[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]

                               FITARA 9.0



                               BEFORE THE


                                 OF THE

                         COMMITTEE ON OVERSIGHT
                               AND REFORM

                        HOUSE OF REPRESENTATIVES


                             FIRST SESSION


                           DECEMBER 11, 2019


                           Serial No. 116-77


      Printed for the use of the Committee on Oversight and Reform


                  Available on: http://www.govinfo.gov
                    http://www.oversight.house.gov or

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
38-737 PDF                  WASHINGTON : 2019                     

                CAROLYN B. MALONEY, New York, Chairwoman

Eleanor Holmes Norton, District of   Jim Jordan, Ohio, Ranking Minority 
    Columbia                             Member
Wm. Lacy Clay, Missouri              Paul A. Gosar, Arizona
Stephen F. Lynch, Massachusetts      Virginia Foxx, North Carolina
Jim Cooper, Tennessee                Thomas Massie, Kentucky
Gerald E. Connolly, Virginia         Mark Meadows, North Carolina
Raja Krishnamoorthi, Illinois        Jody B. Hice, Georgia
Jamie Raskin, Maryland               Glenn Grothman, Wisconsin
Harley Rouda, California             James Comer, Kentucky
Katie Hill, California               Michael Cloud, Texas
Debbie Wasserman Schultz, Florida    Bob Gibbs, Ohio
John P. Sarbanes, Maryland           Ralph Norman, South Carolina
Peter Welch, Vermont                 Clay Higgins, Louisiana
Jackie Speier, California            Chip Roy, Texas
Robin L. Kelly, Illinois             Carol D. Miller, West Virginia
Mark DeSaulnier, California          Mark E. Green, Tennessee
Brenda L. Lawrence, Michigan         Kelly Armstrong, North Dakota
Stacey E. Plaskett, Virgin Islands   W. Gregory Steube, Florida
Ro Khanna, California                Frank Keller, Pennsylvania
Jimmy Gomez, California
Alexandria Ocasio-Cortez, New York
Ayanna Pressley, Massachusetts
Rashida Tlaib, Michigan

                     David Rapallo, Staff Director
              Wendy Ginsberg, Subcommittee Staff Director
                     Joshua Zucker, Assistant Clerk

               Christopher Hixon, Minority Staff Director

                      Contact Number: 202-225-5051

                 Subcommittee on Government Operations

                 Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of   Mark Meadows, North Carolina, 
    Columbia,                            Ranking Minority Member
John P. Sarbanes, Maryland           Thomas Massie, Kentucky
Jackie Speier, California            Jody B. Hice, Georgia
Brenda L. Lawrence, Michigan         Glenn Grothman, Wisconsin
Stacey E. Plaskett, Virgin Islands   James Comer, Kentucky
Ro Khanna, California                Ralph Norman, South Carolina
Stephen F. Lynch, Massachusetts      W. Gregory Steube, Florida
Jamie Raskin, Maryland
                        C  O  N  T  E  N  T  S

Hearing held on December 11, 2019


Carol Harris, Director, IT Management Issues, Government 
  Accountability Office
Oral Statement
Renee Wynn, Chief Information Officer, National Aeronautics and 
  Space Administration
Oral Statement
Elizabeth Cappello, Acting Chief Information Officer, U.S. 
  Department of Homeland Security
Oral Statement

Written opening statement and statements for the witnesses are 
  available on the U.S. House of Representatives Document 
  Repository at: https://docs.house.gov.

                           Index of Documents


Documents entered into the record during this hearing and 
  Questions for the Record (QFR's) are listed below/available at: 

  * Questions for the Record: To Ms. Elizabeth Cappello, Acting 
  Chief Information Officer, Department of Homeland Security; 
  submitted by Chairman Connolly.

  * Questions for the Record: To Ms. Renee P. Wynn, Chief 
  Information Officer, National Aeronautics and Space 
  Administration; submitted by Chairman Connolly.

                               FITARA 9.0


                      Wednesday, December 11, 2019

                   House of Representatives
      Subcommittee on Government Operations
                          Committee on Oversight and Reform
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 2:52 p.m., in 
room 2154, Rayburn House Office Building, Hon. Gerald Connolly 
    Present: Representatives Connolly, Norton, Khanna, Meadows, 
and Grothman.
    Mr. Connolly. The committee will come to order.
    Without objection, the Chair is authorized to declare a 
recess of the committee at any time.
    Sorry for the delay but we had an extra unplanned vote that 
took up some time, and my friend, the Ranking Member, Mr. 
Meadows, and I were both delayed. I beat you, Mark, by one 
    Mr. Meadows. You are younger than me.
    Mr. Connolly. I now recognize myself for my opening 
    Since the enactment of the FITARA Act, the Federal 
Information Technology Acquisition Reform Act, in 2014, this 
subcommittee has maintained steady and bipartisan oversight of 
implementation of the law. The benefits of continued oversight, 
which were lacking in the predecessor structural law, Clinger-
Cohen, are clear: across the government, agencies have improved 
Federal information technology acquisition practices and 
management practices.
    In fact, the FITARA scorecard's success has led this 
subcommittee to incorporate other aspects of Federal IT into 
the grades over the years. Our framework is not rigid. The 
subcommittee has augmented and changed the scorecard to take 
cognizance of other important components of Federal IT, such as 
cybersecurity, and incorporated other constructive feedback 
from agencies.
    Today, the scorecard incorporates grades adapted from three 
additional pieces of legislation, including the MEGABYTE Act, 
the Modernizing Government Technology Act, MGT, and the Federal 
Information Security Management Act, FISMA. The bottom line is 
that the FITARA scorecard works and continues to hold agencies 
accountable for implementing the best IT practices. The 
evidence is visible today in that chart.
    In November 2015, the average FITARA grade was a ``D'' 
across all participating agencies. Over the past four years, 
agencies have incorporated new, sometimes challenging metrics 
and higher stakes, and yet, the average overall agency grade 
today is trending up. It is now above a ``C'', a full grade 
improvement, not trivial. The witnesses from the Department of 
Homeland Security and the National Aeronautics and Space 
Administration, who are going to testify today, model this 
progress. In the eighth scorecard from June 2019, DHS and NASA 
received the worst grades of all agencies, a ``D-''. While 
there is still room for growth, the CIOs here today should be 
recognized for the progress they have achieved. In the ninth 
FITARA scorecard, today's, DHS is a ``B'' and NASA a ``C+,'' 
material progress.
    Unfortunately for some agencies, and in some categories, 
progress has slowed. Today, I hope to hear from our witnesses 
and GAO about what it takes to move beyond these hurdles to 
ensure efficient IT acquisition and management practices. We 
must continue to see the dividends from putting resources 
toward replacing legacy IT systems, migrating to the cloud, and 
maintaining a strong cyber posture.
    This subcommittee recognizes that each agency has its own 
unique attributes. Agencies vary greatly in their personnel and 
budget size, and in the number of missions, components, and 
programs that fall within their purview. Large, federated 
agencies such as DHS and NASA likely face additional challenges 
when implementing the best IT practices across their enterprise 
because of this complexity.
    Despite these challenges, improvements are possible. 
Progress in Federal IT takes political will and the recognition 
that the CIO needs a seat at the leadership table directly and 
a critical role in an agency's management decisions. Both DHS 
and NASA scorecards reflect increased grades given their 
agencies' commitments to give the CIO or a CIO direct reporting 
access to the head of the agency. Ms. Wynn, I am pleased to see 
that NASA recently reversed course on its reporting structure 
after the Ranking Member and I both expressed our concerns in 
writing, and we thank you for that.
    With the ninth scorecard, this one, our subcommittee 
acknowledges that some other agencies have taken steps toward 
direct reporting structures. DHS, the AID, and the Department 
of Treasury received partial credit this cycle for having a 
direct report to the head of the agency and indirect reporting 
to an Undersecretary or Assistant Administrator for Management. 
For DHS, the authority to drive change in IT practices across 
the entire department is of the utmost importance. The DHS IG 
reported on numerous IT deficiencies in components like the 
Federal Emergency Management Agency that hindered the agency's 
recovery operations following catastrophic hurricanes and 
wildfires. Lives depend on FEMA doing its job and doing it 
well, and that is what the importance of this finding really 
    Finally, I would like to take some time to reflect on the 
actions of the Administration regarding data center 
consolidation. At our last hearing, the Federal CIO, Suzette 
Kent, testified that she would continue the push for aggressive 
data center closures in the Office of Management and Budget's 
revised Data Center Optimization Initiative policy. After all, 
the law calls for that consolidation. It is explicit in the 
law. And we, both Mr. Meadows and myself, and the subcommittee 
were very gratified to hear Ms. Kent's rededication or 
recommitment to the explicit commitment of data center 
    In June, OMB released new agency data center guidance, 
however, that changed the entire baseline for how agencies 
define and count data centers. Just one year ago, agencies 
reported on more than 4,700 such centers that they planned to 
continue to operate. In the 2019 data center inventory, however, 
the number dropped by nearly 50 percent to 2,400 data centers 
because of a definitional change, not because of consolidation, 
and I think that is of concern to us because it bypasses the 
whole point. Whether it is deliberate or bureaucratic, one does 
not know. But we do not want to miss the need to achieve that 
    When we passed the MGT Act that both Mr. Meadows and I also 
sponsored, it was to be able to allow reinvestment in the 
enterprise through the savings effectuated through 
implementation of FITARA, primarily this, because data center 
consolidation is what frees up capital. That is what gives you 
the cost savings. If you play games with the definition of what 
is a data center or what constitutes consolidation, you miss 
the benefits. So we want to hear more about that, but we are 
concerned about it, and we want to make sure no one is playing 
games or doing an end-run; and even if it isn't deliberate, 
that unwittingly we are actually evading the purpose of the 
law. After all, the law is a good-government law. It is a 
bipartisan bill to try to bring agencies into the 21st century.
    So we are eager to hear the testimony today, and I want to 
again thank my colleague, Mr. Meadows, who has always been 
there on this issue, and then some, and I just thank him as 
being an equal partner in this enterprise. Thank you.
    Oh, Mr. Meadows. I recognize the Ranking Member.
    Mr. Meadows. I will be very, very quick. Thank you, Mr. 
Chairman, for your leadership on this issue, and the very fact 
that we are having this hearing is the emphasis and the 
priority not only of the Chairman but of members broadly. I 
know it is not a topic that brings in the cameras and members 
come rushing in.
    I do want to let you know, though, for our two witnesses 
that are here, to kind of give a synopsis of what you have done 
-- Ms. Harris will certainly attest to this -- we pay very 
close attention to this. It is actually now starting to become 
indirectly part of the appropriations process. We are looking 
at it. We want to make it a more formal part of that where 
literally we reward you for doing a good job, and both of you 
are here today to talk about your successes.
    Certainly, efficiency in government as it relates to IT is 
critical. I have shared this a number of times. We spend more 
on IT than we should, and I say that because it is $100 
billion, if you count all of the agencies that we name and 
don't name. It is over $100 billion a year, and when you look 
at that kind of number, I used to get more computing ability in 
my private-sector real estate company than some agencies do 
with the amount of money that we spend. So we have to do a 
better job.
    That being said, we know that there have not been rewards. 
So I am committed both on the fiscal side of things, which is 
hard for this conservative to say, but also on the reform side 
of things, to work with not only the two of you but all the 
agencies. Ms. Harris and your colleagues, I want to thank you 
both for your continued work on this.
    And without further ado, I think I will yield back to the 
Chairman so we can hear from all of you.
    Mr. Connolly. I thank the Ranking Member. Thank you very 
    I now want to welcome our witnesses.
    Carol Harris, Director of IT Management Issues at the 
Government Accountability Office. Welcome back.
    Elizabeth Cappello, Acting Chief Information Officer, U.S. 
Department of Homeland Security.
    Renee Wynn, Chief Information Officer for NASA, the 
National Aeronautics and Space Administration.
    And, I will point out, an all-woman panel.
    Thank you for being here.
    If you would please stand and raise your right hands, we 
will swear you in, which is the habit of our committee.
    [Witnesses sworn.]
    Mr. Connolly. Let the record show all three of our 
witnesses answered in the affirmative.
    Thank you so much. You may be seated.
    Without objection, your written statements will be entered 
into the record in full. We would ask you within a five-minute 
timeframe to summarize your testimony as best you can.
    And we will start, Ms. Harris, with you. Welcome.


    Ms. Harris. Thank you, Mr. Chairman. Chairman Connolly, 
Ranking Member Meadows, and members of the subcommittee, I 
would like to thank you and your very excellent staff for your 
continued oversight on IT management and cybersecurity with 
this ninth set of grades.
    Overall, nine agencies' grades went up, four went down, and 
11 remain the same. Also, for the first time ever, three 
agencies received an ``A'' grade, including two ``A+'s,'' and I 
would like to commend USAID, the Department of Education, and 
GSA for earning these top grades.
    I will now share some key highlights from this ninth 
scorecard. First, I will start with the CIO reporting 
    The CIOs of USDA and NASA now report to the agency head or 
deputy, which brings the total number of agencies with this 
direct reporting structure to 16. In addition, DHS, Treasury, 
and USAID have established acceptable CIO reporting 
relationships that, while not perfect, have enabled them to 
achieve partial credit in this category. This progress would 
not have happened to this extent without your scorecard and 
your oversight.
    Turning to data centers, the grading was suspended in the 
prior scorecard to provide the Federal CIO the opportunity to 
share OMB's plans for revising its data center optimization 
initiative at that hearing. At your direction we have 
reintroduced these grades, and the change increased the overall 
grade of DHS and decreased the overall grade of Interior, 
Labor, and State.
    OMB's guidance is now final, and unfortunately the concerns 
I raised at the last hearing about the revisions remain 
unchanged. Among other things, OMB's guidance revises the 
classification of data centers and data center optimization 
metrics. For example, OMB's new data center definition excludes 
roughly 2,300 facilities that agencies previously reported on 
in Fiscal Year 2018. Many of these excluded facilities 
represent what OMB itself has identified as possible security 
risks. Some are also large facilities that agencies will keep 
operating but will no longer be reporting on. SSA has five 
facilities over 8,000 square feet, and State has two over 
10,000 square feet, as an example. In addition, there are 194 
data centers over 1,000 square feet for which closure progress 
will no longer be reported as a result of the redefinition.
    Accordingly, the subcommittee and the committee will lose 
the ability to track and measure progress in this area because 
the baseline for comparison will have changed. Moreover, the 
changes will likely slow down or even halt important progress 
agencies should be making to consolidate, optimize, and secure 
their data centers.
    I will now turn my comments to DHS and NASA. These agencies 
collectively plan to spend $8.6 billion on IT this year. For 
each of them, roughly 80 percent of their IT spend is on 
operational systems. DHS has an overall ``B'' grade, which is a 
solid improvement from the past four scorecards in which it 
hovered between a ``C'' and a ``D-''. NASA, too, has made 
noteworthy progress from its ``F'' grade on the first two 
scorecards back in 2015 to a ``C+'' today.
    Some positive areas to highlight for both. They have 
comprehensive software license inventories and use them to make 
decisions and save money. These agencies also have highly 
effective IT portfolio review processes which have led to a 
collective $2.6 billion in savings and cost avoidances since 
2012. For DHS, progress in the area of incremental software 
development is still rather low. Only about 55 percent of its 
IT projects are delivering functionality every six months, as 
OMB has called for. For NASA, the lack of transparency in its 
evaluation of major IT investments is troubling. NASA spent 
$442 million on major IT in Fiscal Year 2019 and did not rate 
any of those investments as yellow or red.
    Mr. Chairman, this concludes my comments on the overall 
scorecard and the results for these two agencies. I look 
forward to your questions.
    Mr. Connolly. Thank you very much. I just wanted to 
mention, Ms. Harris, I will assure you we are not going to lose 
our ability to evaluate by virtue of OMB obfuscating the 
baseline. If necessary, we will work with you to create/
recreate the baseline we have been using, and that is how we 
will continue to monitor and score agency performance. But we 
are not going to allow either the evisceration or the dilution 
of the baseline that has served us so well and agencies so 
well. Thank you.
    Ms. Wynn?


    Ms. Wynn. Thank you, Chairman Connolly, Ranking Member 
Meadows, and the members of the Subcommittee on Government 
Operations, for allowing me to appear before you today to 
provide you an update on NASA's implementation of the Federal 
Information Technology Acquisition Reform Act, or FITARA.
    NASA's global information technology infrastructure plays a 
critical role in every aspect of NASA's mission. Today is an 
especially exciting time to work at NASA as we work toward 
delivering the first American woman and the next American man 
to the moon in 2024.
    NASA's new Artemis program will use a long-term presence on 
the moon to test, build, and validate new capabilities for 
human missions to Mars. My team looks forward to playing our 
part in this great endeavor.
    Effective IT management is not an easy task. As the CIO, I 
must balance innovation with mission needs, costs, and evolving 
threats. NASA has come a long way from our initial FITARA 
score, and more work remains. As an example, in 2010, NASA had 
79 data centers. Today we have 19. This is a 75 percent 
reduction, resulting in the repurposing of approximately 80,000 
square feet of space and generating about $36.2 million in 
savings since Fiscal Year 2012. When reducing our data center 
footprint, we also increased our use of cloud computing. NASA 
currently has more than 10 petabytes of data in the cloud and 
uses more than 1.4 million commercial cloud computing hours per 
    To its credit, over the last several years NASA has 
transformed its IT governance structure to empower the CIO with 
greater authority. For example, the CIO directly reports to the 
Administrator, and I have access when needed. The NASA CIO and 
most of the center CIOs sit on all key NASA decisionmaking 
councils, and the CIO has direct authority and oversight over 
the center CIOs, including their IT and acquisition decisions.
    Within NASA, IT is now regarded as a strategic agency 
resource, with the CIO having clear authority to approve the 
agency's IT spend plan. In doing so, NASA is strengthening the 
agency's ability to rely on IT resources with agency missions, 
goals, and programmatic priorities. My office continues to work 
closely with our customers to better understand and support 
their mission and mission support needs. My office is even 
integrating team members directly into the Artemis program, 
ensuring cybersecurity risks are mitigated at the earliest 
    Additionally, my office continues to participate in NASA's 
mission support future architecture program, or MAP. Through 
MAP, NASA is implementing a phased approach to transform 
mission support services into more efficient enterprise 
operating models. This includes realigning budget authority and 
lines of reporting, improving the sharing of capabilities 
across our centers, and strategically assessing and aligning 
the work force to support this transformation. My office is on 
track to complete our MAP assessment and planning by December 
    When speaking about NASA, it is important to remember that 
cooperation with our Nation, the public, and scientists across 
the world is one of NASA's founding principles. Therefore, NASA 
seeks the widest practical and appropriate distribution of 
information from our missions, but in doing so we must also 
safeguard our IT assets against well-resourced and highly 
motivated threat actors.
    The reported number of cyber incidents against NASA 
continues to increase because we have greater visibility into 
our network. I am confident that NASA continues to 
appropriately address these threats. Some of the metrics that I 
provided in my written testimony demonstrate that. 
Additionally, I would like to publicly congratulate NASA's 
Identity Credential and Access Management team for being named 
a finalist for the prestigious 2019 National Security Agency's 
Frank B. Rowlett Award, an award that recognizes outstanding 
Federal Government excellence in the field of cybersecurity.
    In conclusion, I appreciate the opportunity to appear 
before you today to assure you that effective IT management is 
a top priority for NASA and its senior leaders. NASA looks 
forward to continuing to work with Congress and our other 
Federal cyber partners to ensure that NASA's IT global network 
remains secure, effective, and resilient. I would be happy to 
answer any questions you may have.
    Mr. Connolly. Wow, right on the nose. Excellent job.
    Ms. Cappello?


    Ms. Cappello. Chairman Connolly, Ranking Member Meadows, 
and distinguished members of the subcommittee, thank you for 
your continued commitment to achieving the goals of FITARA and 
the opportunity to appear before you today to share the 
Department of Homeland Security's progress in meeting these 
    Across DHS, our components serve disparate missions at 
various operational tempos, requiring information technology at 
locations across the globe. As a career Federal specialist from 
within DHS, I know that providing capability for this complex 
agency requires a strategy that advances the mission, optimizes 
the organization, enhances service delivery, and strengthens 
    The DHS Chief Information Officer is accountable for the 
efficient and effective use of IT resources across DHS. As part 
of my statement, I would like to highlight a few areas of 
success that relate to FITARA's scorecard metrics, the 
Department's cybersecurity posture, cloud adoption, Agile 
development, and data center consolidation.
    Cybersecurity must be at the core of everything we do in 
information technology. At DHS, my office operates the 
enterprise-wide area network that connects the 240,000 DHS 
Federal employees, more than 4,300 physical locations, and 
dozens of mission-essential applications. An important layer of 
protection for this ecosystem starts at the enterprise Security 
Operations Center, or SOC, which is focused on the risk of 
attack from hostile cyber actors.
    The next levels of defense in-depth occur within the 
components themselves. To ensure consistency in cybersecurity 
across all levels of the Department, we implemented the 
Cybersecurity Service Provider Program this year. The CSP 
Program tailored the well-established Department of Defense SOC 
accreditation program for use within the Department of Homeland 
Security, and this past year the U.S. Immigration and Customs 
Enforcement SOC received accreditation, and DHS will continue 
assessments of the remaining DHS SOCs throughout this fiscal 
    Given all these efforts, I am proud to note that the 
Department's improved cybersecurity posture is evident on our 
Federal scorecards, including FISMA and FITARA. Our 
cybersecurity strategy is not static, however. As DHS continues 
to make great strides in cloud adoption, we must update our 
enterprise security model, our policies, and our architecture. 
We must eliminate the barriers to cloud migration while 
supporting information assurance.
    The perimeter defense approach is evolving into zero trust, 
which very simply means that we eliminate the concept of trust 
from our technology enterprise. This architecture will better 
protect DHS IT assets from compromise through improved 
monitoring and strict access control. At the same time, the 
Department is implementing the new OMB TIC 3.0 and the 
streamlined authority to operate process to facilitate the 
cloud environment.
    The Department is also committed to developing and 
retaining a skilled cyber work force. We are partnering with 
the Office of the Chief Human Capital Officer as they develop 
the Cyber Talent Management System to manage the entry and 
training of cyber talent within DHS. Additionally, DHS supports 
a cyber internship program and numerous engagements with 
educational institutions.
    Cloud adoption also requires re-skilling the work force. By 
integrating cybersecurity with incremental development, we 
ensure that DHS operates a resilient and responsive technology 
enterprise. DHS is focused on building Agile skills so that 
security, development, and operations are an integrated 
culture. We host an annual Agile Expo highlighting the best 
practices from across the Department.
    At DHS, we understand clearly that data center 
consolidation is a top priority for the Chairman and the 
Ranking Member of this subcommittee. FITARA focus has led DHS 
to continue enterprise data center consolidation and cloud 
adoption. For example, we have almost eliminated our on-premise 
email system and will continue with migrating out of the DHS 
Enterprise Data Center 2.
    DHS requires secure, responsive, and resilient information 
technology to execute its mission. I am proud of our efforts 
thus far and excited about our continuous improvement. But as I 
said in my written statement, there is certainly more room for 
progress. As a leader with success in these areas at the 
component level, I look forward to working with this 
subcommittee and actively engaging across DHS to improve our 
enterprise using FITARA as our yardstick.
    Once again, thank you for the opportunity to appear before 
you today, and I look forward to your questions.
    Mr. Connolly. Thank you so much.
    And thank you all for your thoughtful testimony.
    The Chair calls on the distinguished Congresswoman from the 
District of Columbia for five minutes of questioning.
    Ms. Norton. I thank my good friend from Virginia, and I 
appreciate this hearing. I do believe it is an important 
hearing. We are obligated to have it for good reason.
    It is interesting to note that the CIO is understood to 
have such an important role that the subcommittee reduces an 
agency's overall grade in its annual FITARA scorecard if that 
person does not have that role reporting to the agency head.
    So, Ms. Wynn, in the last FITARA scorecard that was in June 
2019, NASA had demoted the position of the CIO; and, of course, 
NASA reversed course after the Chairman and the Ranking Member, 
Mr. Connolly and Mr. Meadows, wrote to the Administrator, and 
the future of the CIO was changed. I don't know why it was 
demoted. I don't know if you know.
    But how has your role changed since the Chairman and 
Ranking Member wrote and you were reporting directly to the 
agency head?
    Ms. Wynn. Thank you for the question. My role remains the 
same with the short-term move to our mission support 
directorate. That role never was changed. It was only my 
reporting authority to the --
    Ms. Norton. Well, that is what I am trying to find out. 
What difference does the reporting authority--it was the 
reporting authority that was at issue.
    Ms. Wynn. That was at issue, and then that was returned. 
The intent of the agency was to try to gain some --
    Ms. Norton. And how has that mattered to you is my 
question. If you report directly to the agency head, why does 
that matter to you?
    Ms. Wynn. It helps me when I am reporting in particular on 
cybersecurity events, to be able to get easy access to the 
Administrator, which I remain to have that access to him. I 
think there are a couple of other issues in IT that get to be 
significant, and we certainly have easy access to report any of 
those issues to him.
    Ms. Norton. So I think that justifies your action, Mr. 
Chairman, very much so.
    This committee is very concerned about the skills gap in 
technology across the Federal Government. There are a lot of 
places you can work and make a lot more money, and we certainly 
appreciate your work.
    IT management and acquisitions is listed in the GAO's 
annual high-risk list. Let me ask Ms. Wynn and Ms. Cappello, 
what steps are you taking, or should we perhaps take, to 
strategically manage your human capital to ensure DHS and NASA 
have the work force that you need?
    Ms. Wynn. I will start, and you can take it from there.
    One of the things is the continued support of this 
committee, as well as Congress, in terms of taking a look at 
the importance of hiring cyber-skilled personnel and letting 
them know that working for the Federal Government, and the 
missions in particular --
    Ms. Norton. Well, you should be doing that as well.
    Ms. Wynn. Yes, we are, and we need your support to do that. 
At NASA, the one thing is we are not, except geographically, 
struggling with hiring right now, but I know that we keep a 
constant eye on making sure that we are looking at new ways to 
recruit individuals. We certainly get out there and tell them 
about our mission and how they can be a part of protecting our 
    Ms. Norton. Do you go into the colleges?
    Ms. Wynn. Yes, we do go to the colleges, and we work in a 
number of different ways. We get into the high schools and the 
elementary school level as well.
    Ms. Norton. Oh, I appreciate that, yes.
    Ms. Wynn. Yes. So we --
    Ms. Norton. Let them begin seeing the Federal Government as 
a place you want to come to.
    Ms. Wynn. Absolutely. And so with the continued support of 
the Hill and a lot of recruiting practice, we continue to work 
on this effort. But I do know that my colleagues in other 
Federal agencies do have some significant challenges. There are 
geographic areas that are challenging for everybody.
    Ms. Norton. Yes, I understand that. So people need to be 
doing it across the United States.
    I do want to get this question in. I notice we have an all-
female group here testifying, and I am pleased with that 
because that is not what we see across the profession. So let 
me ask Ms. Wynn and Ms. Cappello, as female senior-level 
technology officials in the Federal Government, help us to 
learn what we should be doing to encourage more minority and 
female entrants into the field of information technology.
    Ms. Cappello. Ma'am, thank you for recognizing the rather 
historic panel that we have today. I think you bring up an 
incredibly important topic. Diversity in our work force at 
every level serves our mission. Whether it is females, 
minorities, cognitive diversity, it is incredibly important 
that we attract the very best talent. I think one of the ways 
that we begin to do that is by setting the example. We are 
here, we are at the table, and we are given a voice. So when 
someone, a young woman or someone from the minority community, 
looks up and says is that a place where I want to work, do I 
see people that look like me, well, you do; we are here.
    We need to be out there mentoring. We need to be out there 
talking about our agencies. We need to be talking about 
technology. And I agree with Ms. Wynn, that starts at the 
elementary school, the middle school, the high school level. 
Certainly, we are recruiting at the college level. But if we 
want to get folks excited about DHS, I think it is incredibly 
important for those of us who are in senior leadership, 
especially women and minorities, to be out talking to the 
community and here is what we have to offer here in DHS or in 
NASA or anywhere else in the Federal Government.
    Mr. Connolly. And to your point, if I may, I think having 
our agencies aggressively get into schools where they can show 
role models for women and minorities and mentor them, and even 
adopt programs, I have seen incredible work done by -- I will 
pick an agency -- DARPA on robotics. The enthusiasm among young 
people, and it doesn't matter whether they are boys or girls, 
what backgrounds, is just contagious. So that interaction can 
also -- you all can make a difference too, to Ms. Norton's 
    I am afraid the gentlelady's time has expired.
    I now recognize the gentleman from Wisconsin, Mr. Grothman, 
for his five minutes.
    Mr. Grothman. First question for Ms. Wynn. NASA has a 
department-wide working capital fund, correct? I understand you 
are evaluating the establishment of an IT-specific fund, right? 
What is NASA's timeframe as far as coming up with a solution, 
and what steps are you taking?
    Ms. Wynn. We finished an initial analysis to look at our 
current working capital fund and other working capital fund 
authorities this past summer, and right now we are marching 
toward making a decision within our IT council, as well as with 
our other senior leaders, by the end of Fiscal Year 2020.
    Mr. Grothman. Okay. Do you have any specific plans to work 
away from any of your legacy systems, your legacy systems all 
    Ms. Wynn. So, at NASA we have two types of legacy systems, 
and there is a set of legacy systems that we have to be very 
careful with because those are our flying assets, our 
satellites, and some of those were started back in the `60's. 
So for those, we are not thinking about modernizing, but we are 
taking the best precautions that we can in order to protect 
those flying assets.
    Then there is the legacy that definitely needs modernizing, 
and we work across the agency to identify what those projects 
are and then prioritize those projects for funding. In the last 
year I had $10 million to provide specifically to modernization 
activities in Fiscal Year 2019.
    Mr. Grothman. When you talk about systems that are flying, 
you mean things that are still around 50 years later?
    Ms. Wynn. Yes, 10 years and much longer.
    Mr. Grothman. Okay. I suppose stuff can stay up there 
forever and you keep using it, right?
    Ms. Wynn. Yes. Because a new satellite program costs 
millions of dollars, NASA takes great prudent measures to 
evaluate each mission that is in flight each year to see if the 
value of the data coming back versus the cost of a new mission, 
as well as other protection needs, good-neighbor policies in 
space, and then proceeds with either continuing the mission or 
stopping it.
    Mr. Grothman. Okay.
    Ms. Harris, I was going to ask you the same question. What 
progress have the agencies collectively made in transitioning 
away from legacy systems?
    Ms. Harris. Well, unfortunately, when you take a look at 
the total IT spend per year, $90-plus billion, 80 percent of 
that $90 billion-plus is still mired in the O&M, the operations 
and maintenance category. So the Federal Government still has 
quite a bit of work to do to reduce the amount of legacy IT.
    Mr. Grothman. When you say legacy, I mean, things have 
changed so much in IT, it kind of amazes me. When you say 
legacy IT, when does that date from normally?
    Ms. Harris. It could be anywhere from the 1970's or 1960's 
to 1997, to even as far as three years ago. It depends. But 
when we talk about legacy, we are talking about systems that 
are in desperate need of either modernization or being turned 
off because they present security vulnerabilities, among other 
    Mr. Grothman. I am trying to think of industries that are 
data heavy. I suppose financial services, insurance, that sort 
of thing. Do you ever take a look and see how old systems are 
around or how many legacy systems are around, say, in those 
types of industries?
    Ms. Harris. We haven't done work, sir, in examining what 
you just described, the financial management services 
community, in terms of how old the systems are. But what I can 
tell you is that back in June we did a report on the top-10 
legacy systems across the Federal Government, and what we found 
is that for these 10, the majority of them lacked modernization 
plans. So they didn't even have plans in place in terms of the 
game plan moving forward, whether they were going to shut them 
off or how they intended to modernize. So that is a problem, 
and that is systemic across the Federal Government.
    Mr. Grothman. I think the thing that frustrates me is we 
should know what is going on in the private sector in data-
heavy operations, right? And my guess is if you went into -- it 
probably doesn't matter what insurance it is, probably health 
insurance is the most data heavy, but whichever field you go 
into, my guess is you would find very little that has been 
floating around for even more than 15 years. I would think that 
if you collect that data or collect data from other places, you 
would find how out of whack the government is. Is there any 
reason why you don't? Because presumably all three of you want 
to update things, and I would think you would have a lot more 
ammunition if you could say we checked in with such and such 
insurance company, they don't have things floating around here 
for more than 12 years. Is there any reason why you don't do 
    Ms. Harris. Sir, the work that we do is driven by the 
requests that we receive from committees and members. We would 
be happy to take on a request like that if that is something 
that the subcommittee would be interested in sponsoring.
    Mr. Connolly. We can work with the gentleman from Wisconsin 
in formulating such a request, and I thank you for the idea.
    The Chair now recognizes the distinguished Ranking Member 
of the subcommittee.
    Mr. Meadows. Thank you, Mr. Chairman.
    Ms. Harris, what would be the top three things that you 
would recommend this committee focus on? We are now at our 
ninth report card. So we have seen some trends, we have seen 
what works and what doesn't work, and you and your colleague 
have been very helpful in helping us address certain areas to 
modify. So what would be the top three things that you would 
recommend we pay attention to over the coming year?
    Ms. Harris. No. 1, continuing to be aggressive on data 
center consolidation; No. 2, looking at the --
    Mr. Meadows. I am sure the Chairman liked to hear that. I 
mean, that is his number-one priority. So the fact that it is 
your No. 1, you get an ``A'' for the day, and maybe even an 
``A+'' on the FITARA scorecard.
    Mr. Connolly. That is a motion I second.
    Mr. Meadows. Go ahead.
    Ms. Harris. The second being continuing to be aggressive 
with the agencies on the CIO reporting structure. We still have 
five that are no, and we need to make sure that those five turn 
into yeses. And then the third thing is looking at the working 
capital funds, making sure that agencies have -- the CIOs have 
-- the funds necessary to modernize those legacy systems that 
are in their house.
    Mr. Meadows. All right. Let me follow up. On the legacy 
systems, so much of the money is spent on O&M and not capital 
purchases. Do you think we could substantially lower our 
operating and maintenance costs if we invested significant 
dollars -- and significant system-wide would be hundreds of 
millions in terms of infrastructure. Do you think we could 
systemically change the trend of our O&M expenses?
    Ms. Harris. Yes, I do.
    Mr. Meadows. All right. By a factor of -- I mean, could we 
reduce O&M by more than 15 percent? Too healthy? Ten?
    Ms. Harris. I think it is hard for me to say at this time, 
but I think that if --
    Mr. Meadows. Let me ask it a different way, then. How much 
are we spending on programmers that know what I would call dead 
programming languages?
    Ms. Harris. We are spending, actually, a notable amount. I 
don't have the figure on me, but it is a notable amount.
    Mr. Meadows. Do we have young people that we are training 
on COBOL and Fortran now because guys like me with gray hair 
that learned it a long time ago are dying off?
    Ms. Harris. The new folks that are coming into the work 
force are not interested in learning those archaic languages. 
And so I think that --
    Mr. Meadows. So we are going to run into a problem, I 
guess, with our cap on Federals, because at some point the 
supply and the demand -- if I knew that you needed a Fortran 
programmer, I might refresh my abilities. But if I can only get 
paid similar to what I am getting paid in other areas, I guess 
that is going to be a problem, isn't it?
    Ms. Harris. Yes, it is going to be a big problem.
    Mr. Meadows. All right.
    Ms. Wynn, let me thank you on behalf of the Chairman and 
myself for actually listening to the reporting structure. It 
was actually something that Ms. Harris and her colleague let us 
know when we were doing a review. We sent a letter, and I just 
want to say that it changed my attitude. I have a reputation 
for asking real tough questions. You are not supposed to agree 
with that. But it changes my attitude, and I think the Chairman 
would agree that even though you are not at an ``A'' or an 
``A+'', it changes my attitude on the fact that you are willing 
to look at that. So if you would take that back to the 
Administrator and just let him know that, and thank you for 
your work. I would love to see, not in your verbal answers, but 
if you could come up with three things that you are going to 
prioritize for our next scorecard, we can kind of be familiar 
with that and that would be great. Obviously, data center 
consolidation needs to be one of the three. All right?
    Obviously, I was checking your scorecard and where you have 
been and where you are at DHS. Again, I want to thank you. 
These hearings can be very difficult, and we will have other 
FITARA hearings that don't go quite as smoothly, but I want to 
thank you.
    Here is the one concern that I do have. DHS is so big, and 
when you look at -- sometimes because you are so big, you can 
actually overlook a lot of things when you are getting a good 
grade, because part of the grading is relative to where you 
have been. So it gets tougher. The more scorecards we have, the 
more finite we become with what we are looking at. So if you 
would try to look beyond just the next scorecard and where you 
are with your agency. Obviously, you have had a lot of 
turnover. So what we would love to do is make sure that we get 
those same three things from you.
    And with that, Mr. Chairman, I know we will have a full 
FITARA hearing later on. I just want to say thank you. Thank 
you, GAO, once again. You have delivered, and we appreciate 
that, and I yield back.
    Mr. Connolly. I thank the gentleman and thank him again for 
his leadership and partnership in this enterprise. We couldn't 
have done it without him.
    And as the gentleman indicated, the next FITARA hearing 
will be the 10th. I think it will be an expanded hearing where 
we will take an expanded look at implementation and compliance, 
so we look forward to that.
    The Chair now recognizes the gentleman from California, Mr. 
Khanna, for his five minutes.
    Mr. Meadows. Would the gentleman yield for just a second?
    Mr. Khanna. Absolutely.
    Mr. Meadows. I just want to wish your daughter a belated 
happy birthday.
    Mr. Khanna. Well, thank you very much.
    Mr. Meadows. I remember her birthday, and so 
    Mr. Khanna. That is very kind of you, Representative 
Meadows, and I appreciate our friendship.
    And thank you, Mr. Chair.
    Mr. Connolly. I am sorry I wasn't there. I was getting 
ready for the FITARA hearing.
    Mr. Khanna. Well, that is more important.
    Mr. Connolly. Believe me, that was a tough choice. The 
birthday party sounded pretty enticing.
    Mr. Khanna. We still have cake if you need some.
    Mr. Connolly. Good. Thank you, Mr. Khanna.
    Mr. Khanna. I appreciate that. I appreciate the Chair's and 
Representative Meadows' work on FITARA and in a bipartisan way 
making government more technologically proficient.
    As you know, the 21st Century ID Act passed last Congress, 
and the implementation is ongoing. Ms. Wynn and Ms. Cappello, 
what steps have you taken to implement the law?
    Ms. Wynn. Well, I think the first step was education, to 
share with people what the law was about, and then identify a 
plan that would be appropriate for NASA to do the 
implementation steps. Many steps of the law are fairly broad 
and big, and so we just broke it down to bite-sized pieces at 
    I think the big thing to the success is really 
understanding what you wanted out of the law, what is expected, 
and then outlining for my leadership team what we needed to do 
to deliver here at NASA in a way that was supportive of the 
law, as well as our mission.
    Ms. Cappello. Thank you for the question. My office at DHS 
is responsible for accessibility and 508 compliance, and so we 
are a little bit excited about the opportunity to leverage user 
interface and user experience as we redesign the website.
    I think basically what we are doing right now at DHS is 
following the GSA three-phase maturity model. So we are using 
the principles, we are looking at user experience guidance, and 
then following the web design code. I know the team at DHS that 
is working on this project has got a plan that they are putting 
together, and it is going through the process right now for 
review, and I would expect it to be submitted rather soon.
    Ms. Wynn. And if I might add, in advance of that Act we had 
already started to take a look at our external footprint and 
started to shrink that down so the work that we have left is 
now very much aligned with the Act itself, and we appreciate 
the focus on it. But as you know, our website, our web presence 
for any Federal agency is also an attack surface.
    Mr. Khanna. I appreciate that.
    The subcommittee has seen steady improvement across the 
government over the course of nine FITARA scorecards. It 
appears that large decentralized agencies have had a more 
difficult time implementing FITARA than small or medium 
agencies that have one clear mission.
    Ms. Harris, what challenges do large and decentralized 
agencies have in implementing IT initiatives, and what steps do 
you recommend that they can take?
    Ms. Harris. Well, it is not surprising that these large 
federated, decentralized agencies have a tougher time than the 
smaller ones with a single focus. A large part of the success 
that we have seen at these large federated agencies in areas of 
the FITARA scorecard such as software licensing is centralizing 
the collection of information so you have a centralized 
inventory, for example, in this case software licenses, that 
you are able to then make decisions about economies of scale 
across the enterprise as one example.
    So I would start with centralizing the collection of 
information, whether it is licenses or anything else, mobile 
phones, other inventory that you might have.
    And then also it is really about establishing relationships 
with the CIOs at the component level. I think Ms. Cappello 
actually could speak quite eloquently about the successes they 
are seeing at DHS in terms of the synergies that they are 
experiencing between the component CIOs and herself in order to 
be able to more effectively manage at that department-wide 
level. But that is a major step as well, establishing that 
communication and instituting institutional processes across 
the department so that these component agencies will fall in 
line and be able to provide the information that is needed at 
that department level so that sophisticated management 
decisions can be made.
    Mr. Khanna. I appreciate that.
    Ms. Wynn, can you describe your relationship with NASA 
centers and facilities and what authorities you have over 
NASA's IT and challenges that you have seen?
    Ms. Wynn. Yes. So, I am happy to report that all the center 
CIOs actually report to me.
    Mr. Khanna. That is good.
    Ms. Wynn. Yes, this is a great place to start. And then 
also each of the centers themselves, as well as myself, sit on 
key decision boards at the agency, whether it be at the center 
or at the agency level, and this allows us to learn about the 
mission as well as influence the decisions that would come down 
and affect our infrastructure, or make suggestions on better 
ways to implement cybersecurity principles.
    Mr. Khanna. Thank you. Thank you all for your leadership 
and expertise.
    Mr. Connolly. Thank you, Mr. Khanna. Thank you so much for 
being here today and your interest in the subject.
    To Mr. Khanna's last point, Ms. Wynn, I like hearing that 
the other CIOs report to you. One of the things we wanted to 
do, and we hoped to do it in an evolutionary rather than a 
mandated way, was to have what we call in Latin ``primus inter 
pares,'' first among equals.
    Mr. Meadows. Show off.
    Mr. Connolly. I know; I can't help it. In six years, I have 
to use it sometime.
    We could have mandated, but we chose to respect the Federal 
culture and let it evolve. But when we started -- and I see 
Rich Buetel, who helped write this bill when he was on the 
committee staff -- we had 250 people in 24 agencies called CIO. 
You would never see that in the private sector, ever. I don't 
care how big or small, they would be one. So you are the model. 
That is exactly what we want to happen. There has got to be 
somebody who reports directly to the boss who has the 
authority, responsibility, and accountability for IT 
management, procurement, and reduction of legacy systems. So, 
congratulations again; that is great.
    Your agency is a lot more difficult because it is this 
compressed hodge-podge, but are you making progress in that 
respect, Ms. Cappello?
    Ms. Cappello. Chairman, thank you for the question. I think 
it is very interesting when you look at DHS. We were created 16 
years ago, and I think it is safe to say that of all the large 
Federal agencies, we have the most disparate mission sets. So 
while I certainly appreciate and understand the intent behind 
the reporting structure as described, my concern would be 
responsiveness to the operational tempos and to the individual 
mission sets. I think what we are doing in DHS right now that 
is really exciting and really useful is we have strong working 
relationships amongst the CIO community. We probably have a 
little bit of competitiveness as well, especially in regards to 
cloud adoption and Agile development and modernizing our 
applications. I think what the disparate mission sets allows us 
to do and the responsiveness in the CIO community is, for 
example, CBP is a very large component agency, more than 70,000 
employees. In their mission set, they had to develop an 
analytics capability very early on. So they are able to bring 
best practices/experiences to the conversation as the next part 
of DHS looks to adopt analytics, and we have examples of that 
across DHS. I would say our HSI under Immigration and Customs 
Enforcement has done such tremendous work in computer forensics 
in its child exploitation space.
    So while I fully understand the concerns around the 
reporting structure, I would offer that in DHS there is an 
awful lot of value in the technologists being able to respond 
directly to the operational requirements.
    Mr. Connolly. It is a good point you make, and I think that 
is why we respected the culture. That is why we didn't, by 
fiat, say there will only be one. We didn't do that because we 
understood that this is a disparate Federal Government, lots of 
different agencies, lots of different missions. Some are more 
narrowly focused and it is easier to do. Some are much more 
complicated, with multiple missions.
    But what we want to avoid, though, is this: It is not me; 
it is her; it is somebody else other than me, and no one is 
responsible, and no one is accountable. That is how you waste 
gazillions of dollars, and that is how projects go awry. 
Someone has to be vested with the primary responsibility and 
the primary accountability, that you are empowered, you are 
imbued with decisionmaking, and that is the model we want to 
move toward. We will respect the evolution, but not forever. 
That doesn't mean there can't be individual pieces, but you get 
what I mean, because the private sector somehow is able to do 
    I worked for a company before I came here of 42,000 people. 
We were into everything. I mean, we did engineering, we did 
science, we did pharmaceuticals, we did government contracting, 
we did cybersecurity, all kinds of things. We had one CIO, and 
that company to this day has one CIO. So it can be done, and it 
is probably the preferred model over time.
    Ms. Harris, final question. We started out by talking about 
data center consolidation, and I, like Mr. Meadows, was very 
pleased that that was the first of your top three in answer to 
him, and I am glad to hear it. I just want to cite that GAO 
found, as of August of last year, agencies had closed 6,250 
data centers and had plans to close an additional 1,200, 
leaving the Federal Government with 4,716 data centers left. As 
a result of the closures, agencies had achieved $1.94 billion 
in cost savings for Fiscal Years 2016 through 2018, so there is 
more in this last year, and identified an additional $42 
million in cost savings. That amount is still $38 million short 
of OMB's goal under the previous guidance of $2.7 billion. But 
the point is that is where the savings are. That is where the 
savings are if we are going to retire these legacy systems, if 
we are going to reinvest in the enterprise.
    So that is why we are concerned about OMB guidance on what 
will be acceptable. We want explicit language that says close 
them, consolidate them, and we were worried, and we thought we 
had gotten the reassurance that this new guidance that included 
the vague term ``optimization'' allowed people to avoid 
consolidating and achieving these savings. Your comment? And 
feel free to expand on what you said in your testimony so it is 
clear for the record why are we concerned about what OMB is 
    Ms. Harris. Absolutely. We are taking significant steps 
backward from where we were even just four years ago. The focus 
and the priority needs to be on consolidation because that 
gives you the large amounts of money that you need in order to 
reinvest back into modernizing agency infrastructure. So that 
is why the number-one priority, when you asked me the top 
three, has to be consolidation of these data centers.
    And with this redefinition of data centers, we are losing 
visibility into 2,300 facilities, and that is a problem because 
agencies are going to lose focus on consolidation as being a 
top priority. In addition to that, there are security risks 
with not monitoring these facilities, even if you are not going 
to consolidate them.
    So we do anticipate -- we have ongoing work right now 
evaluating the OMB guidance. We do expect to issue that report 
sometime soon, and we will make recommendations to OMB which 
will include taking another look at the policy and the 
classification of the data centers. Even if they maintain that 
current definition which excludes 2,300 centers, at this point 
the agency should be keeping a pulse on those that are now lost 
because of the things that I described in my oral statement.
    But again, this is a major issue, and I do look forward to 
working with your staff in order to ensure that we maintain 
this baseline, whether it is through OMB guidance or through 
work that we will do with you.
    Mr. Connolly. Well, I am going to operate on the assumption 
that everybody is highly motivated and of good intention. And 
with that assumption, I am also going to operate on the view 
that this change has unintended but negative consequences.
    Ms. Harris. Yes.
    Mr. Connolly. And with that operative principle, I am going 
to consult with the Ranking Member, and maybe we can work our 
magic like we did at NASA at OMB. But, I mean, this would have 
real consequences. This is where the savings are. If you want 
to effectuate a whole host of things, modernization of the 
enterprise, retirement of legacy systems, upgrading of cyber, 
streamlining management to make it more efficient and 
hierarchical, all of it flows from the ability to effectuate 
these savings, and it is in the billions of dollars. It is not 
    So we have to get this right, and we will gladly work with 
you, and I know my friend will also be part of this enterprise 
to try to make sure OMB understands our concerns, and maybe we 
can get this right before the next FITARA hearing.
    Mr. Meadows, anything else for the record?
    If not, I want to thank our witnesses for being here today. 
I thank everybody for coming. You can see the press table is 
loaded. I don't know what else anyone is interested in today, 
but Mr. Meadows and I, let the record show, are still doing our 
jobs. And I thank our staff for putting through another great 
    This hearing is adjourned.
    [Whereupon, at 3:54 p.m., the subcommittee was adjourned.]