. Harris. I see. I apologize for----
    Mr. Connolly. No, forgive me if I misled.
    Ms. Harris. Mr. Chairman, Ranking Member Meadows, I'll now 
turn my comments to the Departments of Agriculture, Education, 
and Treasury. These agencies collectively plan to spend $7.5 
billion on IT this year, for each of them, roughly 80 percent 
of their IT spend is on operational systems. Both USDA and 
Treasury have an overall C-grade on this scorecard, while 
Education is at a B+. Education has also sustained this overall 
B+ grade over the last four scorecards.
    Some positive areas to highlight for all three, the vast 
majority of their IT projects use an incremental approach. They 
also have comprehensive software license inventories and use 
them to make decisions and save money. USDA and Treasury have 
also closed more than 50 percent of their total data centers 
and exceeded their savings goals. Education closed all of their 
data centers and moved to the cloud years ago.
    For all three agencies, the progress to improve their IG 
assessments of cybersecurity is rather low. In the case of USDA 
and Treasury, they also self-reported low numbers in meeting 
OMB's 10 cyber metrics. The combination of the two is a reason 
for their low grades in this area. Education, on the other 
hand, self-reported meeting all 10 of OMB's cyber metrics, and 
as a result, raised their grade in this area to a C. I'd also 
like to note that if USDA and Treasury CIOs reported to the 
head of their agencies, their overall grade would increase to a 
B.
    Mr. Chairman, this concludes my comments on the results of 
these three agencies.
    Mr. Connolly. I thank you. Thank you so much. And it is 
heartening to hear the progress. I would just say, and you can 
confirm this, Mr. Gray. As I understand it, you now have zero 
data centers?
    Mr. Gray. That is correct.
    Mr. Connolly. And that you went from paying $12 per 
gigabyte of storage to a few cents?
    Mr. Gray. Actually, sir, we are currently focused on 
transition--or doing cloud consolidation, and we recently 
within the last three months transitioned from $1.43 per 
gigabyte to $0.12 a gigabyte.
    Mr. Connolly. So there are savings to be had in data center 
consolidation and moving to the cloud?
    Mr. Gray. Yes. Yes, Mr. Chairman. I think you're a poster 
child for doing that, and I thank you.
    Mr. Connolly. Let me ask, Ms. Harris, GAO looked at best 
practices, and you identified FITARA requirements, one of which 
was--in order to get to best practices, obtains support from 
senior leadership.
    Would it be fair to say that all three of the agencies in 
front of us have achieved that?
    Ms. Harris. Well, sir, I think in the case of Education 
that's clearly the case because of Mr. Gray's direct reporting 
to the Secretary. In the case of USDA and Treasury, that direct 
reporting is not as clear-cut. So I would say that in those two 
cases that senior leadership support may not be as clear as 
Education's.
    Mr. Connolly. And I think that's really particularly 
important in your case, Mr. Washington, because Secretary 
Perdue has offered himself up as the pilot for the innovation 
agenda that Mr. Kushner and Chris Liddell are organizing at the 
White House. And if you're going to do that, the model here is 
the CIO has got to report to the boss. There's kind of no 
getting around that, and it is the desired goal and objective 
of FITARA, it's in our scorecard, and it is part of best 
practices GAO established.
    The second is--and you can comment on that if you wish. I'm 
sorry, I didn't mean to not let you comment.
    Mr. Washington. Thank you, Mr. Chairman. I have all the 
access--I have an extreme amount of access to the Secretary and 
the deputy secretary, and I frequently meet with the deputy 
secretary and speak with him about matters----
    Mr. Connolly. But if I may, Mr. Washington. That's good, 
but that could be personal.
    Mr. Washington. Yes, sir.
    Mr. Connolly. We're talking about an organizational chart 
where you have the right to go in that office because you 
report to him or her. And if the bureaucracy doesn't see that, 
it diminishes your power or your successor's power. Power, 
influence, the ability to make change get enforced because 
everyone understands you've got the ear's boss--I mean, the 
boss's ear. You know, that works in the private sector.
    If I know, in the private sector, somebody has the ear of 
the CEO, so when he or she calls me, I know who that is, 
believe me, I'm paying attention and following up on that as a 
priority. And so I think that's really what we're getting at. 
It has to show on the organizational chart. It's great you have 
access, but your successor may not. And we want to 
institutionalize this in the formal structure of the 
organization.
    And, Mr. Olson, you indicated that you have access to Mr. 
Mnuchin, but again, the same thing, is it not that we haven't 
institutionalized this, though, so that your successors and his 
successors will have the same kind of relationship?
    Mr. Olson. Sir, if I could elaborate a little bit on the 
arrangement. So by Treasury policy, I do have a direct 
reporting relationship to Secretary Mnuchin on all CIO matters. 
I do also have an operational relationship to the secretary for 
management, and I think that is sort of the element that is 
causing some confusion or some concern here.
    This is what I would offer up. I think Treasury has a very 
robust, I'll say performance management structure. That 
structure, which has existed for many years, is the purview and 
the responsibility of the assistant secretary for management. 
It has served actually as an enhancer to my authorities as a CIO 
to be plugged into that and not try to recreate, for example, 
my own sort of set of oversight, if you will, with all the 
Treasury bureau heads and Treasury IT leaders.
    So it enables me actually to have very good interaction and 
influence with bureau heads routinely. I have the opportunity 
to meet with them and talk with them on technology matters.
    It also brings me to the table when, for example, we're 
talking about a particular bureau's budget or work force issues 
with the bureau head, because IT doesn't live in a vacuum, 
there are work force issues, there are budget issues, there are 
procurement issues, and all those folks need to be at the 
table. So, you know, I do feel like I have that.
    The other thing I'll say, and I mentioned this in my 
opening comments, is that we successfully delivered a tax 
filing season, it was a very complicated heavy lift. Back a 
year or so ago when we were sort of still interpreting the law 
and creating specific requirements, I started to have some 
concerns about our ability to deliver that on time, and I 
expressed those to the Secretary.
    The engagement with the Secretary led to the ability for 
me to meet with IRS leadership weekly for the following year, 
and I'm talking about the commissioner, the deputy 
commissioners, the CIO, and we sat down and we reviewed the 
progress of tax reform implementation weekly so that we would 
get there. I don't believe that would have happened if the rest 
of the organization didn't understand my reporting relationship 
to the Secretary.
    Mr. Connolly. Good feedback. And it's also heartening that 
finally IRS is getting the attention it has long deserved. It 
has been on a starvation diet for all too long, and especially 
when it comes to technology, some of those legacy systems are 
particularly characteristic of IRS. I mean, as a Democrat, I'm 
sorry it took the tax bill to be the incentive to do it, but 
I'll take it.
    In any event, thank you.
    Mr. Meadows.
    Mr. Meadows. I'm going to be real brief. Obviously we're 
looking at this. We're looking at detail. We're looking at what 
is being said and then what is actually being done, and I think 
there's a big difference between what is said and what is done, 
and sometimes what is said here as witnesses is not what we're 
hearing is being actually done at the agencies. So I guess what 
I would encourage all of you to do is look at your FITARA 
scorecard.
    And, Mr. Gray, I want to say thank you. Obviously, 
recognizing success is one of the things that we don't do a 
good job of doing sometimes. And I know I've been to--I haven't 
been to your agency, I've been to the other two agencies, and 
many times it's the first time Members of Congress ever come to 
say thank you, and shame on us. And so I just want to say thank 
you for your work.
    Thank you for truly the impact that you're making. And yet, 
we will not spend any more money on any one item than we do IT. 
I mean, Ms. Harris was talking about $90 billion, you know, 
when you add all the factors in there, it's probably up to 110, 
120 billion when you count in some of the agencies we can't 
talk about. When you look at what all of those components--I'm 
amazed at how archaic our IT system is. I mean, we're spending 
more than any Fortune 500 company would spend on IT, and yet, 
obviously--and, listen, I'm preaching to the choir, all of you 
get this.
    And I guess what I'm saying, the big thing for me--the big 
thing for the chairman is data centers and making sure those 
are consolidated. The big thing for me is if we continue to 
spend operational money for COBOL and FORTRAN programmers and 
legacy systems that--it's just mind-boggling that we would do 
it and we continue to do it, not just in some of your agencies, 
but in other agencies across this.
    And so, for me, it is, you know, really critical, Mr. 
Olson. I think about the IRS and the amount of data that you 
have, and what I would call the big mainframe IBM systems that 
are really programmed in such archaic language that we're 
having to pay a premium for the programmers because nobody 
programs in that language anymore.
    So in terms of action items, for me, if you would get back 
to this committee on what is your plan to get rid of legacy 
systems, and what is the cost of doing it? And for some of you, 
you know, you've got to make sure that you're up and running, 
and you may even have to have a parallel system that gets built 
so that you can do the transfer.
    I realize there are logistical problems, Ms. Harris has 
said sometimes it's like trying to change a tire while you're 
driving 55 miles an hour. For some of you it's like you're 
driving 100 miles an hour trying to fix that flat tire, but I 
need a plan.
    And I guess the only frustration you will find is that at 
the next FITARA hearing, if there is not a plan, not just from 
the three of you, but anybody that is listening, on how we're 
going to get rid of that, there's going to be a problem. I'm 
tired of talking about it. And I'm saying that in the nicest 
way that I can.
    But thank you all for your work. We are making great 
progress. Even the Cs and the C+s and D+s and all of that, do 
not take the generosity of a modified scoring as olly olly oxen 
free. It's time that we get serious about trying to get those 
to at least the next level up. And I'll yield back.
    Mr. Connolly. I thank the gentleman. The gentlelady from 
the District of Columbia, Ms. Eleanor Holmes Norton.
    Ms. Norton. Thank you very much, Mr. Chairman, I appreciate 
your calling specific agencies so that we could look beneath 
the surface and see how this is doing. So I'm interested in the 
scorecard that evaluates agencies for implementation of what is 
called the Federal Information Security Modernization Act, 
that's what we mean when we say FISMA.
    And I think that this metric is particularly important to 
the Congress because it will enable us to evaluate agencies who 
have a metric of their own and then to ask the agencies to 
explain themselves, and that's what I'd like to begin with now.
    I'm going to ask the Department of Education who received a 
C, the Department of Treasury who received a D, and the USDA 
who received an F, to explain why and what actions you can take 
or have taken to improve these scores?
    Mr. Gray. Thank you for the question. Specifically, as was 
mentioned earlier, the Risk and Management Assessment, the RMA 
piece, is where agencies are assessing against metrics. We meet 
regularly to discuss cybersecurity as a whole. As I alluded to 
in my opening remarks and my written testimony, we use a 
cybersecurity risk scorecard that was developed that is aligned 
with the new cybersecurity framework, and what that does is it 
enables me to have near real time visibility into the 
cybersecurity posture of each of our systems. It reaches back 
to the Department of Justice in this case to pull information 
about my systems and I use that as----
    Ms. Norton. So did you know that--this is Mr. Gray from the 
Department of Education--did you know that at the time that 
your Department received a C? Is that what it would get today--
will continue to get?
    Mr. Gray. We are striving to improve our cybersecurity 
scorecard and have made significant improvements. To your 
question about what have we done or what are we going to do?
    Ms. Norton. Yes.
    Mr. Gray. Within the last three months we have made a 
massive IT transition to everything entirely new. When I got to 
the Department about three years ago, a little over three years 
ago now, we inherited a 10-year-old IT service contract. There 
was a lot of legacy and old things. We have re-competed and 
awarded, and within the last three months have transitioned to 
entirely new--new equipment, new hardware, new software, new 
systems, everything.
    Ms. Norton. So if you were evaluated today, you think you 
would do better than a C? If you were evaluated today, given 
the improvements you just indicated?
    Mr. Gray. We are currently stabilizing within the next two 
months, but absolutely. Once the stabilization is done, I 
absolutely expect for our scores to improve.
    Ms. Norton. The Department of Treasury, that would be Mr. 
Olson.
    Mr. Olson. That's correct.
    Ms. Norton. The Department of Treasury got a D. How do you 
explain that, and what actions have you taken to improve that 
score metric?
    Mr. Olson. Sure. So let's talk about the metric itself. 
Part of it is based on an IG audit----
    Ms. Norton. Based on what?
    Mr. Olson. IG audit that's done of our FISMA system, so we 
scored three out of five.
    Ms. Norton. Is that why you got a D?
    Mr. Olson. So three out of five equates to a D, and that's 
50 percent of our grade. And I would be the first to tell you that 
that's not where we need to be. It's a maturity model and, you 
know, part of what we've been trying to do and part of what 
we've been using, the cyber enhancement account, has been to 
make investments where we get the biggest bang for the buck to 
improve these kinds of things.
    I actually sat down with Secretary Mnuchin to talk about 
our scores in this area, and he said, Eric, what's it going to 
take to get to four? So, four, we have 430 systems, it's a 
random selection of systems in any given year. So it's like, 
gosh, it's an extremely heavy lift, but how can we get to four 
on the highest value assets. So he's asked me to put together a 
plan, how can we get to four if we were to be audited on our 
highest value assets.
    The other half of the grade, which is the risk management 
score, as you know, this is sort of like 10 individual items, 
it's passed down. And some of these scores, if you don't get 
100 percent, you fail. So I'm not at all quibbling with the 
scorecard, but I mean to say that 9 out of 10 of them are well 
into the high 90's, and we have a one or two percent delta, 
which--you know, we have got to put it over the line and we 
would get, you know, a much better grade.
    The one area where we're doing the worst is actually a 
new element that was added to the scorecard in Q-3 of 2018, and 
we have a lot of work to do. That has to do with bringing 
strong encryption to legacy--well, to high value assets, many 
of which in the Department of the Treasury, are legacy systems 
which don't lend themselves to sort of architecturally elegant 
ways of doing that. But nonetheless, we understand the ask, 
we'll figure it out. But that's how I look at raising my 
scores.
    Ms. Norton. So it seems that you are aware.
    Mr. Olson. Very aware.
    Ms. Norton. And are taking action. And, finally, to round 
this out, Mr. Chairman, could I ask the Representative of USDA, 
Mr. Washington, about what was the lowest score among the three 
of you here, the F score. How do you explain that? Why that 
score? And what actions have you taken to improve that score 
since you got that score--that low score?
    Mr. Washington. Well, ma'am, we were in an environment 
where we had many different tools that weren't speaking the 
same language in terms of configuration management and 
patching. That's where we fell short on the----
    Ms. Norton. Do you have a variety of tools, did you say?
    Mr. Washington. Yes, we had a variety of tools that weren't 
feeding the same information, that's where we fell short on a 
FISMA metric because it wasn't feeding the metric data 
properly. So what we've done since last year, we've organized 
the end user consolidation that's very important to us across 
USDA, and we're going to get down to one common tool. And all 
of the end user support activities will be managed by the 
Department. So they will have common images and patching will 
be done the same way and standardized across the Department of 
Agriculture. And we intend to have that completed before the 
end of Fiscal Year 2020.
    Ms. Norton. Thank you very much.
    Thank you, Mr. Chairman. That's all.
    Mr. Connolly. Thank you. And thank you for that line of 
questioning because I think that really is something we got to 
work on.
    Mr. Olson, I just want to add, with respect to your answer. 
Surely--I know you do--understand that part of our intention 
was, if it can't be encrypted, it needs to be replaced and 
we're trying to incentivize the replacement of legacy systems.
    Mr. Olson. Yes.
    Mr. Connolly. And that's another nudge.
    Mr. Olson. Absolutely. And I think you're aware of a large 
modernization plan we have put in for most of that portfolio.
    Mr. Connolly. I would just say to all three of you, you 
represent agencies that maintain very large data bases. And I 
can recall, Mr. Gray, not to cite Education, but we had a 
hearing on this subcommittee a number of years ago focusing on 
different Federal agencies, and one of them was on yours. And 
what really was striking was, you wouldn't think of Department 
of Education being a particular target for bad guys in the 
cyber world, but you have a data base of over 40 million 
Americans. Because if I applied for a student loan, you got my 
data. You got my financial data, my banking information, my 
credit cards, my credit history, my mortgage, on and on. And 
what could go wrong with that if that got breached?
    So your being up to snuff in terms of cybersecurity is 
actually pretty important to the American people, and that 
would certainly be true--IRS has data on everybody. And USDA 
has all kinds of data bases, of course, as well. So, you know, 
this cyber question is not an academic one, I know not for you, 
but it isn't for us either. We're very cognizant of what can go 
wrong if we don't accelerate this move toward updated systems.
    Oh, I'm sorry, Mr. Grothman, the gentleman from Wisconsin.
    Mr. Grothman. Thank you very much. I'd like to thank the 
other three of you for coming over here, I know it's very busy 
for you and we're keeping you here a little late. So appreciate 
the extra effort.
    We talked before about the huge amount of cost that goes 
into what--I think it was Ms. Harris described as legacy 
systems. And I wondered for each of your three agencies, if we 
can start with Mr. Washington, could you let us know how many 
of the systems in your agencies you would describe as legacy 
systems?
    Mr. Washington. Sir, in terms of legacy systems, is it 
classified and is obsolete using outdated technology?
    Mr. Grothman. Correct.
    Mr. Washington. We have less than five systems that are 
actually classified as old legacy systems. But we do spend 
about 77 percent of our portfolio in terms of O&M.
    Mr. Grothman. Seventy-seven percent of your money you spend 
on the legacy systems? You said you have five legacy systems 
left, of that, five of how many?
    Mr. Washington. Oh, how many systems? We have--I'd have to 
get back to you on the exact number of systems, sir.
    Mr. Grothman. About.
    Mr. Washington. We have about 129 systems in USDA.
    Mr. Grothman. So you spend 77 percent of the money on five 
out of like 150 systems?
    Mr. Washington. On operation and maintenance. Of what we 
spend on our IT portfolio.
    Mr. Grothman. That's almost unbelievable. Could you give me 
the dollar numbers that go with those fantastic figures?
    Mr. Washington. Say again, sir.
    Mr. Grothman. Like how many dollars are we talking about 
here.
    Mr. Washington. We have approximately a $2.3 billion IT 
portfolio at USDA.
    Mr. Grothman. Two point three billion.
    Mr. Washington. Yes sir.
    Mr. Grothman. And you spend like 72 percent of that on five 
out of a 150 systems.
    Mr. Washington. No not on five--that's on O&M. On the five 
systems we don't spend that much money, sir.
    Mr. Grothman. Okay. But you said you spent over 70 percent 
on five legacy systems. Is that right?
    Mr. Washington. I said for operations and maintenance. On 
the five legacy systems, we plan to retire those this year--
those this year. And I don't have the exact numbers right now, 
but it's not--it's a small amount of money.
    Mr. Grothman. Okay. Well, it sounds kind of amazing 
numbers. Mr. Gray, I'll give you the same question.
    Mr. Gray. We have one legacy system at the Department, 
which is currently planned to be modernized through the next 
gen initiative that Federal Student Aid is leading.
    Mr. Grothman. And when will that be done?
    Mr. Gray. Excuse me.
    Mr. Grothman. When will that be done? When will it be 
modernized?
    Mr. Gray. That is a wonderful question. We currently have 
contracts that are under a protest, and as soon as those 
contract protests are resolved, we will be proceeding forward.
    Mr. Grothman. What's the nature of the protests?
    Mr. Gray. There's quite a number of that. I'd be happy to 
follow up after.
    Mr. Grothman. Okay. We'll give Mr. Olson the same question.
    Mr. Olson. Sure. So I'm happy to sort of comment. Within 
Treasury we have eight or so major bureaus, and I would 
probably answer that question a little bit for each one. But at 
the end of the day, the biggest rock in the Treasury Department 
is the IRS. So let's sort of talk about that one, because I 
think that one. It's roughly sort of an 80/20 split, maybe 85/
15, depending on the year.
    Mr. Grothman. What is the 85?
    Mr. Olson. Eighty-five is O&M versus what we call 
development, maintenance, and enhancement DM&E, which is the 
build piece. I would offer this--there's been a lot of 
discussion earlier in--in the early panel about private sector 
companies.
    I spent a lot of time talking to private sector companies, 
and in particular, financial services companies, and asked them 
this question a lot about how much do they spend on O&M, which 
is in the private sector they call run, and DM&E, which in the 
private sector they call grow. And they have another--sort of 
another category of spend that they call transform.
    It's not necessarily bad in and of itself to have a big 
number in run. But you have to have strategy for making the 
business case to invest as much as you can in grow and 
transform. And I will just say, as far as the IRS goes, and the 
big banks that I've talked to, this particular fraction, if you 
will, percentage, if you will, is not unlike what the biggest 
banks in the countries see as far as the split between run and 
build.
    We have a big proposal and request for funding, you know, 
that will be coming forward----
    Mr. Grothman. When you talk to other people--and I'm 
already past my time limit here. Do they feel you're up-to-date 
or do they say this is where we were 15 years ago, or what do 
they say?
    Mr. Olson. They, like us, have an enormously complex set of 
systems. So a GAO report just came out, we had, you know, the 
honorary of a 51-year-old system. A 51-year-old system, that is 
the year it was put into production. It gets down to I think 
what's the definition of legacy. I mean, we joke sometimes in 
the IT business that legacy begins the day after you implement 
the system for the first day. You know, so the definition of 
legacy is something that there's a fair amount of debate on.
    You know, if I were to take that 51-year-old system and 
tell you it's running on a mainframe that's four years old, is 
it a legacy system. There is a variety of----
    Mr. Grothman. In general, though, when you talk to people, 
because I'm way over, my subcommittee chair is being very 
gracious. When you talk to people, where do they feel about 
where you are?
    Mr. Olson. Oh, absolutely, they say we need to make 
significant changes, and we're committed to that.
    Mr. Grothman. Do they say, like, we are where we were 15 
years ago or something. I mean, you hear some of these stories 
that the government is so far behind where everybody else is.
    Mr. Olson. I'm not going to debate that, but I will tell 
you that I met with a group of financial service CIOs from some 
of the country's biggest banks, and it was amazing how similar 
of the challenges that we have in terms of our portfolio of 
applications.
    Mr. Grothman. Okay. Thank you.
    Mr. Connolly. I thank the gentleman. Mr. Olson, let me 
follow up on your answers to Mr. Grothman, however. I think it's 
a little misleading to compare yourself to the private sector, 
we're kind of roughly the same----
    Mr. Olson. Absolutely.
    Mr. Connolly. Same ratio. There is no private sector 
company I know of----
    Mr. Olson. There is not.
    Mr. Connolly. [continuing]. that has a 51-year-old 
operating system still operating and you're dependent on.
    Mr. Olson. Well, yes. I'm not trying to defend that.
    Mr. Connolly. I understand. But it goes deeper, doesn't it? 
So I remember during the Obama years, the IRS was so starved 
that the average computer, the average PC, for example, was in 
the eight to nine year range. In the private sector any modern 
company is replacing computers every two or three years.
    Mr. Olson. Right.
    Mr. Connolly. So already we're at a huge disadvantage, and 
little wonder that we had a lot of hard drive crashes, because 
it just was outliving its life span, and we were really taxing 
that hardware really behind its useful life.
    We also had for IRS, if you wanted to archive material and 
be able to retrieve it, the instruction was, print and save. 
Now there is no private sector company that would accept that 
as a standard. IRS has to because we weren't allowing them to 
invest in their technology.
    So I just wanted to clarify that in the case certainly of 
at least your big constituent agency, IRS, it is a victim 
directly of investment starvation.
    Mr. Olson. Absolutely. And I don't mean to--I think I just 
wanted to paint that it was a more nuanced picture, and we are 
trying to look at what is a very large portfolio to identify 
the places where we really need to make that investment and 
move quickly, as opposed to just painting a broad brush to what 
is almost a $300 billion dollars spend.
    Mr. Connolly. As I said earlier, I've been on this case for 
quite some time. And the IRS--I regret that my colleagues on 
the other side finally got around to wanting to do something 
only because they realized their tax bill was at jeopardy if 
they didn't because you couldn't implement it. I wish we had 
made those investments earlier for the sake of serving the 
American public with or without a tax bill.
    Mr. Olson. Agreed.
    Mr. Connolly. And hopefully that will be the ethos going 
forward. Ms. Harris, anything else for the good of the order? 
Anything we haven't covered that we ought to at least mention?
    Ms. Harris. I think we've covered everything.
    Mr. Connolly. We've covered everything.
    Ms. Harris. We have, sir.
    Mr. Connolly. Let the record show, GAO believes we have 
covered everything. But, again, I want to thank you for your 
leadership and your incredible staff work from the very top. I 
mean, you know, this item has been on the high risk list for a 
long time.
    GAO unequivocally got behind FITARA and supported the 
legislation and exhorted Congress to pass it, and has been with 
us every step of the way as we insist on its implementation.
    And we couldn't have done it without you, and I think 
you're really one of the great heroes of--if this legislation is 
transformative over time, GAO shares in the credit, and we 
thank you.
    Let me see, what am I doing here? I am adjourning. Okay. I 
want to thank our witnesses. And without objection, all members 
will have five legislative days within which to submit 
additional written questions for the witnesses, and those 
questions will come from us.
    And if you can get back to us in a timely fashion, through 
the chair, we'll distribute them to the members, should they 
appear.
    I want to wish you all a good day. Thank you again for your 
patience with the House schedule. Good luck on your trip, Ms. 
Harris. This hearing is adjourned.
    [Whereupon, at 5:55 p.m., the subcommittee was adjourned.]
