[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                              FITARA 10.0

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 OF THE

                   COMMITTEE ON OVERSIGHT AND REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             AUGUST 3, 2020

                               __________

                           Serial No. 116-110

                               __________

      Printed for the use of the Committee on Oversight and Reform
      
      


                       Available on: govinfo.gov,
                         oversight.house.gov or
                             docs.house.gov
                             
                             
                                __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
41-910 PDF                  WASHINGTON : 2020                     
          
--------------------------------------------------------------------------------------

                             
                   COMMITTEE ON OVERSIGHT AND REFORM

                CAROLYN B. MALONEY, New York, Chairwoman

Eleanor Holmes Norton, District of   James Comer, Kentucky, Ranking 
    Columbia                             Minority Member
Wm. Lacy Clay, Missouri              Jim Jordan, Ohio
Stephen F. Lynch, Massachusetts      Paul A. Gosar, Arizona
Jim Cooper, Tennessee                Virginia Foxx, North Carolina
Gerald E. Connolly, Virginia         Thomas Massie, Kentucky
Raja Krishnamoorthi, Illinois        Jody B. Hice, Georgia
Jamie Raskin, Maryland               Glenn Grothman, Wisconsin
Harley Rouda, California             Michael Cloud, Texas
Ro Khanna, California                Bob Gibbs, Ohio
Kweisi Mfume, Maryland               Clay Higgins, Louisiana
Debbie Wasserman Schultz, Florida    Ralph Norman, South Carolina
John P. Sarbanes, Maryland           Chip Roy, Texas
Peter Welch, Vermont                 Carol D. Miller, West Virginia
Jackie Speier, California            Mark E. Green, Tennessee
Robin L. Kelly, Illinois             Kelly Armstrong, North Dakota
Mark DeSaulnier, California          W. Gregory Steube, Florida
Brenda L. Lawrence, Michigan         Fred Keller, Pennsylvania
Stacey E. Plaskett, Virgin Islands
Jimmy Gomez, California
Alexandria Ocasio-Cortez, New York
Ayanna Pressley, Massachusetts
Rashida Tlaib, Michigan
Katie Porter, California

                     David Rapallo, Staff Director
              Wendy Ginsberg, Subcommittee Staff Director
                       Cameron MacPherson, Clerk

                      Contact Number: 202-225-5051

               Christopher Hixon, Minority Staff Director
                                 ------                                

                 Subcommittee on Government Operations

                 Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of   Jody B. Hice, Georgia, Ranking 
    Columbia                             Minority Member
John P. Sarbanes, Maryland           Thomas Massie, Kentucky
Jackie Speier, California            Glenn Grothman, Wisconsin
Brenda L. Lawrence, Michigan         Gary Palmer, Alabama
Stacey E. Plaskett, Virgin Islands   Ralph Norman, South Carolina
Ro Khanna, California                W. Gregory Steube, Florida
Stephen F. Lynch, Massachusetts
Jamie Raskin, Maryland
                        
                        
                        C  O  N  T  E  N  T  S

                              ----------                              
Hearing held on August 3, 2020

                               Witnesses

Panel 1

Carol Harris, Director, IT Management Issues, Government 
  Accountability Office
Oral Statement
Clare Martorana, Chief Information Officer, Office of Personnel 
  Management
Oral Statement
Jason Gray, Chief Information Officer, Department of Education
Oral Statement
Maria A. Roat, Deputy Federal Chief Information Officer, Office 
  of Management and Budget
Oral Statement

Panel 2

David Powner, Director of Strategic Engagement and Partnerships, 
  The MITRE Corporation
Oral Statement
LaVerne Council, Chief Executive Officer, Emerald One, LLC
Oral Statement
Richard Spires, Principal, Richard A. Spires Consulting
Oral Statement
* Written opening statements and statements for the witnesses are 
  available at: docs.house.gov.

                           INDEX OF DOCUMENTS

                              ----------                              

Documents listed below are available at: docs.house.gov.

  * Report from Interos Solutions re: IT Supply Chain 
  Vulnerabilities; submitted by Rep. Palmer.

  * Questions for the Record: to Maria A. Roat; submitted by 
  Chairman Connolly.

  * Questions for the Record: to Jason Gray; submitted by 
  Chairman Connolly.

  * Questions for the Record: to Clare Martorana; submitted by 
  Chairman Connolly.

  * Questions for the Record: to Carol Harris; submitted by 
  Chairman Connolly.

  * Questions for the Record: to David Powner; submitted by 
  Chairman Connolly.

  * Questions for the Record: to LaVerne Council; submitted by 
  Chairman Connolly.

  * Questions for the Record: to Richard Spires; submitted by 
  Chairman Connolly.

  * Questions for the Record: to Maria A. Roat; submitted by Rep. 
  Hice.

  * Questions for the Record: to Jason Gray; submitted by Rep. 
  Hice.

  * Questions for the Record: to Clare Martorana; submitted by 
  Rep. Hice.

  * Questions for the Record: to Carol Harris; submitted by Rep. 
  Hice.

 
                              FITARA 10.0

                              ----------                              


                         Monday, August 3, 2020

                   House of Representatives
      Subcommittee on Government Operations
                          Committee on Oversight and Reform
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 2:04 p.m., in 
room 2154, Rayburn House Office Building, Hon. Gerald E. 
Connolly (chairman of the subcommittee) presiding.
    Present: Representatives Connolly, Norton, Lynch, Raskin, 
Hice, Grothman, and Palmer.
    Mr. Connolly. Welcome, everybody, to the Subcommittee on 
Government Operations and our tenth hearing on FITARA.
    Before we begin, pursuant to House rules, most members 
today will appear by Webex, remotely. Since some members are 
appearing in person, or at least this member is, let me remind 
everyone that pursuant to the latest guidance from the House 
Attending Physician, all individuals attending this hearing in 
person must wear a face mask. I'm dropping mine only to speak. 
Members who are not wearing a face mask will not be recognized.
    Let me also make a few reminders for those members 
appearing in person. You'll only see members and witnesses 
appearing remotely on the monitor in front of you when they are 
speaking in what is known as Webex active speaker view. A timer 
is visible in the room directly in front of you.
    For members appearing remotely, I know you're all familiar 
with Webex by now, but let me remind everybody about a few 
points. First, you will be able to see each person speaking 
during the hearing, whether they're in person or remote, as 
long as you have your Webex set to active speaker view. If you 
have any questions, contact Committee staff and they will try 
to be helpful.
    Second, we have a timer that should be visible on your 
screen when you're in the active speaker with thumbnail view. 
Members who wish to pin the timer to their screens should 
contact Committee staff for assistance.
    Third, the House rules require that we see you, so please 
have your cameras turned on if you're on remotely on Webex 
during this hearing.
    Fourth, members appearing remotely who are not recognized 
should remain muted to minimize background noise and feedback.
    Fifth, I'll recognize members verbally, but members retain 
the right to seek recognition verbally in regular order. 
Members will be recognized otherwise in seniority order for 
questions.
    Last, if you want to be recognized outside of regular 
order, you can identify it in several ways. You can use the 
chat function, you can send an email to majority staff, or you 
can unmute yourself to seek recognition verbally, though that's 
the least preferable way to do it. Obviously, we don't want 
people talking over each other.
    Let's see. OK. I will begin with my opening statement.
    Mr. Hice, you are on remotely?
    Mr. Hice. Yes, sir, I'm here.
    Mr. Connolly. OK. We're glad you're there. I know you're in 
self-quarantine, and I know you'd prefer to be here physically, 
but I am really glad we have the hybrid remote option so that 
you can participate fully in today's hearing, and hope 
everything's going to be OK. And I'll call upon you as soon as 
I finish my opening statement for any remarks you may have.
    Today marks the tenth hearing examining agencies' 
implementation of the Federal Information Technology 
Acquisition Reform Act, known as FITARA, to track agencies' 
progress in Federal management and procurement.
    I'm happy to announce that this steady oversight has 
produced the first scorecard in which all agencies received a 
passing grade. This achievement is a testament to the hard work 
of Federal agencies' Chief Information Officers, and also a 
testament to, I think, this committee and subcommittee's steady 
and bipartisan oversight of FITARA since we enacted it in 2014.
    This isn't just about passing grades. These grades 
represent taxpayer dollars saved, better mission delivery, and 
serving the Nation more effectively and efficiently. And during 
this pandemic, we've come to realize just how vital good IT and 
strong IT governance are to Federal Government and the people 
we serve.
    We certainly have seen limitations because of lack of IT 
investment, whether it be with the Ethernet system at SBA, 
Small Business Administration, or the struggles of the IRS to 
provide personal checks to all citizens and dependents in 
America. We've also seen limitations in the unemployment 
systems in the 50 respective states. So, it underscores how 
important these investments in this kind of improvement really 
are.
    In November 2015, when we first introduced the FITARA 
scorecard, I said I hoped this would be the second in a series 
of hearings our subcommittee holds to gauge agency progress in 
realizing the transformative nature of FITARA's reforms. Five 
years later, the benefits of continued oversight, I think, are 
clear, and one would be hard-pressed to find a sustained 
bipartisan congressional oversight initiative on its tenth 
installation. These 24 agencies have made real improvements on 
the scorecard--and I think we're putting it up over there on 
that screen--over a period of time.
    In November 2015, the average FITARA grade was a D across 
all participating agencies. This year, for the first time, no 
agency received a D and no agency, of course, received an F. As 
I said before, these improvements represent vital services 
delivered and dollars saved.
    Among the FITARA scorecard categories with the greatest 
impact is the IT portfolio review process known as 
PortfolioStat. This process enables agencies to reduce 
commodity IT spending and demonstrate how IT investments align 
with the agency's mission and business function. PortfolioStat 
went from helping Federal agencies save $3 billion in fiscal 
2015 to $20 billion this fiscal year.
    When the software licensing metric was first added to the 
scorecard in June 2017, 21 out of 24 agencies received an F 
grade for that metric. Now, 23 out of 24 agencies have As and 
have an inventory of software licenses and use that inventory 
to make cost-effective decisions and avoid duplications.
    Federal agencies are also closing and consolidating more 
data centers, resulting in significant cost savings. The 24 
graded agencies have a reported total of $4.7 billion in cost 
savings from fiscal years 2012 through 2019. Those agencies 
have also reported plans to save more than $264 million in this 
Fiscal Year alone.
    At the very first FITARA hearing, a witness stated that IT 
is no longer just the business of the CIO; rather, IT is 
everybody's business. Never has this been clearer than in the 
wake of the coronavirus pandemic, where IT has saved thousands 
of lives by enabling people to telework and keep the government 
and the economy running while preserving their own health and 
safety. We have seen firsthand how the agencies that continued 
to use outdated IT during the pandemic prevented the delivery 
of government services when the public needed them most.
    Back in 2015, I cautioned that the FITARA scorecard was not 
to be considered a scarlet letter but a point-in-time snapshot 
to be able to measure progress and incentivizing. Five years 
and ten scorecards later, we're now at a point in time where 
all agencies have received passing grades, the first time ever. 
FITARA 10.0 marks the point at which we can reflect on five 
years' worth of progress.
    Initially, the FITARA scorecard consisted of four metrics, 
including data center consolidation, IT portfolio review 
savings, incremental project development delivery, and risk 
assessment transparency. Since then, the scorecard's success 
has led this subcommittee to incorporate other aspects of 
Federal IT into the grades.
    Our framework is not rigid, but like the best of IT, it 
evolves. We augmented and changed the scorecard to examine 
other key components, such as cybersecurity, and incorporated 
constructive feedback from agencies and CIOs. Today, the 
scorecard incorporates grades adapted from three additional 
pieces of legislation, including the MEGABYTE Act, the 
Modernizing Government Technology Act, and the Federal 
Information Security Management Act.
    The bottom line is that the FITARA scorecard continues to 
hold agencies accountable and show the American people that 
they deserve the best IT has to offer, yet all agencies still 
have work to do. Today, two-thirds of graded agencies have CIOs 
who report directly to the head or deputy of the agency. It's 
true that more CIOs are finally getting a seat at the table 
with other C-suite positions, but we'll hear from GAO today 
none of the 24 graded agencies have established policies that 
fully address the role of the CIO, as called for by Federal law 
and guidance. We must continue to work to ensure that all CIOs 
have the authority and policies in place to be able to properly 
do their jobs.
    This hearing will discuss which existing metrics have 
achieved their goals and which might need to be considered for 
retirement. We'll also start a careful discussion about what 
metrics might be incorporated in future scorecards to continue 
to improve IT across the government. In other words, we're 
going to continue this scorecard.
    Today I hope to hear from our witnesses at GAO about what 
it takes to continuously improve and use efficient IT 
acquisition and management practices to do that, what powers 
and authorities might CIOs and government need to improve 
government IT, and in return, what transparency and oversight 
will be provided to Congress and the public to ensure those new 
powers are used effectively and efficiently. We must continue 
to see the dividends from putting resources toward modernizing 
legacy systems, migrating to the cloud, and maintaining a 
strong cyber posture.
    With the coronavirus resurging as states pursue reopening, 
the stakes for effectively implementing FITARA are perhaps 
higher than ever. When executed well, government IT 
modernization can ensure the efficient delivery of critical 
services, improve the government's knowledge and decision-
making, and save lives. When executed poorly, it can, 
unfortunately, lead to outright failures in serving the 
American people when they need the government the most. Simply 
put, the fate of the world's largest economy, it's no 
exaggeration to say, rises and falls with the ability of 
government IT systems to deliver in an emergency.
    The importance of Federal agencies' effective use of IT is 
too great to ignore, and this subcommittee will continue its 
oversight of agencies' IT acquisition and management as we move 
forward.
    With that, I call upon the ranking member for his opening 
statement.
    Mr. Hice. Thank you, Chairman Connolly, and thank you for 
holding this hearing today on the tenth FITARA scorecard. As 
you well know, this has literally been a bright spot of 
bipartisan work for this committee, and I look forward 
personally to continuing to see the development of the 
scorecard's usefulness as it relates to Federal IT reform.
    I also would like to take just a moment and give a shout-
out of thanks to the outgoing Federal Chief Information Officer 
Suzette Kent. She's been extremely dedicated in her service, is 
deeply appreciated. As you well know, enhanced CIO authority is 
one of the pillars, literally, of the FITARA, the whole system, 
and Ms. Kent has just done an outstanding job with her 
leadership and enthusiasm to really help drive some of the IT 
modernization efforts that have been outlined in the 
President's management agenda. So, we're grateful for her 
leadership and service, and hope to continue to build upon the 
initiatives that she has championed.
    But, as you shared, Chairman, we are here today to discuss 
the tenth FITARA scorecard. Agencies have really made 
tremendous progress, as you well mentioned, over the past five 
years, and I want to congratulate them on their dedication to 
improve the IT procurement and management processes. A job well 
done.
    Some of the things that we have seen accomplished over the 
last several years include, as you mentioned, Mr. Chairman, 
savings of literally billions of dollars. We have increased 
transparency for risky IT investments and, of course, the 
elevation of the CIO position and authority within the agency.
    So, for all these successes, we are very grateful for what 
has been done, but obviously, there is more yet that needs to 
be accomplished. And I would suggest some of those things, we 
need to continue to update the metrics so that they better and 
more effectively match the IT management and implementation 
practices that are actually being used today.
    Also, I think it's imperative that we, as a committee, put 
in place the right kind of incentives to bring about IT 
modernization at scale as it relates to the pandemic. I think 
this has really highlighted to us and exposed, if you will, the 
heavy reliance that we have on some legacy systems and some 
longstanding technology problems. We need to find ways to get 
agencies to move the needle on some of these crucial issues.
    And I think last, we need some forward-looking, if you 
will, some forward-looking metrics to help modernize government 
as a whole. I think some of those things would include some 
moving forward as it relates to the citizen experience. I think 
you actually referred to that, Mr. Chairman. I think it's 
important that we move in that direction, enhancing the skills 
of the Federal IT work force I think we need to continue 
looking toward, and also just overall moving toward a more 
agile and secure cloud computing environment. All these things 
I think are extremely important that we continue moving toward.
    So, I look forward to hearing from our witnesses today. And 
in advance, I want to say thank you to each of our witnesses 
for being here today. We appreciate your time and your 
expertise that you'll bring to the table.
    With that, Mr. Chairman, I will yield back. Thank you, sir.
    Mr. Connolly. Thank you, Mr. Hice. And I also want to thank 
you personally. You and I have talked about this. This 
subcommittee has always had a strong bipartisan thrust, 
especially on this subject. I worked closely with Darrell Issa 
in writing FITARA. I worked closely with Will Hurd in expanding 
on it and having these hearings on the scorecard, as well as 
with Mr. Meadows, now the chief of staff to the President of 
the United States. And you've pledged to do the same, and I 
really very much appreciate that and look forward to continuing 
to work with you, and hope you are OK and healthy in Georgia. 
Thank you for your remarks.
    Ms. Harris, if you would unmute yourself in order to be 
sworn in, and if our three witnesses who are here in person 
would rise and raise their right hands.
    Do you swear or affirm that the testimony you are about to 
give is the truth, the whole truth, and nothing but the truth, 
so help you God?
    Let the record show that all of our witnesses answered in 
the affirmative.
    Without objection, your written statements will be part of 
the record.
    I now call on Carol Harris, director of IT Management 
Issues at the Government Accountability Office, to give us her 
summary testimony. Welcome, Ms. Harris.

  STATEMENT OF CAROL HARRIS, DIRECTOR, IT MANAGEMENT ISSUES, 
                GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Harris. Thank you, Chairman Connolly, Ranking Member 
Hice, and members of the subcommittee. I would like to thank 
you and your excellent staff for your continued oversight of 
Federal IT management and cybersecurity with this tenth set of 
grades. It's been nearly 5-1/2 years since FITARA's enactment, 
and your scorecard has served as a good barometer to measure 
progress of its implementation.
    During this time period, the agencies have made significant 
progress. In this latest scorecard, there are 1 A, 9 Bs, and 14 
Cs. As you mentioned, this is the first scorecard in which all 
24 agencies received a passing grade. This is huge, considering 
only seven agencies had passing grades in the first scorecard. 
In addition, the agency with the greatest transformation has 
been the Department of Education, moving from an F to a B-plus.
    I'll focus my remarks on a lookback on the progress made 
since scorecard one, where things stand now, and where we need 
to go.
    First, agency progress made. I'll start with incremental 
development. The number of major IT projects utilizing 
incremental development has increased from 58 to 76 percent. In 
addition, the level of transparency on the dashboard has 
improved, with 61 percent of major projects being reported as 
red or yellow, as compared to 24 percent with the first 
scorecard. We've also seen dramatic improvements in the 
agencies' management of software licenses, going from two A's to 
23. And the number of CIOs with direct reporting to the agency 
head has increased from 11 to 16.
    To date, the agencies have also closed more than 6,300 data 
centers and saved just shy of $20 billion through OMB's 
PortfolioStat initiative. The progress made in all of these 
areas would not have happened to this extent without your 
scorecard and oversight.
    While these accomplishments are indeed noteworthy, 
significant actions remain to be completed to build on this 
progress, and this brings me to my next point on where we're 
at.
    One-third of the agencies' CIOs still aren't reporting to 
the agency head. CIOs have told us that this reporting 
structure is critical to carry out their responsibilities. It 
gives CIOs a real seat at the management table, and it will 
likely help to attract more qualified individuals to these 
positions over time.
    In addition, about half of the agencies have not 
established working capital funds for use in transitioning from 
legacy IT systems. Roughly 80 percent of the over $90 billion 
spent annually on Federal IT is on operations and maintenance, 
including on aging legacy systems. Establishing these funds is 
so critical so that the savings from software licenses, data 
center optimization, and PortfolioStat can be reinvested in 
agency IT modernization priorities. If each of these agencies 
did these two things, the grades would be 4 As, 15 Bs, and 5 
Cs. These two actions and the associated higher grades are 
achievable by the next scorecard.
    Now turning to data centers. We remain concerned about 
OMB's current guidance which revised the classification of data 
centers and data center optimization metrics. For example, 
OMB's new data center definition excludes more than 2,000 
facilities that agencies previously reported on. Many of these 
excluded facilities represent what OMB itself has identified as 
possible security risks. The changes will likely slow down or 
even halt important progress agencies should be making to 
consolidate, optimize, and secure their data centers.
    Finally, regarding where we need to go scorecard-wise, the 
preview of the Federal EIS telecommunications transition will 
draw urgent attention to an area that has historically been 
neglected by the agencies. For example, had the prior telecom 
transition occurred on time, agencies could have saved $330 
million. And as I testified before you earlier this year, the 
agencies are behind schedule and could again be missing out on 
hundreds of millions in savings. Your scorecard will be an 
effective means for holding agencies accountable and ensuring a 
timely transition.
    Mr. Chairman, this concludes my comments, and I look 
forward to your questions.
    Mr. Connolly. Thank you, Ms. Harris, and I look forward to 
those questions as well.
    Clare Martorana. Have I got that right, Clare?
    Ms. Martorana. Close, sir. Martorana.
    Mr. Connolly. Martorana, forgive me. You are recognized for 
five minutes.

STATEMENT OF CLARE MARTORANA, CHIEF INFORMATION OFFICER, OFFICE 
                    OF PERSONNEL MANAGEMENT

    Ms. Martorana. Chairman Connolly, Ranking Member Hice, 
members of the subcommittee, thank you for the opportunity to 
discuss the status of information technology at the Office of 
Personnel Management, and to provide thoughts on the future of 
FITARA.
    I joined OPM in February 2019 as the seventh CIO in seven 
years and entered an agency with several key challenges: 
Critical staffing vacancies, antiquated and fragile technology, 
and a charge to fully transition the IT systems for National 
Background Investigation Bureau, now DCSA, to the Department of 
Defense, which we hope to complete this fall.
    As a new Federal CIO coming from the private sector, 
admittedly, this is a complex operating environment. Meeting 
and balancing numerous executive, legislative, and oversight 
requirements while working in an uncertain and inflexible 
budgetary cycle is quite challenging. However, I'd like to 
focus on what's possible, because that's what OPM's employees 
and the American people deserve.
    One of the first authorities I learned about was FITARA. As 
CIO, it provides me with an operating framework and a mandate 
to make enterprise IT decisions and strategic investments that 
make best use of taxpayer dollars. I have received a steady 
stream of support from OPM leadership and--I'm sorry. I have 
received a steady stream of support from OPM leadership to meet 
the provisions of FITARA by establishing an agencywide 
enterprise IT strategy. We anticipate working with program 
offices and enabling organizations as we move forward in this 
direction.
    We are extremely proud of raising OPM's FITARA score to a 
C-plus. With only one net new hire and no increase in 
incremental funding, we have been able to make significant 
progress and show people within OPM what is possible, like 
rolling out new laptops across the organization and moving to 
cloud email. This has enabled us to continue meeting our 
mission while supporting DCSA employees and contractors in a 
maximum telework environment during the pandemic.
    Just a few weeks ago, the dedicated CIO team successfully 
migrated our mainframe platform from the Teddy Roosevelt 
Building here in D.C. to a commercial data center. OPM and DCSA 
systems are now fully operational in a new modern environment 
with continuity of operations in place. Once we transition the 
daily IT operations of this important national security mission 
to our colleagues at the Department of Defense this fall, OPM 
will be able to focus on OPM's mission and begin our digital 
modernization journey.
    Now I'd like to touch on a few enhancements to FITARA that 
could drive digital modernization at OPM and across government. 
The first is funding flexibility. OPM's legacy funding model 
with seven funding streams for CIO creates incredible 
complexity and inflexibility to address our IT challenges. By 
standing up a working capital fund with transfer authority 
dedicated to IT enterprise investment and CIO oversight and 
authority over this funding, we will create enterprise 
efficiencies and measurable cost avoidance.
    Also, modern technology, because Federal employees deserve 
the tools I've had the benefit of using in the private sector. 
Attracting, retaining, training and reskilling our work force 
with a customer-first mindset, utilizing agile development, 
modern tools, and modern technology is essential.
    Our modernization strategy begins with upgrading our 
existing paper-based processes and workflows with modern 
electronic equivalents, allowing us to retire end-of-life 
systems. All of these are possible if we work on modernizing 
OPM together and giving OPM's customers the 21st century 
experience that they deserve.
    I look forward to working on this digital modernization 
journey together. Thank you for the invitation, and I look 
forward to your questions.
    Mr. Connolly. Thank you, Ms. Martorana. Martorana. 
Martorana, excuse me.
    Mr. Jason Gray, Chief Information Officer of the Department 
of Education, you are recognized for five minutes.

STATEMENT OF JASON GRAY, CHIEF INFORMATION OFFICER, DEPARTMENT 
                          OF EDUCATION

    Mr. Gray. Thank you, Chairman Connolly, Ranking Member 
Hice, and members of the subcommittee, for this opportunity to 
appear before you today to talk about the progress the 
Department of Education has made in implementing FITARA. I 
would also like to thank you for your continued support and 
commitment to improving IT management across the Federal 
Government.
    I appreciate the support I received from Secretary DeVos 
and Deputy Secretary Zais. It has been critical to the 
Department's FITARA implementation. I also want to thank my 
colleagues in Federal Student Aid, the assistant secretaries, 
and everyone in my office for their continued hard work, 
commitment, and dedication.
    I'd like to briefly share an update on our IT modernization 
efforts and describe the impact FITARA has had on my ability to 
effectively manage the Department's IT.
    In my June 2019 testimony before this committee, I shared 
that the Department had just completed a massive wholesale 
modernization of our IT infrastructure. This effort transformed 
the way my office delivers IT services to the Department. 
Within a five-month timeframe, we migrated over 450 terabytes 
of data into a secure cloud environment and replaced 
approximately 5,000 laptops with newer high-performing models. 
Our users went from experiencing 20 minutes of laptop boot-up 
time to less than a minute, which translates into a return on 
investment of more than 1,500 hours of previously lost 
productivity per day.
    The cloud environment enabled us to reduce the Department's 
service storage cost from $1.43 per gigabyte to 12 cents per 
gigabyte. The Department anticipates saving approximately $20.5 
million over a five-year period as a result of this initiative.
    While the Department will realize cost savings, the true 
value of the modernization initiative was in our ability to 
quickly adapt and respond to the Department's needs throughout 
the pandemic. Due in large part to the modernization, we have 
been able to support a 100 percent remote work force with minimal 
impact. When our PIV issuance process was suspended due to 
staff not being able to come into the office, we were able to 
quickly evaluate and implement within days, not months, a 
solution to virtually onboard more than 300 new employees and 
contractors to date.
    By fully embracing the cloud, we were also able to complete 
a massive technology refresh of 28 major systems, more than 700 
servers, and over 500 terabytes of data over a single weekend, 
with no impacts to IT services. In a traditional environment, 
this would have taken us weeks to accomplish. Without FITARA, 
we would not have been able to complete the massive IT 
modernization initiative last year and certainly not within the 
timeframe I described.
    It was through the reporting relationship I have with 
Secretary DeVos and the relationships we have built across 
functional areas that I was able to drive the Department's IT 
priorities to achieve our IT modernization goals. The 
initiative was a cornerstone of our five-year IT modernization 
plan and strategic roadmap, and I'd like to thank you for 
providing us with the opportunity, following my testimony last 
year, to brief Representatives of this committee on it.
    When we originally developed our modernization plan and 
strategic roadmap, we identified shadow IT, redundant or 
duplicative systems, and manual or obsolete processes. The 
institutionalization of FITARA in the Department's governance 
process has provided me with the mechanisms to continually 
assess and rationalize our IT portfolio and adjust our plans 
accordingly, from strategically aligning our IT resource 
management plans with the requirements of the Foundations for 
Evidence-Based Policymaking Act of 2018 to prioritizing 
investments to comply with the 21st Century Integrated Digital 
Experience Act, or evaluating the use of shared services for 
capabilities such as grants management to the rapid response 
actions required to address emergency cybersecurity directives 
from DHS. I am able to achieve a level of visibility necessary 
to understand the impact to the Department's IT resources.
    While we have made significant strides in our FITARA 
maturation and IT modernization initiatives, the Department 
continues to seek Congress' assistance with the establishment 
of a working capital fund. We coordinated with OMB and Congress 
to obtain appropriations language that would allow us to 
transfer funds to a working capital fund and included the 
request in our President's budget request for both 2020 and 
2021. I respectfully request your assistance with obtaining 
this transfer authority to further enhance the Department's 
ability to achieve the goals of FITARA.
    In conclusion, the Department has established a solid 
FITARA framework and has clearly demonstrated our ability to 
leverage it in support of the Department's mission. But we do 
recognize that FITARA and IT modernization is a journey and 
it's important to continually improve.
    I thank you for your time today, and I look forward to your 
questions.
    Mr. Connolly. Thank you, Mr. Gray. It's good to have you 
again giving us a year later progress. We certainly will try to 
work with you on that transfer authority, so work with us on 
that.
    Our final participant in this panel is Maria Roat--is that 
correct?
    Ms. Roat. Yes, sir.
    Mr. Connolly [continuing]. Who's the Deputy Federal Chief 
Information Officer at the Office of Management and Budget. 
Welcome.

 STATEMENT OF MARIA A. ROAT, DEPUTY FEDERAL CHIEF INFORMATION 
            OFFICER, OFFICE OF MANAGEMENT AND BUDGET

    Ms. Roat. Thank you. Chairman Connolly, Ranking Member 
Hice, and members of the subcommittee, thank you for the 
opportunity to discuss FITARA and how we can continue to drive 
and sustain governmentwide IT modernization.
    I joined OMB eight weeks ago as the Deputy Federal Chief 
Information Officer, bringing a career of Federal and military 
technology experience and an agency perspective to my role. 
Throughout my career, I have seen firsthand the value of 
investing in modern scalable solutions and how taking prudent 
risk, collaborating, brainstorming, and sharing ideas and 
concepts drives change. And I have experience as a CIO and know 
how a strong partnership with and commitment from an agency's 
business stakeholders can improve how the government meets its 
mission and serves the American public.
    COVID-19 put a spotlight on digital transformation and the 
need to adapt quickly. Every agency worked at never before 
experienced levels of telework and sustained performance by 
leveraging capabilities already in place. There was a sense of 
urgency, and CIOs were entrepreneurial, creative, innovative, 
and agile.
    Since the first FITARA scorecard, technology investments in 
cloud, in infrastructure enabled an overall seamless transition 
to telework. Simultaneously, CIOs were positioned to rapidly 
deploy and leverage scalable platforms for digital service 
delivery for COVID response activities. They leveraged 
microservices to quickly stand up new public-facing portals and 
switched to video teleconferencing for telehealth and benefits 
interviews and to engage with their customers.
    CIOs deployed virtual desktops to replace the purchase of 
costly hardware for surge employees. And the CIO Council 
identified areas for future investments and improvements where 
we need to address gaps or move faster. We must keep the 
momentum. Agencies were able to move fast, innovate, and 
implement changes for more digital interoperability. There is a 
shared interest across all levels of government, Congress, the 
executive branch and the administration, to continue technology 
improvements.
    The Technology Modernization Fund and IT working capital 
funds and their multi-year funding approaches are two programs 
instrumental in improving, retiring, or replacing legacy 
systems. We must do more to drive sustained long-term 
transformation and ensure digital first as we add value and 
service delivery.
    Throughout my career, I've had the honor to lead and work 
side by side with amazing innovators and technologists, public 
servants working for the Federal Government. Today, over 2 
million civilian personnel use technology to carry out their 
job.
    Just as importantly, as we consider any technology 
investment, we should also remember that the people charged 
with using those solutions must also be skilled in the use of 
technology. As the pace of capability and threat continues to 
accelerate, we must invest in our work force to keep their 
skills relevant.
    The CIO Council continues to invest in the IT work force 
and is building on last year's success with the Federal Cyber 
Reskilling Academy to launch this month a similar training 
program in data science. This summer, we are holding, 
virtually, the third annual Women in Federal IT event, where 
women in leadership positions across the Federal Government 
share stories and provide on-the-spot mentorship and career 
advice to emerging leaders. We graduated two cohorts from the 
robotic process automation reskilling course, and in September, 
we will graduate 20 people from the CIO and CISO SES Career 
Development Program.
    As we focus today on the tenth edition of the FITARA 
scorecard, we must adapt to the ever-changing technology 
landscape and, likewise, adapt the scorecard. I look forward to 
collaborating with you to further refine the scorecard to 
support sustained, long-term modernization and drive 
innovation.
    Thank you for the opportunity to speak with you today, and 
I look forward to your questions.
    Mr. Connolly. Thank you, Ms. Roat. I appreciate that. I 
find myself in agreement with everything you've said. It is 
good to learn that the administration has decided to embrace 
telework in light of the pandemic, given the fact that the 
administration was actually cutting back on telework the last 
two years.
    And with respect to retiring legacy systems and the need 
for the Technology Modernization Fund, I also find myself in 
agreement, but we need the administration to make a robust 
request in the budget if we're going to make progress on the 
TMF.
    The chair now calls on the distinguished Congresswoman from 
the District of Columbia for her five minutes of questions. 
Welcome, Ms. Norton.
    Ms. Norton, are you there? Ms. Norton?
    Mr. Lynch, are you there?
    Ms. Norton. I'm here.
    Mr. Connolly. You're there. OK, great. Sorry about that. 
Eleanor, just speak up a little bit.
    Ms. Norton. All right. I'm sorry. I punched the wrong 
button.
    Mr. Connolly. There you go. There you go.
    Ms. Norton. Thank you very much.
    And, Mr. Chairman, I want to thank you for this annual 
hearing. It's very important to have been brought up to date, 
as you have allowed our witnesses to do.
    Now, the FITARA says--and I'm quoting it now--that CIOs 
have a significant role in the decision processes of the 
management, governance, and oversight processes related to 
information technology. Well, I would have thought that they 
have a major role to play in an agency overall, and I 
understand that IT is now baked into policy design and 
implementation.
    This question is for Ms. Harris. There are CIOs that do not 
report to agency heads and, of course, if they don't, they're 
unlikely to play that key role that we spoke about. Well, who 
doesn't and why don't all of them now report?
    I think it was perhaps in your testimony or the testimony 
of one of you that one-third do not report to the agency head. 
I'd like to know why. I understand that there's a minus and a 
plus that you can look to see whether people are reporting, but 
I don't understand what determines or how agencies determine 
what this committee has long said would be helpful.
    Ms. Harris. That's correct, ma'am. About one-third of the 
agency CIOs do not have direct reporting mechanisms to the 
agency head, and that is a problem, because agency CIOs have 
reported to us that that reporting structure is very critical 
to allowing them to carry out their responsibilities.
    Ms. Norton. Well, Ms. Harris, would you explain to the 
committee what would be the resistance so that we can work with 
agencies? Why would an agency not want everybody in the room?
    Ms. Harris. Honestly, I think it, in large part, has to do 
with agency culture, and being able to change that culture so 
that the CIO does have that seat at the table is vitally 
critical. So, it's going to take work with the senior leaders 
within those agencies to empower those CIOs, change those 
organization charts so that those CIOs have direct reporting 
capabilities, and work with you all as well to ensure that that 
happens.
    Ms. Norton. I'd like to work with the chairman on making 
sure that there is no resistance. In the 21st century, you 
would have thought that having the CIO at the table would just 
be a given. So, I really don't understand the resistance to it, 
and believe that the committee could be helpful in either 
requiring, through legislation or through regulation, that the 
CIO be at the table.
    This is a question, I suppose, for Ms. Roat, and it has to 
do with the recruitment of and attrition of IT staff. Are these 
staffers valuable outside of the public sector, Ms. Martorana 
or Ms. Roat? Is there great competition for these staffers? I'd 
like you to discuss that. Then I'd like you to tell the 
committee what we could do to help attract and keep Federal IT 
workers.
    Ms. Roat?
    Ms. Roat. Yes, ma'am. Thank you for your question. For the 
work force, it is hard to attract work force to the Federal 
Government and, in turn, folks that we do train in the Federal 
work force do go to the private sector and make more money.
    What attracts people to the Federal Government is the 
ability to focus on a mission, whether you're working for the 
Department of Energy or Transportation or DHS or NASA. People 
are excited about the mission, and that's what draws people to 
the Federal Government. As a CIO, I've had experience with that 
where people want to come on board, and I've had some 
incredible talent. Other CIOs have had the same experience.
    But to your question, it is hard to get people in, but once 
you get them in, the folks that want to come in, they want to 
stay. They love what they do. And when people leave the Federal 
Government, they may go back to private industry, get more 
experience, maybe they make more money, and then turn around 
and come back to the Federal Government.
    But, again, we continue to explore flexibilities in hiring, 
compensation, and looking at ways to build skills. As I said in 
my opening comments, we've done a lot for the Federal work 
force so far through the CIO Council on data science, on 
cybersecurity, and we're going to continue to build on those 
skill sets so that we can maintain that work force. So, it's 
not only just attracting new workers, but maintaining and 
educating our current work force.
    Ms. Norton. Finally--I'd just like a moment, Mr. Chairman--
is pay a salient issue here in keeping people in the Federal--
IT workers in the Federal work force?
    Ms. Roat. For folks, for people that are working in the IT 
world that are coming into the Federal Government, they can get 
compensated much more on the private sector.
    Ms. Norton. We might have a look at that also, Mr. 
Chairman. Thank you very much. My time has expired.
    Mr. Connolly. Thank you, Congresswoman. And let me just say 
in response to your query about CIOs, I couldn't agree with you 
more. When we wrote FITARA, there were 250 people spread out 
over 24 agencies with the title CIO.
    I asked the private sector, Ms. Martorana, how many CIOs do 
you have? And almost 100 percent the answer is one. So, we've 
got a lot of work to do. We didn't mandate there shall be one 
CIO. We allowed it to evolve that one CIO was sort of primus 
inter pares, first among equals, who reported to the boss. But 
if we need to strengthen that, we will. We'll also be guided, 
Ms. Harris, by GAO's counsel on that matter as well. But we are 
making progress.
    And listening to the testimony today, you've got 
relationships with the head of the agency, and that makes all 
the difference in the world, the empowerment from the boss. But 
it's something we are very mindful of, and I thank the 
distinguished Congresswoman for bringing further attention to 
it.
    The chair now recognizes the distinguished ranking member, 
Mr. Hice, for his five minutes.
    Mr. Hice. Thank you very much, Mr. Chairman.
    Ms. Roat, I'd like to ask you this. One of the things that 
I have discovered in becoming more and more familiar with this, 
it seems like one of the current metrics measures how much of 
an agency's portfolio is high risk. The issue that I have found 
is that there's no definition of what high risk is, at least 
not that I've been able to determine.
    When I think of high risk, I think of things like 
vulnerability to cyber attacks, but what I found out is that 
high risk means something else to others. It may mean whether 
or not a system is able to be delivered on time and at budget 
and, if not, it's at high risk.
    So, my question, really, is there any uniform and 
comparable kind of way for agencies to define what we all mean 
by high risk, so that we're all on the same page?
    Ms. Roat. Thank you for the question. As you look at the 
programs and the portfolios across the Federal Government, 
those programs that are high risk, GAO does look at programs 
that are high priority, the high priority programs, and there 
are different definitions, including high-value assets.
    So, when you're looking at those systems that are at high 
risk, are those the systems that are the oldest in the Federal 
Government that perhaps need to be modernized or are they high-
priority programs that are high visibility and have to be and 
are critical to the Federal Government. So, as we're looking at 
the definitions, there are separate definitions, whether it's 
high-priority programs, high-value assets that are critical to 
the Federal Government, or those programs and those systems 
that are high risk in the Federal Government. So, there are 
different characterizations that are used in different reports.
    Mr. Hice. And to me, that's part of the problem. Is there 
any kind of way of getting a uniform understanding of what 
we're talking about on high risk? Because you just mentioned 
about three or four different things that come under that 
category. So, what--or even just to prioritize the high-risk 
categories so we know if the high risk is any of the things 
that you mentioned or if it's cyber vulnerabilities or 
whatever. Can we and should we kind of focus this definition a 
little more tightly?
    Ms. Roat. Yes, sir. We should take a look at that to make 
sure that we're aligned on the definitions and that we're all 
speaking on the same page as we're looking at the definitions 
of programs across the Federal Government. I mentioned three 
with three definitions on that, where, you know, GAO is using 
the high-priority programs and some of the other ones. So, I 
agree with you, we should take a look at that and make sure 
that we're all in alignment.
    Mr. Hice. OK. I agree. Let's try to move forward on that.
    Also, another thing that has come up, when it comes to 
legacy IT, the current scorecard does capture whether or not an 
agency has a working capital fund, but it does not deal with 
whether or not any of those funds are being used to modernize 
old systems.
    So, my question really is, what kind of metrics can we add 
to the scorecard to incentivize agencies to make these kind of 
IT overhauls that need to be made? We've got to make the 
transition.
    Ms. Roat. I agree with you. It is imperative that we 
continue to modernize. The IT working capital fund is one of 
those programs that allows agencies to have that long-term 
sustained investment in technology that is incredibly--that's 
critical to modernizing. So, the IT working capital fund, where 
you can have multi-year dollars within those, that's the 
intent, is to modernize those legacy systems and really drive 
that modernization over multiple years.
    Where you have legacy systems and programs, being able to 
invest that over multiple years is the way you get out of, you 
know, that technical debt and you continue to move the ball 
forward on that. So, with the Technology Modernization Fund and 
the IT working capital fund, those are two critical programs 
for agencies to sustain long-term modernization.
    Mr. Hice. OK. Thank you.
    My last question will kind of deal with the customer 
service aspect. More and more we're having people who are 
involved in coming to the government digitally. What about, how 
can we put this type of metric in future scorecards to make 
sure that we are providing the customers what they need?
    Ms. Roat. Thank you for that. There's--with the IDEA Act, I 
think there's an opportunity to really look at the customer 
experience. That was the intent of the 21st Century IDEA Act--
the customer experience and how they interact with the Federal 
Government. And there's a number of requirements in there, from 
e-signatures to 508 to enabling an easier customer experience 
with the Federal Government.
    So, I look forward to working with you and the committee on 
understanding what are some good metrics on that, because that 
is a perfect example of a metric that could evolve over time as 
agencies are continuing to improve their websites and their 
customer experience with the American public.
    Mr. Hice. Thank you very much. I yield back.
    Mr. Connolly. I thank the gentleman.
    And that's a good point, Ms. Roat. We'll be glad to work 
with you on that.
    Before I call on Mr. Lynch for his five minutes of 
questioning, Ms. Harris, did you want to address the question 
Mr. Hice raised about what falls under the penumbra of high 
risk on the scorecard?
    Ms. Harris. Sure. So, high risk is defined by each of the 
individual agencies. So, it could be cost, a certain cost 
threshold. It could be a high-value asset. There are a number 
of ways that agencies do define what they consider to be high 
risk.
    And I think that having--I think OMB would play an 
excellent role in having a more uniform decision or even having 
perhaps a watch list of the 10 to 20 top critical IT 
investments across the government would be an excellent way to 
be able to focus and hone down what those high-risk investments 
are. We have work for this committee, looking at the top 10 to 
20 mission-critical IT acquisitions across the government where 
we have put together the list for you. That report will be 
coming out in September. We would be happy to work with OMB to 
perhaps use that list as a jumping-off point to have another 
working list for OMB and the executive branch agencies to work 
from.
    Mr. Connolly. I would just say a word of caution. When we 
began this category, there were agencies that claimed they had 
no high-risk projects, none. No, everything is fine, nothing to 
look at here. We needed to get out of that protective defensive 
mode, candidly, to say, hey, these are high risk for these 
reasons and we're going to monitor them so that they don't go 
awry, but if they do, we'll take quick action.
    Because that was part of the problem FITARA was trying to 
address, that we had these long multi-year, multi-billion-
dollar systems integration projects, and nobody felt empowered 
to pull the plug if the milestones weren't being met. In fact, 
there weren't always milestones. And we were trying to make 
sure that we didn't make a bad thing worse.
    In the private sector, if something goes awry, the CEO 
says, pull the plug, we're going to move on, we'll try 
something different. A little harder to do in the public 
sector, because everybody wants to know why did you waste the 
money? But nothing is improved by doubling down on something 
that's not working.
    So, high risk really matters and getting it right really 
matters, and we don't want unwittingly to change the definition 
so that we go back to the old days of everything's fine, 
because the point isn't to ding on people because it's bad, it 
is to capture something going awry before it goes off the 
cliff.
    But I thank you, Mr. Hice, for raising it, because I think 
some uniformity of understanding probably would be a good 
thing.
    Mr. Lynch, I'm sorry to impose on your time. Welcome.
    Mr. Lynch. Thank you very much, Mr. Chairman.
    I want to follow up on that sentiment, because you and I 
know, as longtime members of this committee, that, you know, 
it's been a history of we don't have any problems over here, 
we're good, until there's a blowup like we had at OPM when 22 
million records went out of people who were applying for 
security clearance and others that were in government as well. 
So, we saw the disasters. So, I approach this with a little bit 
of skepticism, just healthy skepticism. I'm happy to hear the 
good reports, don't get me wrong, but I've been here too long 
to believe all of that.
    So, I want to ask about--you know, let's go to Mr. Gray. 
You know, I read recently a pretty good story in The Washington 
Post that talked about thousands and thousands of borrowers of 
student loans whose personal information, their Social Security 
numbers, their detailed financial information was left exposed 
by the Department of Education for like six months. And it had 
all their personal--you know, these were people looking for 
some relief. Either they had been taken advantage of or 
exploited by for-profit universities, those type of cases. So, 
they had to basically open the kimono of these applicants who 
were looking for relief, and yet we left all their information 
available to whoever would tap into it. So, that's one issue I 
got. I'd like to hear from Mr. Gray on that.
    Then on OPM, I noticed the grade is a C. And given the, you 
know, history here--and we all know what it is, I mean, just 
horrific, horrific, and OPM had not even encrypted Social 
Security numbers. It was just an unmitigated disaster, and we 
continue to suffer from that today because of all the people we 
exposed who had asked for security clearance, right? Those are 
the people that do some of the most sensitive work in our 
government, and they were all exposed because of the lack of 
cybersecurity at OPM.
    So, I'd like to hear from Mr. Gray and also someone who can 
speak on behalf of OPM as to why they only have a C at this 
point. Thank you.
    Mr. Connolly. We'll ask Mr. Gray to go first, and then 
we'll call on Ms. Martorana.
    Mr. Gray. So, thank you for that question. I will share 
that that article is incorrect. The Department did not leave 
that open for many months. What really happened was that we had 
a situation where a file share was inadvertently left open to 
internal Department only employees. As this was briefed on 
Friday, there was no external access. It was not open. It was 
one element. We did report, as required, through OMB Memo 20-
04.
    It is a low-risk incident. And as I briefed this committee 
on Friday, it is a situation like being in a bank where a bank 
has a vault. Every employee that can go into that vault is a 
trusted employee. Every person that works at the Department is 
vetted. They have fingerprints. They have user agreements. They 
have annual cybersecurity and privacy awareness training, 
records management training.
    This is a situation where an employee actually recognized 
that a safety deposit box in that vault that external people 
could not get to was unlocked. It should not have been 
unlocked.
    Mr. Lynch. Mr. Gray, hold on for a second.
    So, did every single person have a need to know in each of 
those cases, or was it looser than that?
    Mr. Gray. Every employee is vetted to be able to access 
information and, no, not every employee needed to access that. 
And as of this morning----
    Mr. Lynch. OK. That's all. You need to tighten that up. So, 
you need to tighten that up, right?
    Mr. Gray. Absolutely, and we absolutely did.
    Mr. Lynch. It's not exactly what the Post led me to 
believe, but we can tighten it up, right?
    Mr. Gray. Yes, Congressman, we can, and we have.
    Mr. Lynch. OK. So, let me go--I only have a minute left, so 
let me go to Ms. Martorana on OPM, please.
    Mr. Connolly. You need to turn on--thank you.
    Ms. Martorana. Sorry. Thank you for the question.
    We continue to work diligently at OPM to upgrade our 
infrastructure, upgrade our overall cyber posture. We are 
struggling with our staffing. We are struggling to make sure 
that we have appropriate staff levels to support all of the 
systems that we are maintaining.
    One of the biggest challenges that we do have is we are 
still supporting our Department of Defense colleagues as we are 
decoupling our systems. So, we are still, on a daily basis, 
operating DCSA, the national background investigation systems, 
on all of their daily operations, as well as all of the laptops 
and their desktop support services, et cetera.
    So, as we are able to hand that mission fully over to the 
Department of Defense and focus singularly on OPM, that will 
give us the opportunity to be able to focus on OPM's core 
mission and upgrade all of the services that we deliver to our 
own mission.
    Mr. Lynch. OK. That's a fair answer.
    Thank you, Mr. Chairman, for your indulgence. I really 
appreciate the courtesy. Thank you.
    Mr. Connolly. Mr. Lynch, if I could follow up on that 
question, I understand the sequencing with the Department of 
Defense; but when we go back to the original breach, and you 
weren't there, part of the problem was that we had software for 
cyber protection, Einstein, and there was Einstein 2 which had 
not been installed. Now, that has nothing to do with the 
Defense Department.
    That's a management issue about getting around to it, 
prioritizing. I wonder if you want to take a moment to try and 
reassure Mr. Lynch and the rest of the subcommittee that that 
attitude has changed, that, in fact, we are prioritizing cyber 
and protecting our databases at OPM.
    Ms. Martorana. Yes. I can assure you that the rigor and 
discipline within the current OPM team is extraordinary. We 
would not have been able to execute something as complex as our 
mainframe migration without having a disciplined management 
team and extraordinary CIO team that is doing a diligent job on 
a daily basis.
    Can we do better? We can always do better, right? IT is one 
of those areas where you can always improve; but the team is 
extraordinary, and we work utilizing every single tool and 
asset available to us.
    Our cyber team and our CISO are extraordinary, and we do 
everything possible to safeguard every single asset within our 
environment. We utilize the best tools of the Federal 
Government, including DHS, to support us, the perimeter of OPM. 
So, I think you can rest assured that at this time all 
safeguards and standards are being operated at the highest 
level.
    Mr. Connolly. Thank you.
    And thank you, Mr. Lynch.
    The Chair now recognizes----
    Mr. Lynch. Mr. Chairman, thank you.
    Mr. Connolly. Thank you.
    The Chair now recognizes our returning colleague, the 
gentleman from Alabama, Mr. Palmer, for five minutes.
    Mr. Palmer?
    Mr. Palmer. Can you hear me now?
    Mr. Connolly. Yes, sir, we can. We can't--is your video on, 
Mr. Palmer?
    There you are.
    Mr. Palmer. It is.
    Mr. Connolly. There you are.
    Mr. Palmer. You got me? All right.
    Well, first of all, I want to compliment Mr. Lynch on his 
library. That's impressive.
    Mr. Connolly. I hear he rents it.
    Mr. Palmer. He rents it.
    Ms. Harris, there was a 2018 report submitted before the 
U.S. China Economic Security Review Commission that found that 
the Federal Government's top seven IT providers sourced over 51 
percent of its materials from China since 2012. And I just want 
to ask you if you think that this poses a significant economic 
and national security risk.
    Ms. Harris. Yes, sir. This is significant, a significant 
risk to national security. We had work ongoing for this 
committee related to the IT cyber supply chain, and the vast 
majority of the agencies have not instituted proper supply 
chain internal controls. This is a major issue. We're going to 
be making more than a hundred recommendations associated with 
this. But it does pose a significant threat to our Nation.
    Mr. Palmer. Well, and I bring this up, Mr. Lynch raised the 
question about the breach at OPM, that I think there are still 
issues with that, with that information, the personal 
identification information that's still out there.
    What would be the budgetary impacts of shifting Federal 
technology acquisitions away from China?
    Ms. Harris. Sir, I'm not in a position to answer that 
question. We have not done work specific to that, 
unfortunately, so I'm not in a position to answer that with 
specific facts.
    Mr. Palmer. Ms. Roat, would you at OMB have an idea about 
that?
    Ms. Roat. No, sir, I do not.
    Mr. Palmer. Well, I think that's something that we need to 
get an estimate on. I think we're talking--there's a tremendous 
amount of talk about shifting the supply chain out of China, 
particularly when it comes to drugs and materials that are 
critical to our economy and to our national defense.
    And the fact that--I think, Ms. Harris, you're the one a 
few minutes ago that said that we spend 80 percent of our 
budget on maintaining antiquated systems. Is that correct?
    Ms. Harris. Yes, that's correct.
    Mr. Palmer. And then 51 percent of that is sourced from 
China, I think. So, I think this is something--and I'm going to 
make this request to Ms. Roat and to Ms. Harris that either 
your agencies come up with the estimate or you work together to 
come up with that estimate--if I need to, Mr. Chairman, I'll 
put that in writing; but I think we need to know what it would 
cost us to shift our IT supply chain away from China.
    So, I would appreciate it if we could get a response from 
you and let us know when you start working on it.
    The Commission also recommended Congress to establish a 
comprehensive national security supply chain management 
strategy. It further recommended that direct statistical 
agencies, such as the Census Bureau, review methodologies for 
collecting and publishing deeply detailed supply chain data to 
better document the country of origin for imported goods from 
China, including imports related to our Federal IT system.
    And this is for all of the witnesses. Are you aware, are 
any of you aware of any current actions that the Federal 
Government is taking to implement these recommendations?
    Ms. Harris, let's start with you.
    Ms. Harris. Sir, I don't--that work is out of the scope of 
what I am doing for this committee. So, I'll have to take that 
for the record to see if there's a better expert within GAO to 
answer that for you.
    Mr. Palmer. OK. Mr. Gray? Well, that would be outside of 
your area of expertise, too.
    I'll go to Ms. Roat. Do you know where we are on that?
    Ms. Roat. Right now we are working very closely with 
agencies to take a look at their supply chain, currently 
briefing them out on the requirements of section 889, but, 
again, working very closely with the agencies to understand 
their footprint and what the impacts are on that. So, that work 
is ongoing and will continue.
    Mr. Palmer. Is it specific? Are there specific--is there 
specific work being done on the IT systems?
    Ms. Roat. Again, we're working with the agencies to 
understand, as you alluded to, what the impact is and 
understanding if there's equipment that needs to be replaced, 
upgraded, those kinds of things, the impacts on those systems. 
So, that work, we have kicked it off and that is underway right 
now.
    Mr. Palmer. OK. I thank the Chairman, and I yield back.
    Mr. Connolly. Let me just say to the gentleman, I think he 
raises a really good point about the need for coordination so 
that we're not, you know, retiring legacy systems with 150 
different systems that can't coordinate, or can't be encrypted, 
or have different requirements as much as we can in 
coordination by OMB to make sure--and the CIO and CTO in the 
White House to make sure that we're making prudent decisions 
for the future, both in the cyber realm and in terms of 
interoperability and coordination, very important.
    Mr. Palmer. Mr. Chairman, if I might respond to that?
    Mr. Connolly. Thank you, Mr. Palmer.
    The Chair now recognizes----
    Mr. Palmer. Mr. Chairman, if I may respond to that?
    Mr. Connolly. Of course.
    Mr. Palmer. May I respond to that?
    Mr. Connolly. Yes, you may.
    Mr. Palmer. You're absolutely right about the 
interoperability among Federal agencies, but it also should 
extend to the states, and we're seeing--in my previous 
experience on the Oversight Committee, we saw multiple examples 
of the inability because of the antiquated systems to have that 
interoperability between state agencies and the Federal 
agencies.
    I just wanted to add that. And I yield back.
    Mr. Connolly. You are quite correct, and we're certainly 
seeing that in unemployment IT systems all across the country. 
There are at least a dozen that still use COBOL. Now, the only 
good news about that is I understand that the Chinese don't 
know how to hack into COBOL, but that's about the only good 
news.
    So, you're absolutely right, and we're seeing that affect 
millions of Americans in terms of not getting their payments in 
a timely fashion, which creates a snowballing effect in their 
ability to cope during the pandemic.
    The Chair now recognizes the gentleman from Maryland, Mr. 
Raskin, for his five minutes.
    Mr. Raskin?
    Mr. Raskin. Yes, Mr. Chairman.
    Mr. Connolly. Welcome.
    Mr. Raskin. Thank you very much. I'm sorry, I thought I was 
unmuted already.
    Mr. Connolly. No problem.
    Mr. Raskin. Thanks for calling this very important hearing.
    In June of last year, the day before the FITARA 8.0 
hearing, OMB issued guidance which revised and narrowed the 
definition of a data center. According to GAO, this revised 
guidance eliminated reporting on more than 2,000 facilities 
governmentwide, including types of facilities that OMB had 
previously cited as cybersecurity risks.
    Removing the requirement to report on these facilities 
diminishes our ability to exercise oversight over potential 
security risks. Ms. Harris also noted in her opening statement 
that consolidation of data centers has saved us billions in 
taxpayer dollars. So, why would we discontinue efforts that 
save money and improve cybersecurity?
    Ms. Harris, does GAO remain concerned with OMB's decision 
to change the definition of data center and to no longer 
require agencies to include smaller data centers in their data 
center inventories?
    Ms. Harris. Yes, sir, we still remain very concerned about 
the new definition of data centers. Our concern in particular 
is because when agencies stop reporting on these data centers, 
they'll fall under the radar. They'll stop looking at them in 
general, and then that's where the cybersecurity vulnerability 
risks increase because they're not looking and paying attention 
to these centers.
    Mr. Raskin. Yes. And OMB's changes to the new guidance no 
longer allowed the subcommittee and GAO to evaluate agency 
progress toward data center optimization and consolidation.
    Ms. Roat, can you tell us why OMB would stringently narrow 
the definition of data center when doing so could both impair 
cybersecurity and increase costs to the taxpayer?
    Ms. Roat. Thank you for the question.
    So, OMB updated the definitions of data centers to better 
align with industry standards. When you look at the overall 
definitions of data centers, those areas where there was maybe 
just a router and a switch in a closet somewhere, those really 
aren't classified as true data centers because they have com 
gear in it. So, those types of things were changed as part of 
the definition.
    As you look at the modernization across the Federal 
Government and agencies closing data centers, they are taking 
big steps to rationalize their portfolio, upgrade their 
infrastructure, and address those cybersecurity concerns just 
across the entire environment.
    So, as you shut down data centers, there are many steps 
behind it to do that. So, even as we change the definition of 
data centers, modernizing and closing and shutting down data 
centers per the industry standards takes a lot of work and 
those application rationalization and infrastructure upgrades 
will continue as we close data centers.
    Mr. Raskin. Well, will you commit to working with the 
subcommittee to track data centers in ways that are consistent 
with the law and GAO's recommendations to improve cybersecurity 
and maximize the saving of tax dollars?
    Ms. Roat. Yes, sir. We look forward to working with the 
committee on those data center metrics.
    Mr. Raskin. OK. Agencies required to implement the data 
center consolidation reported in total $4.7 billion in cost 
savings from Fiscal Year 2012 through 2019. Of these 24 
agencies, 23 reported in August of last year that they had met 
or planned to meet OMB's Fiscal Year 2019 savings goal of 
$241.5 million.
    Ms. Roat, do we now know whether agencies met their Fiscal 
Year 2019 cost savings goals? If not, when will we have that 
knowledge?
    Ms. Roat. I'll work with OMB on those data centers and 
those metrics to make sure that we have accurate information 
for that, but we continue to track what the agencies are 
reporting to make sure that progress continues on the cost 
center and savings.
    Mr. Raskin. OK. Thank you for that.
    Ms. Harris, is there any more potential for cost savings 
through data center consolidation?
    Ms. Harris. Yes. We believe that there is, and so that is 
why this should continue to stay as a priority for the 
committee on the scorecard, as well as for the agencies.
    Mr. Raskin. Well, why has the Administration chosen to halt 
its efforts in this field?
    Ms. Harris. Unfortunately, I don't feel comfortable 
speculating as to why the OMB would make that decision; but, 
again, you know, backtracking on identifying and including 
things like servers in closets and considering that to be a 
data center is something that we disagree with OMB on.
    That is something that should be counted because it may not 
be an opportunity for consolidation, but it certainly still 
poses a threat from a cybersecurity standpoint. So, we do 
believe that having the more inclusive definition is the way to 
go.
    Mr. Raskin. OK. Can you describe the barriers to cloud 
adoption in your approach to removing those barriers?
    Ms. Harris. Well, the barriers to cloud would--it would 
be--the No. 1 barrier is agencies having it as a priority. 
We've found in our work on cloud adoption that agencies don't 
necessarily have the robust processing in place to take a look 
at all of the investments that they have in terms of whether or 
not they would be eligible candidates for the cloud.
    So, we've made recommendations to the agencies in 
implementing those processes, and we currently have work to 
look at whether those agencies are in the process of 
implementing the recommendations that we've made to them.
    Mr. Raskin. OK. I think I have run out of time, Mr. 
Chairman. Thank you very much for your indulgence.
    Mr. Connolly. Thank you very much, Mr. Raskin. And your 
point about data center consolidation is very important, and I 
agree with you.
    Let me just say, Ms. Roat, I wrote that section of the 
bill, so I care about it, and I'm not going anywhere.
    So, we are going to insist on a robust definition of data 
centers so that we continue the goal of consolidation to, A, 
effectuate savings that can then be used internally for 
reinvestment because they are one of the big sources of 
potential savings and, second, in the whole mission of cyber 
protection.
    So, we'll work with you, but we're not going to countenance 
squishiness in the definition so that people get off the hook 
and aren't accountable for what were the data centers we're 
trying to consolidate. So, I hope you will take that message 
back.
    The gentleman from Wisconsin, Mr. Grothman, is recognized 
for five minutes.
    Mr. Grothman. OK. Do you see me on there?
    Mr. Connolly. We can hear you. We can't yet see you.
    Mr. Grothman. Well, you might have to put up with just 
hearing me. Oh, there I am.
    Mr. Connolly. There you are.
    Mr. Grothman. OK. I got in a little bit late.
    Is Ms. Martorana still around?
    Mr. Connolly. Yes, she is right here.
    Mr. Grothman. Good, good, good, good, good, good. OK.
    I understand you spent a lot of your career in the private 
sector and are focused on improving the digital experience. 
Given OPM's importance to the Federal work force and public, 
could you describe how you approach digital modernization?
    Ms. Martorana. Sure. There's an enormous opportunity for us 
at OPM to better serve our customers across a broad spectrum, 
from continuing to improve the opportunity for job seekers all 
the way through to retirees.
    So, there are numerous opportunities. But the most 
important place to start is on a firm platform and starting 
with the foundational investments that are required in people 
and technology to start that digital modernization journey.
    Mr. Grothman. OK. I'll ask you another question together 
with Jason.
    [Inaudible] Ms. Martorana, and what steps are you taking to 
comply with FISMA--[inaudible]
    Mr. Connolly. Mr. Grothman?
    Mr. Grothman. Yes.
    Mr. Connolly. I'm sorry, could you repeat your question? It 
sounds like you're in a railroad train.
    Mr. Grothman. OK. I'm sorry. I'll speak up.
    Mr. Connolly. That's OK.
    Mr. Grothman. OK. Both of your agencies--this is both for 
Ms. Martorana and Jason Gray. Both of your agencies have 
critical missions and process sensitive data, yet both of your 
agencies get C's in cybersecurity, which means you have got 
room for improvement.
    What steps are you taking to comply with FISMA, a critical 
tool for ensuring effective information security across the 
government?
    Mr. Gray. So, I will start. We have taken a four-phased 
approach, focusing on our processes and making sure that we're 
refining our processes to not only comply with FISMA but also 
enhance our cybersecurity posture.
    We're also looking and have been focused on strengthening 
our processes as it relates. We also have a lot of tools that 
we have and continue to use with defense in depth, a whole 
bunch of them.
    Then also equally as importantly, as was mentioned earlier, 
education. So, it's focusing on making sure that our staff 
understand that and the department as a whole understands the 
importance of cybersecurity.
    We've also developed and implemented a cyber risk scorecard 
that we produce that has near real-time metrics that shows it's 
aligned directly within the cybersecurity framework, and that 
is visible to our system owners so they can see exactly how 
they're doing.
    To the comment earlier about making sure that we're 
measuring the risk and actually when something is red, it's not 
necessarily a bad thing. It's an indication that that needs 
some work. That gets briefed every single month to the 
secretary, the deputy secretary and monthly to all of the 
assistant secretaries for all of theirs.
    So, it is really focused on a process improvement, policy 
improvement, leveraging the tools that we have, and making sure 
that we're educating everyone at the department on the role of 
cybersecurity.
    Mr. Grothman. OK.
    Ms. Martorana, do you have anything?
    Ms. Martorana. Yes. And I think I can mimic basically. We 
are probably a little bit behind where the Department of 
Education is, but following in those footsteps, the people, the 
process, adding new technology and tools, and significant 
training. We are consistently training our work force to make 
sure that the policies and processes that we develop and the 
tools that we are implementing are understandable and that the 
entire work force is comprehending that every single one of us 
are the best tools that we have in keeping all of our 
information systems safe and secure.
    Mr. Connolly. Mr. Grothman?
    I think that train left the station.
    OK. Thank you, Mr. Grothman.
    The Chair will now recognize himself for his five minutes 
of questioning.
    Oh, you're back? Glenn, did you have one more question?
    Mr. Grothman. Yes, yes.
    Mr. Connolly. Go ahead.
    Mr. Grothman. Ms. Harris, at this point nearly all agencies 
have gotten A's in the software licensing metric. Do you think 
it's time to remove this metric? And, if so, how can we evolve 
this metric to capture some of the cost saving aspects like 
eliminating unused software licenses?
    Ms. Harris. Yes, that's a great question.
    So, I think that given all agencies except OPM have 
received that A, it may be time to retire that particular 
metric or evolve it. Certainly when it comes to the evolution 
of the metric, one of the key things that we'll have to work 
with this committee on, as well as with OMB, is the 
availability of governmentwide data that's publicly available 
because that's what is used in order to generate all of these 
scores or these grades.
    So, that would be a key factor in what we could use to 
potentially evolve the software licensing grade.
    Mr. Grothman. Thanks much.
    Great hearing and thanks for putting this together.
    Mr. Connolly. Thank you, Mr. Grothman. Thank you for 
joining us.
    Ms. Harris, despite all of the progress in the scorecard, 
we really don't seem to have made progress in retiring legacy 
systems. Why not? And what will it take to seriously 
incentivize agencies to do that?
    Ms. Harris. Mr. Chairman, I think what we need to see 
greater progress on is the working capital fund establishments 
because that's a very important mechanism that the agencies can 
use to transform their IT and to modernize it.
    So, we would like to see a more aggressive push by the 
agencies that have not yet implemented those working capital 
funds to do so as quickly as possible so that they're able to 
put those savings that they generate from software licensing, 
from portfolios and data center consolidation into that fund so 
that they can use those moneys to be able to--and the 
flexibilities associated with a working capital fund, to be 
able to modernize their platforms.
    Mr. Connolly. Mr. Gray, you will forgive me, but I think 
you soft pedaled the breach.
    So, yes, the breach may not have been huge but, you know, 
this committee had a hearing on your agency or including your 
agency several years ago, and what came out was surprisingly, 
although maybe not surprisingly, but the Department of 
Education actually has a huge database, 40 million Americans. 
You applied for a student loan, you've got my financial data, 
my checking account, my savings account, all kinds of other 
financial data that's pretty sensitive. And that's a pretty big 
database and a juicy target for some people up to no good.
    So, the fact that we had this breach raises the question 
about how secure is that data--the bigger database. And given 
the fact that you get a C minus in cyber, one of your lower 
grades, it underscores vulnerability, maybe I need to be 
concerned. I wanted to give you an opportunity to talk about 
that.
    Mr. Gray. So, I appreciate the question. The incident that 
happened in 2017 is obviously very different than what happened 
here. What was briefed on Friday is that we literally had a 
file share, one out of over 7 million folders, one where a user 
inadvertently allowed other people within the department 
permissions.
    If you have a situation where people have the ability to go 
through and say, hey, I'm going to allow people to have access 
to this, that sort of thing will happen.
    In this situation the employee who actually identified that 
did not report it to the department. They reported it 
externally to the department. To compare this to the TSA, this 
would be like a TSA individual at an airport seeing a 
suspicious package and instead of reporting it, seeing 
something, saying something, they took it externally, which 
then went to the media.
    So, to get to your question, though, I agree this was 
identified. When we were reported--when it was notified to me, 
we took care of it right away. We've also gone through and 
scrubbed and rescrubbed. We've hired a third party to come in 
and recheck all of what we've done just to make sure.
    As of this morning, they have come to the same exact 
conclusion as it relates specifically to this incident. This is 
a low-risk incident where an internal--as I mentioned about the 
bank and the safety deposit box, it was for trusted employees. 
In this case we had a trusted employee who saw something and 
instead of doing what they were supposed to do, they took it 
external.
    To get to your question about cybersecurity, absolutely I 
take cybersecurity seriously. I have been at the department for 
over four years. This is my fifth agency that I have been at. 
Cybersecurity is certainly one of the core focus areas that I 
have had. We, as I mentioned, have gone through what processes 
can we improve, are there policies that we need to implement, 
are there additional tools which we--as I mentioned, we have 
network access control, data loss prevention. So, we're taking 
a lot of necessary steps to ensure that we're protecting and 
defending the information that we are entrusted to.
    Mr. Connolly. You have legacy systems at the Department of 
Education?
    Mr. Gray. Yes, one.
    Mr. Connolly. One. How old is that system?
    Mr. Gray. I would have to get you an exact number, but it's 
probably been around longer than I have.
    Mr. Connolly. Wow. Well, I have two conclusions from that. 
One is you're younger than I thought or the other is ah, gosh, 
you know, that really puts an exclamation point on it.
    From your point of view, and you have had experience in 
other agencies, let's stipulate we need a working capital fund. 
But other than that, what's it going to take? Because my 
experience is, in the private sector, management needs to put a 
priority on something if it's going to happen. There has to be 
a multi-year commitment if that's what it takes. You've got to 
back it up with a budget commitment every year.
    From your point of view, what's it going to take to retire 
that legacy system?
    Mr. Gray. To continue on the path that we're on--actually 
there's a Next Gen financial student aid system that is well 
underway. That acquisition or that entire group of projects 
incorporates removing that legacy system and getting rid of it. 
So, it is actually on the road map on where we're going.
    General Mark Brown, who leads the Federal student aid, has 
been doing an amazing job working very closely--both of our 
teams working closely together from an oversight standpoint, to 
make sure that we are--it's fed into our governance process.
    So, at this point we have the support. Funding is always 
something we can always use, but we have the absolute support 
from the Secretary, from leadership and governance to address 
that legacy system because we do recognize it is old and needs 
to be improved.
    Mr. Connolly. It is an enormous opportunity cost, not only 
for you but the rest of the Federal Government. If we're 
spending 80 percent of a $96 billion line item--well, it's not 
a line item, but that's roughly our budget for IT every year, 
and 80 percent of it is going just to maintain legacy systems, 
no wonder we've got some of the problems we've got.
    So, Ms. Martorana, you're relatively new to OPM. Where did 
you come from, may I ask?
    Ms. Martorana. The United States Digital Service. I spent 
two years at the Department of Veterans Affairs prior to 
joining.
    Mr. Connolly. OK. And you had private sector experience 
before that?
    Ms. Martorana. Yes.
    Mr. Connolly. OPM got, I think, a C, C minus overall grade.
    Given the fact that you're the H.R. agency for the entire 
Federal Government and, as Mr. Lynch mentioned, really 
sensitive data on Federal employees, on people seeking security 
clearances, you know, a breach there, what could go wrong with 
that? And, sadly, we had the biggest single breach in the 
history of the Federal Government with your agency several 
years ago.
    There is a sense, not about you personally, but that the 
agency remains surprisingly less than driven by a mission to 
make sure that never happens again and we're the exemplar for 
the Federal Government as opposed to a laggard. So, I want to 
give you the opportunity to address that. I heard you like your 
team and they're committed and you feel pretty good about where 
you're headed, but a C minus is not a great overall grade for--
given your mission. And maybe put more positively, as we look 
to the future, what will it take to get to an A from your point 
of view.
    Ms. Martorana. Yes. We're a C plus, so a slight correction.
    Mr. Connolly. What's that?
    Ms. Martorana. C plus.
    Mr. Connolly. C plus rather; excuse me.
    Ms. Martorana. With the mainframe platform migration that 
we just completed and the coming data center closures that that 
will trigger and the--we had a failing grade in software 
inventory, but through the COVID supplemental, we're able to 
procure software that will allow us to actually do a software 
inventory. We will be able to check that off of our list as 
well, which should get us to approximately a B FITARA score 
within the next six months. So, we are making pretty 
significant progress.
    You know, security is our primary focus, right. Every 
single day we keep those systems safe, secure, and operational. 
But one of the biggest challenges that we have is funding and 
personnel. To the question earlier about risk, one of the 
biggest risks I think that we are facing, in addition to those 
systems, the legacy systems, is also we have many, many people 
in our work force that are retiring.
    And with those folks retiring and a lot of these systems' 
documentation not--systems being old and not being very 
properly documented, a lot of the knowledge of those very old 
complex legacy systems is retiring with those subject matter 
experts.
    So, I think we have multiple levels of challenges that we 
have to face together. So funding, multi-year funding so that 
we can actually retire those legacy systems and put in more 
modern technology, that will reduce risk.
    Continuing to upskill and train our Federal work force and 
inspire younger and different people to come into the Federal 
work force is a critical part of what is going to be needed for 
us to continue to secure and maintain and operate those 
systems.
    Mr. Connolly. I certainly agree with you, although I would 
say, not about you, you know, freezing wages, threatening to 
cut back in compensation, disparaging the work of the Federal 
work force, making it harder for people in the workplace to 
have appeals and representation and talking about extending a 
probationary period from one to two years, none of that is 
particularly appealing to young people on the college campus to 
come work for the Federal Government.
    It's almost designed, in fact, to also accelerate the 
phenomenon of retirement when people--40 percent of the Federal 
work force is eligible for retirement, and some of them can 
delay it because they're so driven with their mission and so 
passionate about what they're doing, or they can accelerate it 
because they feel so discouraged and unappreciated. And none of 
this was helped by a 35-day shutdown, the longest in American 
history.
    So, you come from the private sector; I come from the 
private sector. I don't know a CEO who would get very far with 
his or her board disparaging the work force, slashing 
compensation and talking about--you know, discrediting, shall I 
say, their value and their work. No CEO I know would keep the 
job.
    And, you know, you praise your work force, you motivate 
your work force, you incentivize your work force----
    Mr. Palmer. It looks like we lost the Chairman. Is he still on 
your screens?
    Mr. Connolly. OK. Well, anyway, I want to thank you for the 
observation. Thank you for the work you have done. We will stay 
in touch. Congratulations on progress.
    And we certainly, Ms. Roat, need OMB to keep the pressure 
on and to be supportive. We've got to come up with some 
creative solutions to help agencies, in addition to money, 
retire these legacy systems. And they want to, they're 
motivated, but it's a big, big decision and a multi-year 
commitment in most cases and quite disruptive actually in 
making that transition.
    So, we've got to have some creative solutions. As we see 
the vulnerabilities in our systems, they have to be addressed.
    Thank you to the first panel so much for being here today. 
Please stay safe and healthy.
    We're going to take a five-minute break and then convene 
the second and final panel of this hearing.
    Thank you.
    [Recess.]
    Mr. Connolly. The subcommittee will reconvene.
    Mr. Powner, Ms. Council, and Mr. Spires, are you with us?
    Mr. Powner, can you unmute and acknowledge you're with us?
    Mr. Powner. Yes, I'm here, Mr. Chairman.
    Mr. Connolly. Thank you. If you would stay unmuted so I can 
swear you in.
    Ms. Council, are you with us?
    Ms. Council. Yes, Chairman Connolly.
    Mr. Connolly. Thank you.
    And, Mr. Spires?
    Mr. Spires. Yes, Chairman Connolly.
    Mr. Connolly. Thank you.
    If all three of you would raise your right hand. Do you 
swear to tell the truth, the whole truth and nothing but the 
truth or affirm the same, so help you God?
    Let the record show all three of our witnesses on the 
second panel have affirmed in the positive.
    Thank you.
    Mr. Powner, if you're ready, I'm going to call on you for 
your five-minute opening statement.
    And welcome back to our subcommittee.
    Mr. Powner. Thank you.
    Mr. Palmer. It's good to be back, Mr. Chairman. I don't 
have an opening statement.
    Mr. Connolly. I would ask--oh, Mr. Palmer?
    Mr. Palmer. Yes, sir.
    Mr. Connolly. I'm sorry, I didn't see you. Go ahead.
    Mr. Palmer. OK. I do not have an opening statement, but I 
failed to do something in the previous panel, and that is enter 
a document and ask for unanimous consent to enter a document 
into the record on the supply chains vulnerabilities.
    Mr. Connolly. Certainly, yes.
    Mr. Connolly. And, Mr. Palmer, if you didn't hear me, I 
said I would be glad to work with you on that whole question 
about supply chain. I think it's a very good point you made.
    Mr. Palmer. Well, I had hit the little raise my hand button 
thing--I'm trying to get used to all of this webinar stuff--and 
I had a followup question that I will ask one of the panelists 
here.
    But with that, with no opening statement, I will yield back 
so that we can move forward with the questions for the panel.
    Mr. Connolly. Thank you, Mr. Palmer. I didn't call on you 
for an opening statement because Mr. Hice had an opening 
statement for the whole hearing, and this is the second panel 
of that hearing. But, obviously, if you had something you 
wanted to add, you're more than welcome.
    Mr. Palmer. I thought you were asking me if I had an 
opening statement. I do not, but I will have questions.
    Mr. Connolly. Yes, of course, and we welcome them. Thank 
you.
    Mr. Palmer. And I thank the Chairman.
    Mr. Connolly. Mr. Powner, you're recognized for your five 
minutes.

STATEMENT OF DAVID POWNER, DIRECTOR OF STRATEGIC ENGAGEMENT AND 
              PARTNERSHIPS, THE MITRE CORPORATION

    Mr. Powner. Chairman Connolly, Ranking Member Hice, and 
Members of the Subcommittee. Thank you for the opportunity to 
testify on the FITARA scorecard.
    For the past two years, I have worked for MITRE, a not-for-
profit corporation that operates in the public interest. We're 
public/private partnerships with federally funded R&D centers. 
We work across government, partnership with industries to 
tackle challenges for the safety, stability, and well-being of 
our Nation.
    Prior to joining MITRE, I was at GAO where I worked closely 
with this committee crafting FITARA, helping with the creation 
of the scorecard, and assisting in its oversight.
    I would like to start by thanking you, Chairman Connolly, 
for your leadership not only in creating FITARA, but also your 
unprecedented follow-through with more than five years of 
consistent oversight which has included 10 scorecards.
    The Federal IT community has benefited greatly from working 
with you and your bipartisan partners along the way, 
Representatives Issa, Hurd, Kelly, Meadows, and now Ranking 
Member Hice.
    Today I would like to address three areas: One, the results 
and progress that have occurred since FITARA passed; two, the 
reasons for these results; and, three, potential areas to 
consider for future scorecards.
    The progress that has resulted from the scorecard and your 
oversight is significant. Billions of taxpayers' dollars saved 
consolidating data centers and reducing duplicative business 
systems and licenses. FITARA's scorecard has also helped 
elevate the CIO role. More CIOs have a seat at the executive 
table and relationships with agency CFOs have strengthened. 
These enhanced authorities and relationships will be critical 
as CIOs lead their agencies to more modernization and digital 
transformation.
    So, why was FITARA and its implementation successful? 
Simply put, it was a collective team effort from the 
Legislative and executive branches. Let's look into the 
specifics of this oversight. Mr. Chairman, your approach 
focused on critical sections of the law, established clear 
metrics with specific targets, was measurable and data driven, 
and the oversight was consistent every six months over a five-
year period. This is extremely important since it took at least 
two years with four scorecards to see significant progress in 
any of the graded areas.
    Also, OMB played a critical role. They issued FITARA 
implementation guidance and required self-assessments after 
FITARA was passed. Federal agencies' CIOs have provided 
leadership and delivered results. This progress is evident with 
the high grades on today's scorecard.
    So, where should the scorecard go from here? Some of the 
areas graded have reached a level of maturity where perhaps 
grading is no longer a necessity. Now, this is not to say that 
they're not important, just that other areas could benefit from 
the transparency, measurement, and oversight the scorecard 
provided.
    For example, Mr. Chairman, the hearing you held a few weeks 
ago on mission modernization and your March hearing where you 
covered GSA's EIS contracting are prime candidates.
    My written statement provides five recommendations to 
consider as the scorecard is enhanced. These recommendations 
are very consistent with the goals in the President's 
management agenda. Here's a brief rundown of the five.
    No. 1, enhance the cyber area by considering metrics with 
agency and industry use and measure cybersecurity. This should 
include areas like patch and vulnerability management, the NIST 
Cybersecurity Framework, and supply chain management.
    No. 2, add a mission modernization category that provides 
transparency to our Nation's most important IT acquisitions and 
incorporates a customer experience measurement as well as 
legacy retirements.
    No. 3, add an infrastructure category that highlights 
progress on EIS so that we have in place more modern and secure 
networks.
    No. 4, add an IT work force category that provides a 
comprehensive view of agencies' gaps in critical cyber 
engineering areas and tracks progress to build the 
appropriately skilled work force.
    And, No. 5, add an IT budgeting category that continues to 
focus on working capital funds but also incorporates TBM so 
that IT costs are better captured.
    We need to shed a light on the discipline agencies use in 
IT budgeting so that it reflects actual needs for 
modernization. This category could drive better conversations 
both internally with CFOs and externally with OMB and the 
Congress.
    In summary, Mr. Chairman, these recs are about having 
better secure agencies, tackling true mission enhancement, 
having a modern infrastructure, a skilled work force to do it, 
and the right resources.
    Could an enhanced scorecard help in these critical areas? 
Absolutely. Future legislation to enhance OMB policies could 
also.
    Mr. Chairman and Ranking Member Hice, we look forward to 
further assisting you on these important topics for our Nation.
    Mr. Connolly. I thank you, Mr. Powner, and I also thank you 
for being one of the architects, key architects of establishing 
the scorecard, and I think it's evolved in a way that we hoped 
it would, which is to incentivize agencies to evolve and to 
modernize and to understand the criticality of that mission. 
And I thank you for your leadership in allowing us to be where 
we are five years later.
    LaVerne Council, chief executive officer of Emerald One, 
welcome.

STATEMENT OF LAVERNE COUNCIL, CHIEF EXECUTIVE OFFICER, EMERALD 
                            ONE, LLC

    Ms. Council. Chairman Connolly, Ranking Member Hice and 
Members of the Committee, thank you for the opportunity to 
appear before you today to share my experience implementing 
FITARA as an Assistant Secretary for Information Technology and 
CIO at the Department of Veterans Affairs where I served from 
2015 to 2017. I am pleased to join you and provide my 
recommendations to support the continued effectiveness of 
FITARA.
    Prior to joining the VA, I spent over 30 years as a global 
leader in operations and technology in private industry. During 
that time I led organizations as large and complex as the VA. I 
had complete fiduciary responsibility and accountability for 
implementing world-class processes and technology. However, 
during the preparation for my role in the VA, I frequently 
heard about how difficult it was to execute IT projects in the 
Federal Government. The causes were numerous: one or two-year 
appropriations, complicated program budgeting, hiring delays, 
data center proliferation, cultural nuances, even technology 
procurement decisions being made outside the IT organization.
    While I did witness each of the obstacles mentioned, within 
a short period of time, we were able to make progress at the 
VA. How were we able to do it? We had one critical strategic 
tool I could rely on. It was FITARA. FITARA is the law, and 
regardless of whatever obstacles I might have encountered, I 
had a law that I could leverage. I want to thank the committee 
for giving us that law and, therefore, the authority to act 
accordingly.
    Let me share a figure with you, 74 percent of all mainframe 
IT modernization projects fail. That's a staggering 
figure, and it is industry-wide. The primary reason is 
enterprise complexity and age. Many organizations obtain or 
develop new technology to enable a new process or solve a 
problem well before they understand how the solution will be 
supported or how the process will work.
    In most cases you're trying to make something new work on 
something old. Integrating new technologies on top of old 
infrastructure is always a risky proposition. The old 
infrastructure generally has not been well maintained. 
Therefore, unforeseen risks often occur and lead to subsequent 
failures. Just like the stuff in your attic or basement no one 
wants to get rid of anyway and no one has updated anything, the 
same thing happens in IT.
    In addition to the infrastructure age, the organization's 
culture, and how it drives the use of technology, and the CIO's 
influence within the agency has a major impact on projects' 
success.
    At Emerald One we address the issue of complexity by not 
just focusing on people, process and technology, but also 
engaging the leadership, being culturally aware, building 
trust, attaining the full value of the solution, and doing it 
in the shortest possible time so you can take advantage of the 
new technology. We call this the Elements of Brilliance.
    With this in mind, I respectfully submit to the 
subcommittee several recommendations that I believe could 
strengthen FITARA.
    The first recommendation is make the FITARA scorecard an 
agency-wide metric, therefore, providing the agency CIOs with 
the support needed to become the enabler of a critical agency 
asset along with the rest of the leadership team.
    The second is to add a metric that measures the agency's 
average technology life cycle. This could be utilized to 
understand the risk of modernizing in that environment.
    The committee should also consider a method to assess 
cultural readiness. The culture must be prepared to adopt new 
technology, not just endure it. Organizational leaders must 
focus on user adoption by measuring and managing the culture's 
preparedness before tackling any new technology.
    And, finally, you must ensure that the agency's fiscal 
reality supports the technology mandates we impose. Many of our 
agencies continue to receive technology budgets that allow them 
to do little more than maintain and sustain outdated systems.
    MGT supported by the TMF were both positive steps forward. 
By creating more meaningful connections between the mandates, 
the committee can create the leverage many CIOs need to 
modernize.
    As the Chairman shared in his July 20th opening statement, 
we can no longer allow outdated and legacy technology to stymie 
the delivery of vital public services.
    Chairman Connolly, Ranking Member Hice, and Members of the 
Committee, thank you again for the time and opportunity to 
share my experience and perspectives on FITARA. I look forward 
to its continued success and implementation and am happy to 
take your questions at this time.
    Mr. Connolly. Ms. Council, thank you so much; really very 
helpful observations from your own experience, very practical, 
and we look forward to working with you as we proceed. Thanks 
so much.
    Mr. Spires, welcome back.
    Mr. Spires?

   STATEMENT OF RICHARD SPIRES, PRINCIPAL, RICHARD A. SPIRES 
                           CONSULTING

    Mr. Spires. Yes, Mr. Connolly. Good afternoon to you----
    Mr. Connolly. Welcome back.
    Mr. Spires [continuing]. Ranking Member Hice and Members of 
the Subcommittee. I'm honored to testify today in regards of 
FITARA and the scorecard that Congress has been issuing over 
the past five years.
    Having served as the CIO of the U.S. Department of Homeland 
Security, as well as IRS, and having served as the Vice Chair 
of the Federal CIO Council, I had ample opportunity to 
understand the management dynamics inherent in Federal IT.
    I was pleased when FITARA was enacted, but while the 
legislation itself has been of aid, I believe it has been the 
oversight of Congress that has been the driving factor in 
getting Federal agencies to improve their IT management.
    In particular, the spirit of bipartisanship has made a 
significant positive difference, starting with the drafting of 
FITARA, and it continues today with leadership from the 
subcommittee. Yet even with the progress, much work remains to 
reach the state of IT management best practice.
    The hearing held by this subcommittee just two weeks ago 
showcased the need to continue to focus on IT modernization. 
But even if we had unlimited funds to invest in IT, many 
agencies would still struggle as they do not have the 
management maturity and skills to effectively deliver large 
scale IT modernization.
    In 2015, GAO placed the whole Federal Government on its 
high-risk list for improving the management of IT acquisitions 
and operations. In GAO's latest report, it recommended that 12 
agencies identify and plan to modernize and replace legacy 
systems, yet only three of the 12 agencies had implemented 
GAO's recommendation and made progress in even planning to 
modernize their legacy systems.
    Given the success of the scorecard, it should continue as a 
tool to measure agency progress. I recommend changes to the 
scorecard to sharpen the focus on IT management and 
modernization, all of which are provided in my written 
testimony.
    Some highlights of my recommendations include: One, add an 
IT planning category. Meaningful IT modernization starts with 
good planning and support by agency leadership. Hence, this 
category should reflect the maturity and focus on IT 
modernization within the agency's planning function and 
enterprise architecture.
    Two, combine the incremental delivery and transparency and 
risk management categories into a broader delivery of IT 
programs category.
    Agency IT modernization occurs through the successful 
delivery of IT programs and, as such, there should be a 
category that measures the ability of agencies in being able to 
manage such programs.
    No. 3, evolve the managing government technology category 
to a broader IT budget category. This category should keep the 
element of an agency having an IT working capital fund. In 
addition, agencies should much better understand the cost 
element of the agency's IT budget. The Federal Government has 
adopted a Technology Business Management, TBM, taxonomy to 
support this effort.
    Agencies should be measured on their adoption of TBM, along 
with the use of benchmarking of their IT services, so that they 
can compare themselves to other similar-sized agencies and 
private sector corporations.
    Evolve the cybersecurity category. Agencies should be 
conducting meaningful enterprise cybersecurity risk management 
to ensure they are focusing on protecting their most sensitive 
data and critical systems. NIST has developed such a risk 
management framework called the NIST Cybersecurity Framework, 
the CSF, and its use is mandated by Federal agencies. Hence, 
the cybersecurity category should start with measuring whether 
an agency is properly executing the seven process steps of the 
NIST CSF.
    Add a customer satisfaction category. IT organizations have 
customers. A core measure for all agency support organizations 
should be customer satisfaction. It would be best practice to 
administer a standard customer satisfaction survey to all 
agencies so this category can be added to the FITARA scorecard.
    To determine the specific measures for a category and what 
additional data would be required for agencies to collect so 
the category could be graded, I recommend that Congress convene 
an advisory group that would develop recommendations to evolve 
the FITARA scorecard. This advisory group should be headed by 
GAO but include representatives from the Federal CIO Council, 
the Office of the Federal CIO, and from the private sector. 
Such an advisory group could make recommendations to Congress 
within three to six months.
    Given the scorecard works, let's commit ourselves, as the 
Federal IT community, to evolve the scorecard to support and 
drive agencies to more rapidly adopt IT management best 
practices and move aggressively to modernize agency processes 
and systems.
    Thank you for the opportunity to testify today.
    Mr. Connolly. Thank you so much, Mr. Spires.
    And thank you, all three of you for your very thoughtful 
testimony. And I assure you, we'll be glad to work with you and 
take cognizance of some of the changes you propose in the 
metrics and in the scorecard itself.
    The chair now calls on Mr. Palmer for his five minutes of 
questioning.
    Mr. Palmer?
    I'm informed Mr. Palmer is having a bandwidth issue. In 
Alabama maybe, huh?
    Well, let me ask all three of you a series of questions. 
One is, how important is it that the CIO have the ear of the 
agency head? That's one of the categories we've actually added 
to the scorecard in terms of the reporting sequence, because 
from our point of view, it's about empowerment. If you're going 
to make decisions and make them stick, you know, the rank and 
file need to see that that CIO is empowered by the agency head, 
the boss.
    In your experiences, how important is that, from your point 
of view? Maybe we start with you, Mr. Spires.
    Mr. Spires. Yes, thank you, Chairman. Yes, I had the 
situation of reporting to the, if you will, agency head, a 
large bureau in the IRS when I was CIO, and not the case at 
DHS, actually. I reported to the Under Secretary of Management. 
So, I've seen both situations in government, and I think it 
makes a significant difference. And not to take away from the 
Under Secretary for Management in DHS, but that individual who 
I served under had no IT background and there was a lot of lost 
translation. And, frankly, I don't feel like--not that I wasn't 
able to develop a relationship with the Secretary and Deputy 
Secretary of DHS, but it was not nearly as strong a 
relationship as I was able to develop with the IRS 
Commissioner. And I would say that, in my view, I was able to 
be more effective, significantly more effective, because I had 
a good relationship with the head of agency.
    Mr. Connolly. Ms. Council?
    Ms. Council. Yes, I also agree with Mr. Spires. I actually, 
during my time in VA, even though it wasn't the norm, had a 
direct reporting relationship with the Secretary, who was 
Robert McDonald. Part of the reason for that was we had a short 
period of time to get a lot of things done. He understood I 
understood large enterprises. I had come from Johnson & 
Johnson. He had been at Procter & Gamble. And it allowed us to 
sync very quickly.
    It also is a way for the CIO to have the kind of support 
enterprise-wide that they need when an agency head is aligned 
with them. It doesn't mean that you don't include others in the 
conversation. It just means that everyone knows this mandate is 
a mandate. So, I totally agree with that alignment.
    Mr. Connolly. Thank you.
    And Mr. Powner.
    Mr. Powner. Yes. So, I will third the importance of 
reporting to the agency head. I think it is very important the 
discussions we're having about mission modernization and 
tackling legacy where we have--where CIOs have relationships 
with the business leads and also a strong relationship with the 
CFO, so that there is the budgetary support to tackle these 
big, complex legacy modernizations.
    So, having the support at the top so that they can be a 
business partner with the business unit and also having that 
strong relationship with the CFO is critical to tackling these 
big challenges the Federal Government faces.
    Mr. Connolly. Mr. Powner, while I've got you, maybe you 
heard the previous panel, our conversation about data centers 
and the attempt by OMB to maybe dilute the definition of data 
centers, which could have the unintended effect of losing 
savings and even compromising security.
    Would you comment on that? Because you remember how 
important, the premium we put on data center consolidation when 
we actually began this process with the scorecard.
    Mr. Powner. Yes. No doubt, Mr. Chairman. So, a couple 
comments here. I knew when that memo came out that there was 
going to be a rub between OMB policy there and where you were 
going with data center consolidation. Do I think that we have 
had great success with data center consolidation? Yes, $4.7 
billion in savings. Do I think there's opportunity to still do 
more? Sure, and populate with the capital funds.
    I think what really needs to occur is I think there needs 
to be a really--there needs to be some type of agreement 
between OMB and what they're doing and what Congress wants to 
do, so you guys get more on the same page. Right now, right, 
we're at different ends of the spectrum here. I do think 
there's probably some coming together where you could tackle 
some data center. There's a lot that's already done, but 
there's still some opportunities.
    That's why I think that the infrastructure category on the 
scorecard where you could still include data centers, but you 
also look at modern networks like with the EIS vehicle, is a 
good way to think more broadly about the infrastructure rate 
and how we tackle that.
    Mr. Connolly. You will remember, perhaps, that the very 
first hearing we had on this subject was when John Mica was 
chairman of this subcommittee, different kind of configuration. 
We had a field hearing at George Mason University in my 
district, and that forced people to look at how were they 
complying with this brand-new bill, FITARA, on data center 
consolidation. And what happened was we got much better at 
identifying thousands of data centers we didn't know we had, 
but we made zero progress on consolidation. Out of that hearing 
actually grew the idea of a scorecard, so we actually could 
create metrics and force action.
    So, I hope we don't go back to that. It's distressing to 
learn that this action alone would take 2,000 existing data 
centers and basically take them offline. That's not the 
language of the statute and it's not the intent of the statute. 
So, it's worth watching.
    And my time is up.
    Mr. Hice, I recognize you for five minutes.
    Mr. Hice. Thank you, Mr. Chairman.
    Real quickly to each of you, and I don't want a long 
answer, just kind of get at your basic feel here, but I'd like 
to hear from each of you as to how you think FITARA, the 
scorecard, has it been successful in driving change within 
agencies? From your perspective, is this thing working, and 
real quickly, why or why not?
    Mr. Spires. I'll start, sir. Yes, it is definitely working. 
And as I mentioned in my testimony, the point is we've always 
had good people, good CIOs, you know, people that want to do 
the right things, but the environment in many agencies, the 
culture, as LaVerne was talking about, makes that difficult at 
times.
    So, you shining a light on aspects of IT and IT management 
as congressional oversight, I think, is really critical, and it 
does force agencies----
    Mr. Hice. Real quickly. I've got some other questions. I 
want to hear from the others. Yes or no?
    Ms. Council. Yes. This is Ms. Council. I think it is 
working. I think it is working very well. I also believe that 
people manage what's measured. And because it's managed and 
because it's measured and because it's clearly transparent, it 
gets people focused on the right things.
    Mr. Hice. OK.
    Mr. Powner. I agree with Ms. Council on, you know, what 
gets measured gets done. And I think what's really important to 
look at is your persistence and consistency. In most of these 
areas, it took at least four scorecards and two years to see 
significant change. We've got to stick with it in order to 
drive change, with some of the cultural issues that Ms. Council 
mentioned earlier; it just takes time.
    Mr. Hice. OK. I don't know which one of you is most 
equipped to hit on this, but several of you or a couple of you 
brought this up with the CIOs. What's the biggest challenge 
that a CIO is facing in the attempts to try to deliver large-
scale IT modernization? What's the wall they're running into?
    Ms. Council. I can take that one. Large implementations are 
just that, they're high risk and they're costly and they 
include people. And when you put all those together, you end up 
in the situation where you can't control all the aspects, and 
it requires a really focused effort of all hands on deck.
    One of the biggest issues you run into, especially with 
one-, two-year money, even with the working capital fund, is 
that you may have multiple sets of these systems in the same 
environment. I can only speak to VA, but you're talking about 
one of the most complex environments in the world, not just in 
the U.S. Government.
    So, when you go after trying to effectively change one of 
these, you've got to realize you're impacting an entire 
enterprise. None of these things are in isolation. None of 
these things easily are changed without engaging the entire 
whole. So, they are tough, but can they get done? Yes, they can 
get done. They require a lot of focus. They require everyone's 
intent.
    And I think that's one of the reasons we think that the 
alignment needs to be the top of the house, so that everyone 
understands they have to have a stake in making it successful.
    Mr. Hice. OK. Mr. Spires, are you there?
    Mr. Spires. Yes, I am.
    Mr. Hice. OK. You mentioned in your testimony--I'm sorry, 
my time is running out here, but you mentioned recommendations, 
if you will, regarding next steps for the scorecard, and 
specifically you brought up trying to phase in the metrics and 
obtain a buy-in from the stakeholders. Can you kind of walk me 
through what you have in mind when you make those comments?
    Mr. Spires. Sure, Mr. Hice. I believe that we need to try 
to get better alignment. And Mr. Powner mentioned this earlier 
in an answer to a question about trying to get Congress working 
effectively with OMB, effectively with GAO. Let's come up with 
a set of metrics we all agree with.
    They won't ever be perfect, but I think we can come up with 
a really good set of metrics. We've got to figure out how we 
measure them, that's important, and get the data. But if we do 
that and we can get better alignment--and this is a bipartisan 
issue, so I think we can work to do that. And I think we can 
make significantly more progress in driving IT modernization, 
because too often we're not going after it.
    We're doing things that help, don't get me wrong, but some 
of the really big modernization efforts that do require that 
whole-of-agency effort agencies are just scared to go after, 
and we need to change that dynamic, because it's really 
important to our country that gets done.
    Mr. Hice. Well, thank you. And I hope you're right. I 
agree, we need to--the metrics have been great, the question of 
the scorecard have been moving it forward to get more to the 
bottom line of what we need to get to. I think we can get there 
as well. I thank you for your answers and appreciate it.
    Mr. Chairman, I yield back.
    Mr. Connolly. I thank the ranking member. And our hope I 
think eventually is to move to sort of a scorecard that is a 
digital hygiene kind of scorecard, but it's important to note 
what Mr. Powner noted.
    The only reason, in theory, we've made the progress we've 
made is because we have stubbornly insisted on the metrics 
contained in the scorecard for five years. And it took five 
years to get everyone finally better than a D and no Fs, five 
years. So, we want to be cautious about sliding back or 
assuming progress where it, frankly, has not yet been 
completely achieved.
    So, I want to thank all of our panel for being here. There 
are so many other areas we could expand upon and----
    Mr. Palmer. Mr. Chairman?
    Mr. Connolly. Oh, Mr. Palmer, are you still with us?
    Mr. Palmer. Yes. I swiped myself off a little while ago.
    Mr. Connolly. Sorry. Welcome back. And you are recognized 
for five minutes, Mr. Palmer.
    Mr. Palmer. Thank you, Mr. Chairman.
    I want to go back to something Mr. Spires said about some 
additions to the scorecard, and this has to do with security. 
The Federal Acquisition Regulations are really written in such 
a way that cheapest is best, and it goes back to something that 
we talked about in that first panel about the fact that we're 
dealing with antiquated legacy systems, and about 51 percent of 
what we're buying is sourced from China.
    So, I'm wondering if it makes sense to add to the scorecard 
and to encourage agencies to avoid buying--as much as possible, 
avoid buying from China. Mr. Spires, since you raised the issue 
of adding to the scorecard.
    Mr. Spires. Yes. In the cybersecurity area, certainly I'm a 
huge believer in looking at enterprise risk. And there's no 
doubt today that cybersecurity supply chain risk is a very 
significant risk that we need to address.
    So, I'm not in a position to say exclude--you know, 
shouldn't buy anything from China that's related to IT, but I 
think it is something that agencies need to take seriously as 
they look at their enterprise risk strategy. And I know that's 
certainly something DHS is looking at for all of government 
right now.
    Mr. Palmer. Yes. I'm not saying that they can source 
everything outside of China, but we ought to encourage them to 
do as much as they can, because I think there's a gap, 
particularly when it comes to security, especially around this 
multitiered supply chain. And it's really mentioned nowhere or 
addressed nowhere in these acts.
    So, let me ask it this way: Does it make sense to amend 
FITARA to assess the global supply chain security risk tied to 
the Federal IT acquisitions? Maybe that's where we start, and 
then we put that in--add that into the scorecard. Does that 
make sense?
    Mr. Spires. Again, I go back to it is a key risk for 
enterprise cybersecurity for an agency, and it should be 
addressed as such. Whether or not that needs to be in 
legislation or just part of the scorecard, I think that's--I 
think that's why you should have an advisory group with some 
experts that are really--you know, that study this particular 
field, what would be best for the Federal agencies and how to 
handle this particular enterprise risk.
    Mr. Palmer. OK. And I'm not totally familiar with all of 
the agencies, but I know there are a number of areas that are 
considered high risk. I don't know in the GAO's assessment if 
that includes high risk for security breaches in the context of 
where they sourced their materials.
    Mr. Powner, do any of you--do you know?
    Mr. Powner. This question about high risk has come up a 
couple times, Representative Palmer. I think one of the key 
things we probably need to do here, whether it's supply chain 
or just high risk in regards to other aspects of high risk, you 
know, where there's risky acquisitions that are out there, it 
sounds like there's probably some clarification that OMB might 
need to look at in terms of their policies that they currently 
have in place so that we're all kind of singing off the same 
sheet here, because there seems to be a lot of confusion around 
this risk. And I would recommend that OMB take a good hard look 
at this high risk and look at what their policies say in those 
areas and perhaps clarify that.
    Mr. Palmer. That's a great point. We will followup on that. 
And I think--I've been on Oversight since day one, I took a 
leave for most of this Congress, but I've done a lot of work 
with the GAO, and the thing that I want to commend the chairman 
and the ranking member on is we continue to work together in a 
bipartisan way to improve the quality.
    In the previous panel, Chairman Connolly mentioned the fact 
that some of these agencies are still operating on COBOL. When 
I was in college, I was a COBOL consultant. And my concern is 
that there are not many people left who would know how to 
correct something if something went wrong with that.
    So, there's a lot of vulnerabilities that exist. And I 
think what we're trying to do here, in a bipartisan way, is not 
only enhance our security, but also improve the quality of the 
work product by--what I think we need to be doing is replacing 
antiquated systems, and not only doing it at the Federal level 
but at the state level too, so that we've got that 
interoperability that we desperately need.
    With that, Mr. Chairman, I thank you for recognizing me 
being back and being back on the committee, and I yield back.
    Mr. Connolly. Thank you, Mr. Palmer. Thank you so much. 
Very thoughtful.
    Let me ask one last question, if I may, of all of the 
panelists, because given your experience. One of the things 
that concerns many of us is, especially those of us who are 
also in the private sector in IT, is that there's this gap, 
knowledge gap, experience gap, between the Federal Government 
and, let's say, the private sector, especially vendors who 
provide services to the Federal Government in this sector, and 
that that gap is almost growing. And to try to reverse that, 
we've got to be able to attract technology specialists and 
experts who can help the government manage its IT, procure its 
IT, and even as simple a task but not so simple, even writing 
the terms of reference for a complex IT contract.
    I'd love to hear, as the final part of this hearing, your 
observations briefly about that problem, if you agree it's a 
problem, and what you think we ought to do about it.
    Ms. Council, why don't you start.
    Ms. Council. Thank you for the question. This is actually a 
question that impacts the governmental aspects as well as 
private industry. We don't have enough technologists anywhere. 
We don't have enough data scientists anywhere. We don't have 
enough architects anywhere. The need for technology, the need 
for people that really understand information technology and 
how to make it scale has constantly been there, but I can tell 
you now it's even tenfold.
    As you see the now normal that we go through since COVID, 
technology is everywhere and it's everything. It allows us to 
be where we need to be, and when we can't be there physically, 
it allows our ideas to be there.
    So, getting people to come work in the Federal Government, 
one, is really hard. I talked about that often when I was in 
the role. I wouldn't know how to get a job in the Federal 
Government. It's not a straight line. It's not sending a resume 
and you start talking to someone, as you would in a commercial 
entity.
    It also requires that you know--you have to understand how 
to navigate. And I will tell you some of the best and brightest 
in our universities today, they are interested in working on 
technology, want to work on the newest things possible. They 
want to work on the hardest things possible.
    So, I think the more we can give them that kind of 
environment, the faster we can get up on technology, the faster 
we can get new technology through FedRAMP, Chairman Connolly, 
the more excited young people will be, as well as some old 
people--don't count us all out. We know how to program, some of 
us do--will be more than willing to come in and help the 
Federal Government, no doubt about it.
    Mr. Connolly. Thank you.
    Mr. Spires.
    Mr. Spires. Yes, thank you. And great answer by Ms. 
Council. I'll build on that a little bit by saying that I 
really feel like--I mean, I came in mid-career into government 
at the IRS first, and I'll tell you the sense of mission is 
really palpable. And I don't think--I think we could do a much 
better job of enticing younger people if we would market 
ourselves better as Federal agencies.
    I recognize that sometimes you don't have the latest 
technology that you can offer all of them, but I'll tell you, 
the opportunities that younger people can have that are 
talented, that really want to build a career, I think we're 
missing a big opportunity to be able to entice people. And I 
think if we marketed this more effectively, we could attract 
people.
    Now, you're going to lose a lot of them, there's no doubt. 
I mean, maybe you have a program where you try to keep them for 
four or five years and help you. And some will stay. A lot will 
go back into the private sector, and that's OK. But we need to 
do something different. And I don't think we're going to be 
able to buy our way out of this with increased salaries, but I 
do think we have a wild card here that we need to play, and 
that's that sense of mission and the opportunities we can offer 
younger people.
    Mr. Connolly. Thank you.
    Mr. Powner, final word.
    Mr. Powner. So, I agree on the sense of mission. Many 
times, IT departments in the Federal Government have this 
compliance focus, and that compliance focus isn't going to 
attract anyone. If you look at where Ms. Council was at, you 
know, who doesn't want to help the vets in our country or who 
does not want to help secure the homeland, where Mr. Spires 
worked.
    Those are the types of missions we really need to get out 
front and to talk about the challenges that we face as a 
government and attract those young hard-chargers that are out 
there. It's not going to be easy because of the salary 
differences, but I do think--and we've seen it when you do have 
this mission focus. Like, why do some folks who are seasoned 
come back into government? Ms. Council did. Mr. Spires did. 
They come back because, you know, they're sold on the mission, 
and they want to actually help deliver on these missions.
    It's no different with the younger folks we need to 
attract. We really need to sell the mission hard, because a lot 
of things in government are really important, and I think there 
would be a fair amount of people who would get behind that.
    Mr. Connolly. So, a little inspiration wouldn't kill us?
    Mr. Powner. Absolutely, absolutely.
    Mr. Connolly. Thank you.
    With that, without objection, all members will have five 
legislative days within which to submit additional written 
questions for the witnesses to the chair which will be 
forwarded to the witnesses for their response. I ask all of our 
witnesses to respond as promptly as you are able. And I want to 
thank all three of you for really thoughtful contributions to 
this conversation and to the scorecard on FITARA.
    And, with that, this hearing is adjourned.
    [Whereupon, at 4:33 p.m., the subcommittee was adjourned.]