[Senate Hearing 116-43]
[From the U.S. Government Publishing Office]


                                                     S. Hrg. 116-43

                  HIGH RISK LIST 2019: RECOMMENDATIONS
  TO REDUCE RISK OF WASTE, FRAUD AND MISMANAGEMENT IN FEDERAL PROGRAMS

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             MARCH 6, 2019

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
35-772PDF                  WASHINGTON : 2019                     
          
--------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].        



        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
       Patrick J. Bailey, Chief Counsel for Governmental Affairs
              Jennifer L. Selde, Professional Staff Member
               David M. Weinberg, Minority Staff Director
      Ashley E. Poling, Minority Director of Governmental Affairs
         Alexa E. Noruk, Minority Director of Homeland Security
         Yelena L. Tsilker, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator Peters...............................................     2
    Senator Lankford.............................................    12
    Senator Rosen................................................    12
    Senator Romney...............................................    14
    Senator Sinema...............................................    17
    Senator Hassan...............................................    19
    Senator Carper...............................................    28
Prepared statements:
    Senator Johnson..............................................    39
    Senator Peters...............................................    40

                               WITNESSES
                        Wednesday, March 6, 2019

Hon. Eugene L. Dodaro, Comptroller General of the United States, 
  U.S. Government Accountability Office; accompanied by Cathleen 
  Berrick, Managing Director, Defense Capabilities and Management 
  Team; Nikki Clowers, Managing Director, Health Care Team; 
  Elizabeth Curda, Director, Education, Workforce and Income 
  Security Team; Mark Gaffigan, Managing Director, Natural 
  Resources and Environment Team; Nick Marinos, Director, 
  Information Technology and Cybersecurity Team; and Chris Mihm, 
  Managing Director, Strategic Issues Team
    Testimony....................................................     4
    Prepared statement...........................................    44

                                APPENDIX

Minors and Families chart........................................   161
GAO Priority Recommendations to EPA..............................   162
Senior Executives Association Report.............................   164
Responses to post-hearing questions for the Record:
    Mr. Dodaro...................................................   204

 
                  HIGH-RISK LIST 2019: RECOMMENDATIONS
                  TO REDUCE RISK OF WASTE, FRAUD, AND
                   MISMANAGEMENT IN FEDERAL PROGRAMS

                              ----------                              


                        WEDNESDAY, MARCH 6, 2019

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 9:31 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, Lankford, Romney, Scott, Peters, 
Carper, Hassan, Harris, Sinema, and Rosen.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning. This hearing will come to 
order.
    I want to welcome the Comptroller General, Mr. Gene Dodaro, 
and everybody that has come here in the audience to really 
review a very important report. It is interesting, the 
Government Accountability Office (GAO), every Congress issues 
its High-Risk Report, and the goal of that High-Risk Report is 
very similar to this Committee's stated mission statement, 
which is to enhance the economic and national security of 
America and promote more efficient and effective government. I 
think that pretty well is the whole goal behind both your High-
Risk Report as well as the Duplication Report.
    I will just ask that my written statement be entered in the 
record,\1\ without objection.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the 
Appendix on page 39.
---------------------------------------------------------------------------
    I will keep my comments pretty short, but I think it was 
pretty noteworthy--and it is in my statement--that since 2006, 
because of the recommendations made by GAO in their High-Risk 
Reports, Federal agencies have saved nearly $350 billion, and 
in fiscal year (FY) 2018 the saving was $47 billion alone. So 
it just shows where a little bit of attention--and Senator 
Scott is working on a little project as well in terms of just 
taking a look at efficiencies in terms of disaster spending 
with the Federal Emergency Management Agency (FEMA), that type 
of thing. Attention to detail is incredibly important.
    The point I wanted to primarily make in this is I know I 
think last year the Duplication Report, one of my 
recommendations was to work with GAO to actually help Congress 
craft the legislation. I was talking to my staff. We really 
were not able to do that effectively because so many of the 
recommendations in duplication had to do with getting agencies 
to cooperate. It is kind of hard to put that into legislative 
language.
    My sense is the High-Risk Report might lend itself more 
toward potentially legislative solutions. Now, a lot of it 
would be outside of this Committee's jurisdiction, but I just 
wanted to make the point that it is important to hold this 
hearing so we raise the profile of what I consider an 
incredibly important report established by GAO, along with all 
your other detailed reports, but this is the one that kind of 
prioritizes areas. We need to get the attention of Secretaries 
and department heads and Deputy Secretaries. That is one way of 
doing it.
    The other way of doing it is honestly just leading the 
horse to water, helping Congress craft the--where a legislative 
fix is required--I mean, so many of your recommendations can be 
carried out and need to be carried out by the agencies. But 
where there is a legislative fix required, I would just ask GAO 
to work very cooperatively with this Committee, and we can pass 
it along to other committees' jurisdiction as well. I have just 
found the easier you make things, the more likely they are to 
get done.
    I just want to thank all of your staff for their dedicated 
efforts. These are excellent reports. They really guide the way 
and just the numbers pretty well speak for themselves--$350 
billion worth of savings since 2006 and $47 billion just last 
year. That is pretty remarkable. So, again, thank you for all 
your efforts. Thank all your staff.
    And with that, I will turn it over to Senator Peters.

             OPENING STATEMENT OF SENATOR PETERS\1\

    Senator Peters. Well, thank you, Mr. Chairman. I would like 
to join you in welcoming our Comptroller General Gene Dodaro to 
today's hearing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the 
Appendix on page 40.
---------------------------------------------------------------------------
    Mr. Dodaro, thank you for joining us and for all of the 
hard work of the men and women that are a part of the GAO. You 
work very hard to hold the Federal Government accountable and 
to ensure that taxpayer dollars are being spent appropriately. 
As always, I look forward to your testimony here today.
    Since 1990, the GAO has alerted Congress to areas that are 
considered ``high risk'' by providing this list of Federal 
agencies and programs that they have identified as vulnerable 
to fraud, waste, abuse, or mismanagement.
    The High-Risk List is a road map to cut waste, save 
taxpayer dollars, and set our country on a course for a more 
fiscally responsible future. Yet Federal agencies and Congress 
have struggled to effectively address many of the problems that 
are identified in this report.
    I believe that this failure is rooted in the dysfunctional 
budgeting and appropriations process that is filled with last-
minute deadlines, continuing resolutions (CRs), and 
brinkmanship that leads to government shutdowns.
    Instead of thoroughly examining whether the programs we 
authorize and fund are serving the American people effectively, 
Congress routinely relies on stopgap spending measures and 
continuing resolutions that disrupt the regular order and 
really do not allow for meaningful oversight of taxpayer 
dollars.
    This leads to governmental short-termism. Too often, we 
spend more money to lease office space over years or decades 
than it would cost to build and own that property. We did not 
invest effectively in Federal cybersecurity, and we are now 
paying for credit monitoring for over 20 million people in the 
wake of the Office of Personnel Management (OPM) breach.
    Efforts we make now to prepare for and mitigate climate 
change could also save the Federal Government, farmers, 
homeowners, and small businesses billions of dollars in the 
coming years.
    The Federal Government is also dragging its heels in 
addressing toxic chemicals. The sooner the Environmental 
Protection Agency (EPA) and other agencies act to address 
Perfluorooctanesulfonic acid (PFAS)--fluorinated chemicals that 
are harmful to human health--the more money we can save on 
billions of dollars of future cleanup and health care costs.
    This pattern of waste and delay is particularly alarming at 
a time when our country is on course to reach a $1 trillion 
deficit in the fiscal year coming up. Taxpayers in Michigan and 
across this country certainly deserve a whole lot better, and 
we simply cannot afford to continue down this same path.
    As Members of Congress, it is our duty to root out waste 
and ensure that government is being held accountable to 
taxpayers. We must fulfill our obligation to conduct rigorous 
oversight and craft bipartisan, commonsense reforms to 
strengthen the programs that Americans have come to count on.
    We must also look for smart ways to cut spending and save 
tax dollars, such as eliminating duplicative or overlapping 
efforts that end up costing us a whole lot more in the long 
run.
    I appreciated the opportunity to work with my colleagues 
Senator Paul and Senator Lankford to enact legislation to 
increase government efficiency last Congress. I also look 
forward to reviewing Senator Lankford's ``Waste Report'' and 
finding new areas to work in a bipartisan way with Chairman 
Johnson and Members of this Committee to make our government 
function better.
    We must make real progress on these goals--starting with 
today's hearing.
    By examining the areas of concerns raised in today's 
hearing, we can focus on providing the proper funding and 
oversight of Federal programs that will enable us to rein in 
spending, reduce waste, and provide greater accountability for 
the American people.
    And with that, Mr. Chairman, I look forward to the 
discussion.
    Chairman Johnson. Thank you, Senator Peters.
    Mr. Dodaro, you are fully aware that we swear witnesses in, 
so if you will please stand and raise your right hand. Do you 
swear the testimony you will give before this Committee today 
will be the truth, the whole truth, and nothing but the truth, 
so help you, God?
    Mr. Dodaro. I do.
    Chairman Johnson. And, actually, we needed everybody else 
to stand as well, and I forgot to do that.
    [Witnesses sworn.]
    Chairman Johnson. You are all sworn in. Thank you. 
[Laughter.]
    Gene Dodaro has been the Comptroller General of the U.S. 
Government Accountability Office since 2010 and has more than 
40 years' experience at the agency, including as Acting 
Comptroller General, Chief Operating Officer (COO), and head of 
the Accounting and Information Management Division. Mr. Dodaro.

 TESTIMONY OF HON. EUGENE L. DODARO,\1\ COMPTROLLER GENERAL OF 
   THE UNITED STATES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; 
  ACCOMPANIED BY CATHLEEN BERRICK, MANAGING DIRECTOR, DEFENSE 
   CAPABILITIES AND MANAGEMENT TEAM; NIKKI CLOWERS, MANAGING 
    DIRECTOR, HEALTH CARE TEAM; ELIZABETH CURDA, DIRECTOR, 
  EDUCATION, WORKFORCE & INCOME SECURITY TEAM; MARK GAFFIGAN, 
MANAGING DIRECTOR, NATURAL RESOURCES AND ENVIRONMENT TEAM; NICK 
  MARINOS, DIRECTOR, INFORMATION TECHNOLOGY AND CYBERSECURITY 
 TEAM; AND CHRIS MIHM, MANAGING DIRECTOR, STRATEGIC ISSUES TEAM

    Mr. Dodaro. Thank you very much, Mr. Chairman. Good morning 
to you, Ranking Member Peters. Senator Romney, Senator Rosen, 
good morning to you both. I am very pleased to be here today to 
talk about GAO's high-risk update.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Dodaro appears in the Appendix on 
page 44.
---------------------------------------------------------------------------
    As you mentioned, Mr. Chairman, this program continues to 
be a valuable congressional oversight tool and produces 
tangible benefits for the American people. You mentioned the 
financial benefits that we have saved, approaching $350 
billion. A lot of that, I might point out, is where we have 
seen progress in the high-risk areas, Congress has had a hand 
in helping that progress. We have a two-page section in my 
written statement about all the actions Congress has taken 
through legislation, through authorization bills, and through 
appropriation bills to implement GAO's recommendations.
    You asked where congressional action is needed. There is 
actually a note in our report next to each of the high-risk 
areas where Congress needs to act. And we can talk more about 
that, but we have specific recommendations to Congress, where 
appropriate, to remedy these high-risk areas.
    Now, since our last update in 2017, we have seen some 
progress. Seven areas have improved. Two areas have improved to 
the point that we are taking them off the list. One is 
Department of Defense (DOD) supply chain management. Through 
efforts to implement our recommendations, DOD is now saving 
millions of dollars in inventory management, asset visibility, 
and material distribution, and DOD has strengthened its ability 
to help support military operations.
    The second area we are taking off is mitigating weather 
satellite data gaps. The National Oceanic and Atmospheric 
Administration (NOAA) launched a new satellite a year or so 
ago. It is now producing better weather forecasting information 
for the public, so there is a clear benefit there. And DOD is 
on track to update its polar orbiting weather satellites in the 
next couple of years. We think that program is on track now 
thanks to implementation of our recommendations. Both of these 
areas had congressional involvement, and I want to underscore 
that.
    The majority of the 35 areas that are on the list have not 
really progressed very much, so substantial effort is really 
needed by the agencies and by Congress to help make further 
progress in these area.
    Three areas have actually regressed since our last 
assessment: acquisition at National Aeronautics and Space 
Administration (NASA), the EPA's oversight of toxic chemicals 
and assessments, and limiting the Federal Government's fiscal 
exposure by better managing climate change risk. All of those 
have moved backward in a number of areas.
    There are many areas that need attention, but there are a 
few that I want to single out this morning for your special 
attention. One is the Pension Benefit Guaranty Corporation 
(PBGC). The multi-employer portion of the PBGC is expected to 
be insolvent by 2025. That basically means that 11 million 
Americans who are counting on that will not potentially have an 
adequate pension. The amounts that would be available to them 
if this went insolvent would be $2,000 a year--hardly enough to 
qualify as an adequate pension.
    The second area is the Federal role in housing finance. 
Fannie Mae and Freddie Mac are still in Federal conservatorship 
10 years after the global financial crisis. The Federal 
Government has assumed all or most of the risk associated with 
housing programs. About 71 percent of all single-family 
mortgages are supported by the Federal Government, either 
directly or indirectly. The portfolio of Ginnie Mae has swollen 
to about $2 trillion, the Federal Housing Administration (FHA) 
over $1.2 trillion. There is tremendous exposure here. A lot of 
the lending in the mortgage area is being done by nonbanks, 
which are not regulated as much as the banking industry, and so 
this increases the risk. So this area is very important.
    Cybersecurity and protecting the Nation, both the Federal 
Government systems, critical infrastructure protection, but 
also protecting the privacy of Americans, are important and we 
have many recommendations. Actually, last year--Mr. Chairman, 
you mentioned we do this update every 2 years. I have been so 
concerned about cybersecurity, we did a special update that I 
testified on last summer before Congress. We need a more 
comprehensive national and global strategy. We need to fix the 
problems. We still have over 700 GAO recommendations that have 
not been implemented. We do not know as much as we need to know 
in the Federal Government about critical infrastructure 
protection, the electricity grid, financial markets, 
telecommunications, and other areas. We have called for 
Congress to pass a comprehensive privacy protection framework 
for consumers. This is, we believe, is needed.
    The 2020 Census, I have been before this Committee and 
talked about that before. That still needs a lot of attention. 
We are concerned about lack of testing in the preparation for 
the 2020 Census, and I can talk more about that in the question 
and answer (Q&A).
    I know you are also concerned in this Committee about the 
Department of Homeland Security (DHS). In that area, they have 
made a little bit of progress. We are tracking 30 performance 
measures. They now have 17 that they have fully met, but we 
have not really materially changed the overall rating. 
Financial management modernization continues to lag. 
Acquisition policies have been improved, but not consistently 
implemented. And morale continues to be a real problem there at 
the Department.
    So there is a lot to talk about today. I will conclude my 
opening statement now, and I would be happy to engage in 
questions with the Committee. I underscore GAO's full support 
to work with this Committee and others in Congress to make 
these high-risk areas experience progress.
    When I was before this Committee for my confirmation, one 
of the goals I set for myself was to not only identify all the 
high-risk areas across government, but to get them actually 
solved and off of the list. So that is definitely our goal, and 
I know this Committee shares that goal. I look forward to 
engaging with you today and beyond.
    Thank you very much.
    Chairman Johnson. Thank you, Mr. Dodaro.
    Normally I would defer my questioning, but I am going to 
have to leave for another hearing here in about 10 minutes, so 
I do have a number of questions to ask you.
    Let us start with DHS. It has been a troubled agency 
because it cobbled together 22 different agencies with 
different missions, and it has enormous responsibilities. Brock 
Long took over as being head of FEMA and within literally days 
was hit with just unprecedented hurricanes, fires, that type of 
thing. We just updated our chart of unaccompanied alien 
children (UAC) and family units coming to this country. In 5 
months, we have 159,000 unaccompanied children and people 
coming in illegally as family units compared to 2014 where 
President Obama declared the humanitarian crisis of 120,000. So 
2014, 120,000 as a humanitarian crisis. In 5 months, we are 
already at 159,000.
    So the Secretary is, from my standpoint, dealing with 
crisis after crisis. It is kind of hard to get DHS management 
of 22 different agencies together. Can you just kind of speak 
to that basic reality of that Department?
    Mr. Dodaro. Yes. We placed DHS on the High-Risk List in 
2003 the day it was created. They were compromised of 22 
different departments and agencies, each of which had their own 
challenges to begin with.
    Now, to be fair, they have made a lot of progress. They 
have set policies in place. They have strategies. They have 
come a long way, and we have reduced the scope of the high-risk 
area down to management integration of their basic functions on 
purchasing and acquisitions, financial management, human 
capital, and those type of areas. So they have a good plan. We 
have probably the best relationship that we have with any 
agency in working with them to make progress. We have agreed on 
these 30 measures they need to put in place, and they have made 
good progress.
    Chairman Johnson. Again, you are seeing----
    Mr. Dodaro. I am seeing progress.
    Chairman Johnson. You are seeing buy-in from management and 
from the Secretary.
    Mr. Dodaro. Yes. They have a plan. But they are down to the 
real tough issues right now, and that is really the problem. 
While they get a clean opinion on their financial statements, 
their financial management systems still require a lot of 
manual intervention to produce the financial statements. They 
have tried and failed a number of financial system 
modernizations. They are trying again now. For some components, 
FEMA and U.S. Immigration and Customs Enforcement (ICE), they 
do not even have a plan yet on how they are going to go forward 
on financial system modernization. They need more people with 
the right kind of skills in financial management.
    For the morale issues, we have made recommendations. They 
have implemented our recommendations to have plans at the 
component agencies where they are having problems where you 
really have to manage at the detailed level in those 
situations. But they have not been successful in breaking 
through. They are still last out of the 20 largest Federal 
agencies in the Federal Government with an employee 
satisfaction score of only about 60-61 percent, I think. And we 
are going to dig in a little bit more there.
    On the acquisition side, they have put in place a lot of 
good policies and practices. They have not fulfilled one of our 
recommendations to really assess the capabilities of their 
current acquisition staff and fill gaps if needed. And they 
have not really adhered to implementing their own policies and 
practices. As a result, the last time we looked, about half of 
their portfolio of major acquisitions were over cost and behind 
schedule.
    So they have a road map. They just need to execute.
    Chairman Johnson. Under our homeland security part of our 
Committee, we have four primary priorities. You mentioned three 
of them, or I mentioned: border security, cybersecurity, 
protecting our critical infrastructure. Last week, we held what 
I thought was an excellent roundtable on the threat of 
electromagnetic pulse (EMP) and geomagnetic disturbance (GMD) 
against our electrical grid, but our grid is vulnerable, 
whether it is a cyber attack or whether it is other kinetic 
attack or whatever.
    I know in your testimony you are talking about--and Senator 
Peters has a bill that recognizes this, but the whole issue of 
attracting and then retaining personnel in cyber, in computer 
science, because the private sector pays so much more. That is 
a real issue.
    I want to go to a different issue. We had the blue ribbon 
study panel come in here talking about the threats on 
biothreats. Their number one recommendation was somebody has to 
be in charge. Throughout all the departments, all these 
agencies, there are so many different agencies that have some 
part in different budgets in the whole biothreat. But we have 
the same issue, whether it is cybersecurity, whether it is 
protecting our critical infrastructure, things like the 
electrical grid.
    I would like you to just kind of speak to that, from my 
standpoint, imperative. Somebody has to be in charge, and they 
have to have a high enough profile, they have to have direct 
access to the President and top levels of government to really 
drive this process and consolidate all these responsibilities 
so we have a unity of effort, as we are trying to do with DHS, 
in some of these critical areas, like cyber, like protecting 
our critical infrastructure.
    Mr. Dodaro. Yes. Most of the high-risk areas we have added 
to the list in recent years have been areas where multiple 
Federal agencies need to work together in order to have an 
appropriate effort to address the problem.
    Chairman Johnson. Let me stop you right there. So where you 
have seen that, have you really seen, without somebody in 
charge--I hate to use the word ``czar,'' but, I mean, that 
shows the concept. Have you seen those agencies ever really 
effectively work together?
    Mr. Dodaro. Not really, no. Many of our recommendations are 
focused on that. Our recommendations in the cyber area is to 
have a comprehensive national strategy that is both domestic 
and global. We need cyber diplomacy as well, because there are 
no international norms in this area. And while the government 
has put out national strategies--and we give this 
Administration and prior Administrations credit--still there is 
no implementation plan with clear roles and responsibilities, 
resources that are needed, metrics to decide how much progress 
is being made over time.
    I put cybersecurity on the high-risk area across the entire 
Federal Government in 1997. We have been pushing for this. We 
put critical infrastructure protection on in 2003. I still do 
not believe there is enough of a sense of urgency in correcting 
the problems across the government, whether it is in individual 
agencies or across the government. I think the cyber risks are 
getting more complicated. With the Internet of Things (IoT), 
artificial intelligence (AI), and quantum computing on the 
horizon, this issue is going to get more complicated, not less, 
and these are global supply chain issues. And so we need a 
strong, comprehensive national strategy. We need leadership. 
The leadership has to come out of the White House in a number 
of these areas, and the National Security Council (NSC) is 
charged with this right now. We are doing an assessment right 
now to find out exactly who is in charge of what and how it is 
being executed since they eliminated the position of 
Cybersecurity Coordinator in the White House. So we are trying 
to pin down that very issue, and we will provide this Committee 
with a detailed report with our recommendations on that.
    But you are exactly right. We need a strategy. It needs to 
have all the elements of a successful strategy, and it needs to 
be implemented and tracked over time.
    Chairman Johnson. Again, I think urgency exists, but when 
the urgency is diffuse, we need somebody in charge in these 
different areas, whether it is bio, whether it is cyber, 
whether it is critical infrastructure. Because that is the only 
way you create the public pressure to have the urgency that is 
going to be required.
    Mr. Dodaro. I agree with you, Mr. Chairman. I agree with 
you. But you also need the urgency within individual 
departments and agencies. Given the OPM breach occurred several 
years ago, they still have not implemented our recommendations 
to address the vulnerabilities at OPM. So virtually every 
Federal department and agency has problems that they can fix 
themselves. There are national issues that need the leadership 
that you are talking about, so you need both. I would not 
overlook the individual agencies and departments because every 
vulnerability that is not fixed is a vulnerability that can be 
exploited and cause the Federal Government great harm.
    Chairman Johnson. Well, thank you. Now I will turn it over 
to Senator Peters, and I mean fully turn it over, probably, so 
thanks.
    Senator Peters. Well, thank you, Mr. Chairman. Do you want 
me to take the----
    Chairman Johnson. Sure, sit in the big chair. [Laughter.]
    Senator Peters [Presiding.] I will sit here until Senator 
Lankford gets here.
    Mr. Dodaro, I think it is quite evident that the EPA is 
facing some serious challenges in assessing and controlling a 
number of toxic chemicals, things that you have outlined in 
your report as well. I would argue that the EPA and the 
Department of Defense have consistently failed to take 
responsibility and protect Michigan residents and communities 
across the country from exposure to PFAS, which are harmful 
fluorinated chemicals, as you know.
    I appreciated the GAO's participation last September when I 
convened the first Senate hearing on PFAS, and I want to follow 
up on the Federal Government's exposure to what could be 
considerable cleanup costs. While you have estimated the 
government's total environmental liability, has the GAO since 
determined the Federal cost of cleaning up PFAS contamination 
specifically?
    Mr. Dodaro. We have not been requested to do that and, 
therefore, have not, but we would be happy to work with you in 
designing some work where we could go in and try to determine 
that figure.
    Senator Peters. So there is some precedent for analyzing 
total costs related to clean up, health care, and liabilities 
for something as specific as PFAS? And how would you do that 
analysis kind of generally?
    Mr. Dodaro. I would have to talk to our experts and be able 
to figure out how to do it. We would start with what efforts 
the agencies have made to deal with it and find out what 
methodology they have used. Under Federal accounting standards, 
departments and agencies are supposed to determine their 
environmental liabilities and report them in their financial 
statements. The largest environmental liabilities that we have 
at the Federal Government are at the Department of Energy. This 
year they reported almost half a trillion dollars alone just at 
the Energy Department.
    So all the departments and agencies are supposed to do 
this, so we would look at what the departments and agencies 
have done. We would look at best practices and how to develop 
such methodologies, and then we have a standing contract with 
the National Academy of Sciences (NAS), so we would bring in 
some experts in that area that have experience to advise us in 
developing an estimate, if one is not already available.
    Senator Peters. Well, I think we certainly need a 
coordinated, multiagency action plan to tackle the PFAS 
contamination crisis. But I am also concerned that an 
interagency review process could be used to delay action to 
protect health and safety, which we cannot allow to happen. 
This morning, along with three of my colleagues, I sent an 
oversight letter asking for information on how the interagency 
process influenced the development of the PFAS Action Plan and 
if any agency tried to weaken EPA's plan to address drinking 
water contamination.
    So my question for you, sir, is: Has GAO done a 
comprehensive assessment and evaluation of the Federal response 
to the PFAS contamination crisis, and looking specifically at 
how the EPA, DOD, the Office of Management and Budget (OMB), 
and the Department of Health and Human Services (HHS) have 
worked on this issue and what can be done better?
    Mr. Dodaro. We have looked at how DOD handles some of these 
chemicals for example, firefighting foam that is used at their 
military installations and bases. But we have not been asked to 
and have not done a comprehensive assessment in that area. But, 
again, we would be happy to work with you and other Members of 
the Committee if you want us to do one and to do that.
    Senator Peters. Well, I appreciate that. This is a priority 
for me. It is certainly a priority for the people of Michigan. 
I know many of my colleagues, Senator Hassan and others, have 
significant issues in their States as well. So I think we would 
all like to work----
    Senator Carper. Would the Senator yield for a moment?
    Senator Peters. Yes.
    Senator Carper. I have to run off to the Environment and 
Public Works Committee where we are having a hearing that 
starts in about a minute. This is an issue that has popped up 
all over the country. It is one we have been very much focused 
on. We very much appreciate your taking a look at it.
    Thank you so much.
    Senator Peters. That is great. Senator Carper is a lead on 
a very important bill related to that. Thank you, Senator 
Carper, for your leadership on that bill.
    The Federal Government suffers, as you have already 
mentioned, from a shortage of trained cybersecurity 
professionals for a number of reasons, including the 
recruitment and retention of these professionals. Can you talk 
about improvements agencies have made in shoring up our 
cybersecurity workforce? And, specifically, which agencies are 
making the most progress, in your estimation, and perhaps you 
could share some of those best practices for us?
    Mr. Dodaro. Yes, I will call our cybersecurity expert to 
the table, Mr. Nick Marinos, to help give you specifics. But 
one of the things that we found is Congress has put a lot of 
legislative requirements on agencies to assess their 
cybersecurity workforce gaps, and most of the agencies have not 
completed that task. So recently there has not been a full 
assessment in most parts of the Federal Government about their 
existing cybersecurity workforce and what gaps they need to 
fill in those areas. So that has been an important area. We 
have looked at that and made lots of recommendations to the 
agencies to be able to do that.
    But this is an area where OPM has not provided enough 
leadership over time, in my opinion, to determine 
classification standards for the cyber workforce. There is 
really no planning ahead for this type of situation that we 
find ourselves in now. But Nick can give you more details.
    Senator Peters. Great. Thank you.
    Mr. Marinos. We completely agree, Senator, there is a 
significant shortage not only within the Federal Government but 
globally for cybersecurity talent. We have seen with respect to 
the Federal Government one of the biggest challenges have 
been--and we have heard this actually from chief information 
security officers (CISOs)--that you bring in great talent, you 
develop them into a great workforce, and they become the most 
competitive folks to actually leave government for higher-
paying jobs in the private sector.
    One of the things that I would mention, though, to kind of 
double down on what Mr. Dodaro mentioned, is the importance of 
agencies knowing what their current workforce is and then 
knowing what they are going to need. So, ultimately, the 
Federal agencies really do need to do a better job at really 
assessing what their gaps are.
    Mr. Dodaro. And, Senator Peters, I would mention, too, that 
I do not think this is necessarily an insurmountable issue. I 
wanted to expand our cybersecurity workforce at GAO. We just 
hired over 30 cybersecurity people. I have gone to colleges and 
universities--Carnegie Mellon, University of Maryland--where 
they have Cybercorps scholarship programs, and they are 
producing good people. Some of these people are going back for 
second careers, so they have a variety of experience, and we 
try to establish a pipeline where we can continue to recruit 
and bring people in.
    So you have to work at this. There are a lot of 
flexibilities the agencies have been given. I am not minimizing 
the task associated with this, but I do think with concerted 
effort, greater results could be achieved.
    Senator Peters. I am out of time here, but just as part of 
looking at some of those gaps and how we make Federal service 
more attractive to folks, it seems to me we have rules that 
were made many years ago before people moved from job to job, 
and they go into the private sector, then come back because 
they believe in the mission of what we do here, but then they 
want to go back to the private sector. And yet people are 
limited in what level they can come into in the Federal 
Government based on rules. So those are the kinds of things 
that I am sure you have seen that we need to fix. We need to 
have a 21st Century personnel policy, particularly in cyber, 
but in other critical areas. Would that be an accurate 
statement?
    Mr. Dodaro. Absolutely. In 1980, GAO got its own personnel 
authority from OPM, and we got rid of the General Schedule (GS) 
classification system, and went to a broadband system where it 
is much easier to bring people in and out of the government. 
Actually, we have changed our whole recruiting approach so that 
we can facilitate that kind of activity, particularly with 
today's modern workforce. So we recruit all levels. In any one 
year, a number of people we hire are people we are hiring back 
into GAO, who had been there earlier, but went to the private 
sector, went to academia or some other place, and then come 
back to the organization. So with this different personnel 
structure, it would be a lot easier than it is under the GS 
structure.
    Senator Peters. All right. Thank you.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford [Presiding.] That could be the most earth-
shattering personnel whole series of hearings conversation I 
have heard in a long time, that we got rid of the GS structure, 
we went to this, and it actually worked more effectively. We 
will follow up on that in the days ahead because there have 
been a lot of questions on that. So glad to have you in the 
dialogue. Senator Rosen.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you for being here and for your 
report, and I want to kind of continue in this vein of not just 
cyber workforce but the information technology (IT) workforce 
in general and how we are preparing and planning and developing 
this people pipeline, maybe not just at the college level but 
even down starting in the junior high level.
    I am a former computer programmer and systems analyst, and 
I am really concerned that IT staffing is an issue that comes 
up over and over again in this report. For example, there is a 
lack of staff to oversee the $886 million contract for 
integrating IT systems needed, like you said, to conduct the 
census next year; problems with recruiting IT personnel for the 
Defense Department over and over again.
    However, conversely, elsewhere in your report you point out 
that the Federal Government invests $90 billion a year in IT, 
so this is concerning to me that we have a shortage, we are 
investing $90 billion, and how our tax dollars are effectively 
spent.
    But where I really think this is an issue is on workforce 
planning, training, and development. So I want to be sure that 
we are forecasting the need of IT professionals going forward 
across the spectrum, not just cyber. There are many areas in 
the IT world.
    And so what I would like to do is to see if you would be 
willing to institute an analysis going forward of the needs 
that we are going to have, how we invest in our trained 
workforce and how we partner with our State, Federal, and 
community partners.
    So do you have this analysis in your department for the 
next 5 to 10 years, as much as you can currently do, knowing 
that we could be rolling and changing it?
    Mr. Dodaro. This is one of the key issues that we have 
looked at. We have designated IT acquisitions and operations 
across the entire Federal Government as a high-risk area. Most 
of the $90 billion that gets spent every year is spent to 
maintain existing legacy systems and not put new systems in 
place.
    I worked with this Committee back in 1996 to actually 
create Chief Information Officers (CIOs) for the Federal 
Government to provide leadership. Congress strengthened the 
leadership requirements for the Chief Information Officers, but 
our recent work has shown that the Chief Information Officers 
and departments and agencies still do not have all the roles, 
responsibilities, and authorities to work on the IT workforce 
issues.
    So this is a particular problem because you have to----
    Senator Rosen. Would you be willing to conduct an analysis 
of the need? So then we can go out to those junior high and 
high school counselors, college counselors, work with the 
businesses in our States to be sure that we are developing the 
skills and people, especially kids or anyone who needs 
retraining, to enter this workforce.
    Mr. Dodaro. Well, that definitely needs to be done. We 
would not substitute our judgment for the management of the 
individual departments and agencies, however. So they would 
have to determine what their needs are.
    Let me ask Nick Marinos, who is our cybersecurity expert, 
to tell us, but we have identified this as a high-risk area 
across the government.
    Senator Rosen. I want to ask you one more question about 
legacy systems. I know the importance of legacy systems. Like I 
said, I used to write computer code. But there also is an 
importance for transitioning from those legacy systems and 
having that bridge as technology and things change and the 
people who are able to maintain and support those legacy 
systems begin to retire or move on.
    And so would you be willing to do an analysis of how we 
bridge from the legacy systems in smart ways, effective ways, 
on to newer technology and different platforms?
    Mr. Dodaro. Yes. We would be happy to work with you on 
that. In fact, we are currently examining how agencies are 
identifying and categorizing their IT positions, and we expect 
to issue a report next week on that subject. So perhaps after 
you take a look at the report, we could get together and work 
out what additional things you would like to have done.
    Senator Rosen. I would love to do that. This is a huge 
challenge as technology changes and challenges of the past are 
not challenges of the future and how do we bridge that in smart 
ways going forward.
    Mr. Dodaro. I agree with you, Senator Rosen. This is a very 
important issue, and we are committed to working with you on 
it.
    Senator Rosen. Perfect. Thank you.
    Did you want to talk about cyber?
    Mr. Marinos. Yes, Senator. I think even more broadly to 
your comments with respect to the IT workforce, I think one 
thing to build on what Mr. Dodaro mentioned with respect to the 
authorities that are empowering our Chief Information Officers, 
we also find routinely across IT and cybersecurity issues that 
coordination among the C-suite entities within the Federal 
Government agencies is absolutely critical. That is the only 
way really to know that the IT workforce needs are really 
getting communicated effectively to the human capital office as 
well.
    Senator Rosen. So let me ask you this question, because we 
are here in Congress and we write legislation. So what do you 
think might be some effective ways that we can help promote and 
encourage our businesses, our institutions, our educational 
opportunities? How can we best partner to provide this 
workforce?
    Mr. Marinos. Well, one thing I would say is that Federal 
agencies have a lot of flexibility when it comes to the hiring 
authorities that they can use but quite frequently are only 
leveraging a small percentage of those. And so part of it is 
educating the human capital workforce on these critical areas 
of need. So as you have human capital officers and their staff 
making decisions ultimately on where to recruit, who to hire, 
how to make those decisions, and they are informed about the 
technical issues. And so actually training is quite a 
substantial component of this.
    Senator Rosen. But does it go deeper than recruiting down 
to younger educational levels, so that the pipeline is already 
there by the time you are starting to get out of high school 
and people are thinking about what they are going to do next?
    Mr. Marinos. I absolutely agree, and I would say that with 
respect to the cybersecurity workforce side of things, we have 
explored and do routinely look at efforts within the Office of 
Personnel Management and DHS. There are programs that they are 
partnering on to really do that, look at the K-12 education 
aspect of this as well. And I completely agree, if we do not 
get people really focused and interested in these areas even 
before they enter into universities, then we are losing out on 
some very good talent.
    Senator Rosen. Thank you.
    Mr. Dodaro. I think in addition to what Nick just said, 
Congress' role could be also in addition.
    Senator Rosen. Yes.
    Mr. Dodaro. To do additional oversight over departments and 
agencies. I think that the congressional oversight in this area 
is to inquire what agencies are currently doing to manage their 
IT workforce, to get coherent answers from the agencies on what 
they are doing, because Congress could, as they have done in 
the past, give a lot of additional authorities, but if they are 
not being used effectively----
    Senator Rosen. Right. We have apprenticeships, grants, and 
work opportunity tax credits. We want to be sure that they are 
out there, not being wasted, and used in the best ways.
    Mr. Dodaro. That is my point. So I think you need both.
    Senator Rosen. Yes. Thank you. I appreciate it.
    Mr. Dodaro. Thank you.
    Senator Lankford. Senator Romney.

              OPENING STATEMENT OF SENATOR ROMNEY

    Senator Romney. Thank you. I appreciate the chance to speak 
with GAO this morning, and I appreciate your work, Mr. Dodaro. 
Obviously, the responsibility you have is massive. I cannot 
imagine any accounting firm in the country that has a client as 
big as this one or as dysfunctional sometimes as this one. And 
so I appreciate the work that you do and the work of your 
entire team. It is essential, and I wish we were more effective 
in responding to the identification of concerns that you bring 
to our attention.
    I do not have to tell you that one of the great challenges 
of our Nation is a debt of about $22 trillion, which is going 
to be growing by about $1 trillion a year into the indefinite 
future. And if we were to take all the money that the Americans 
earned this last year, take all of the money that they earned 
and used it to pay down the debt, why, we would still have more 
debt to pay down. So it is becoming a very large number, and 
the interest on that debt is becoming a real challenge as well. 
I would note that that number is large and growing larger and 
certainly presents a certain risk to us.
    Those of us who have run national campaigns--and there are 
quite a few in this chamber that have, and some are right now. 
[Laughter.]
    Often talk about balancing the budget with just taking care 
of waste, fraud, and abuse. And I would like to ask a question 
which may be impossible to answer because it is not really in 
your purview to have to add all this together. I am wondering, 
if one were able to gather all of the waste, fraud, and abuse 
that exists throughout government and not to reach perfection, 
not nirvana, but a realistic, if you will, best demonstrated 
practice that might be employed in either governments or in 
corporate America, and to say if we were able to apply those 
techniques in Medicare, for instance, if we were to do it as 
effectively as the best insurer does in preventing waste, 
fraud, and abuse among their subscribers, if we were to take 
those kinds of practices and apply them throughout government, 
do you have a sense of what the number might be? How much 
number is available in waste, fraud, and abuse if we were just 
to apply the best practices that are reasonably existent? 
Because, for instance, there is a tax gap, which is worth half 
a trillion dollars, but we are not going to close the tax gap 
entirely. But being realistic, what kind of number might we be 
looking at?
    Mr. Dodaro. I think you are basically looking--in addition 
to the tax gap, the current most recent estimate of improper 
payments--these are payments that were made or were made in the 
wrong amounts--is $140 billion in the last year. So you have 
that figure out there. But you are not going to eliminate all 
that either.
    The bottom line is you can do a lot, and the amounts will 
be maybe in the tens of billions or hundreds of billions of 
dollars, but it will not be enough to deal with the 
unsustainable long-term fiscal path of the Federal Government.
    The amount of debt to gross domestic product (GDP) right 
now is 78 percent, and it is on a path to exceed the historical 
high of 106 percent of gross domestic product for World War II. 
The Social Security program this year, both the Old Age portion 
and Disability, will be approaching $1 trillion a year. Both 
Medicaid and Medicare are on track to achieve individually $1 
trillion by 2026. The Medicaid amount considers State spending 
as well, so it is not all Federal, but mostly. And the interest 
on the debt is expected to be $928 billion, according to 
Congressional Budget Office (CBO), by 2029. So we are on track 
for just those areas alone to be $4 trillion, sort of an 
opening bid before you fund anything else in the Federal 
Government.
    There is considerable fraud, waste, and abuse in the 
Federal Government, but not enough to deal with the structural 
problem that we have between our expenditures and our revenues. 
It is going to require Congress to look at all the entitlement 
programs and the revenue side of government, in order to get it 
on a more sustainable path.
    I have also recommended that Congress change how it tackles 
the debt ceiling issue. The current approach is divorced from 
the appropriations process, and all it does is authorize 
Treasury to borrow the money to pay the bills Congress and the 
President have already authorized. And when there is a concern 
about whether the Federal Government is going to raise the debt 
ceiling in time, as we are right now--we are in a debt issuance 
suspension period. Treasury is taking extraordinary actions. 
They are actually borrowing against Federal retirement funds in 
order to pay the government's bills until they get the 
authority from Congress to borrow more. We did a study on the 
interest costs of borrowing money, if there is concern in the 
markets, it shows the interest rates go up; markets want more 
of a premium.
    Also, some in the markets, Treasury security markets, are 
avoiding purchasing securities that might mature around the 
time Treasury could run out of cash. So it is distorting 
liquidity in the secondary markets. So it does not control the 
debt, it is causing our interest costs to go up, and it is 
distorting the markets. And so we need to have a different 
approach in this area.
    We should do everything we can to reduce fraud, waste, and 
abuse in the Federal Government, but I have also recommended 
that Congress have a plan to deal with the long-term 
unsustainable nature of the Federal Government's budget and to 
change the debt ceiling. We need to do everything we can to 
never affect the full faith and credit of the Federal 
Government, which if we do not pay our bills on time, that 
would be broaching, I think, very dangerous territory.
    Senator Romney. Thank you. For some of us who have been 
outside Washington for our entire career, the fact that 
Washington did not grab the work that was done by Simpson-
Bowles and the effort that was done by their group was a bit of 
a mystery. And it does sound like waste, fraud, and abuse might 
be able to come up with tens of billions of dollars or even 
$100 billion, but that we have to address the structural 
challenge that we have, in particular with regard to some of 
our entitlement programs as well as other parts of our 
spending, to avoid, as you say, almost $1 trillion in interest 
costs.
    I had the occasion at the end of one of my unsuccessful 
campaigns to receive a call from a former Democrat President 
who said, ``We cannot lead the world if we are paying interest 
like that.'' I hope you will help give us some encouragement to 
move in that direction.
    I know my time is up. I want to underscore the comment made 
by our Chairman just before he had to leave for another 
committee hearing with regard to cybersecurity, and your 
agency's suggestions as to how we can organize an effort to 
actually implement true agency-to-agency cybersecurity would be 
helpful, and I think his point, which is you need someone or 
some group responsible for this across agencies and perhaps on 
a more strategic basis than hoping each agency will just do it 
on their own. I do not know how to go about doing that, but you 
might be able to give us some guidance in that regard.
    Mr. Dodaro. On that point, Senator Romney, the Department 
of Homeland Security does have central responsibility for 
working across the Federal departments and agencies. But to 
address fully cybersecurity issues, in our opinion, you also 
need to be able to work with the private sector and others. And 
so DHS is an important component of coordinating across the 
Federal Government, but to deal with cybersecurity issues, you 
need a national strategy to deal with State and local 
governments as well as the private sector, and that has to be 
out of the White House.
    Senator Lankford. Senator Hassan.
    Senator Hassan. Actually, I think Senator Sinema has a 
pressing problem, so I will yield to her.
    Senator Lankford. Yes, Senator Sinema.

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Thank you, Mr. Chairman. Thank you, Senator 
Hassan. And thank you so much, Mr. Dodaro, for being here 
today.
    The GAO does important work, and I look forward to working 
with you and all of my colleagues to improve the effectiveness 
and efficiency of Federal programs. As you know, the Phoenix 
Department of Veterans Affairs (VA) was the epicenter of the VA 
crisis, and that crisis was the result of oversight, gross 
mismanagement, a broken scheduling system, and insufficient 
resources and staffing.
    There has been progress, but I am concerned that the VA 
appears twice on the High-Risk List for access to care and its 
contracting practices. Our office continues to hear from 
veterans about problems accessing care and navigating the VA 
bureaucracy. Access to care is especially challenging in rural 
areas in our State where veterans have to navigate existing 
community care policies and transportation to facilities. I 
have heard from our Veterans Service Organization (VSO) leaders 
about veterans who actually forgo medical treatment because it 
is just too difficult to navigate the travel and the 
regulations.
    As you know, Congress passed the VA Maintaining Internal 
Systems and Strengthening Integrated Outside Networks Act of 
2018 (VA MISSION) to streamline and improve contracted care in 
the community, and under these recently released standards, 
veterans who have to wait more than 20 days or drive more than 
30 minutes to get primary care can use this contracted care. I 
support that effort because our veterans deserve the best care. 
I am concerned that the GAO names the VA's acquisition policies 
and health care access programs as most at risk for waste, 
fraud, abuse, and mismanagement. This is, of course, very 
concerning because this is at the core of implementing the VA 
MISSION Act, and poor implementation of the act could further 
strain the issues that have been identified by the GAO and 
further put at risk the quality of care for our veterans.
    So given the importance of the VA MISSION Act, which we are 
working to implement, and how important it is to improving 
health care access for veterans, how do you recommend that 
Congress exercise oversight on the MISSION Act and its 
implementation?
    Mr. Dodaro. I think one of the first things--and I have 
been joined by Ms. Nikki Clowers, who is head of our Health 
Care Team and does a lot of work at the Veterans Affairs 
department. Actually, it is on the High-Risk List three times. 
You caught two of them. The third one is in the disability area 
where we have their inability to process disability claims, and 
particularly appeals on disability claims, in a timely fashion.
    So there is a lot of room for congressional oversight in 
this area. We placed the Veterans Health Care portion on the 
High-Risk List in 2015. There has yet to be a comprehensive 
plan on how to address the high-risk issues that we identified 
in that area.
    I have met with four VA Secretaries since then, and I met 
most recently with Secretary Robert Wilkie, and he has a 
modernization approach that he pledges that will address our 
high-risk areas. But there are a lot of details that need to be 
worked out and resources and commitments. We have met with the 
heads of the Veterans Health Administration (VHA). I met with 
the head of the Veterans Benefits Administration (VBA). We just 
put the acquisition area on the High-Risk List because of 
concerns about outdated policies and procedures. They have not 
updated their acquisition regulations in about 11 years. They 
have been working since 2011 on an update, and they still do 
not have the update available. Their approach to save money in 
the surgical and medical supplies areas produced limited 
savings. We found about 20 percent of their procurements are 
still emergency procurements where they are not going through 
all the competitive processes to get the benefits of lower 
costs.
    So I will ask Nikki to explain a little bit more in the 
health care area, but these are areas I am very concerned 
about, and we are committed to working with Congress. But I 
think congressional oversight is absolutely essential.
    Senator Sinema. Thank you.
    Ms. Clowers. Senator, you raise an important issue in terms 
of the Choice program, the program that we have right now in 
terms of veterans getting care in the community as they 
transition to the new program under the MISSION Act. We found a 
number of problems that veterans were experiencing under the 
Choice program, as well as providers in terms of timely payment 
to providers, as well as access to providers on the beneficiary 
side. For example, last summer, we were looking at the access 
and timeliness in terms of veterans getting care, and the 
policy states the veteran should be seen within 30 days under 
the Choice program. And when you just outlined the process, it 
could take up to 70 days for the veterans to receive care. And 
we went through the medical files and found cases where the 
time was exceeding that 30 days.
    So we made a number of recommendations to VA to consider as 
they transition to the new program to make sure that the 
contracts are written in a way that will hold everyone 
accountable for providing timely access to care for the 
veterans.
    Senator Sinema. Thank you.
    Of the five criteria that GAO uses to determine if a 
program can be taken off the High-Risk List, what is the area 
amongst those five criteria where the VA struggles the most? 
And how can we help the VA overcome that particular challenge?
    Mr. Dodaro. The number one issue is to get an action plan 
in place that outlines with specific milestones and measures 
and timeframes for being able to address those issues that we 
have struggled to get that. Without a good plan, you are really 
going to struggle to determine how to fix the problems and 
determine what kind of progress you are making.
    The second area I would say is the leadership. I think the 
Secretary is committed to this. He has said that to me and my 
team. He has brought his team in to work with our team. We have 
people working with them as much as possible. But there has 
been a lot of leadership instability at the VA at a lot of 
levels within the organization. So they need to have all the 
vacancies filled; they need to have some leadership stability; 
they need to really deal with the fundamental problems of the 
lack within VA of oversight and accountability. They really 
struggle with that. They are a very decentralized operation. 
You need to give discretion to the different areas, but you 
need to have some central oversight and accountability within 
VA.
    Their policies are outdated in a lot of different areas. 
The training needs to be better developed. Over time we 
continually find that to be a problem where they may have a 
good policy, but the people have not been trained properly, and 
it has not been implemented.
    So they have many fundamental management weaknesses. Their 
management structure at the VA is among the most challenged in 
the Federal Government, in my opinion, looking across the 
entire Federal Government. And that is why they have many areas 
on the list, and they need leadership, they need plans, and 
then they need follow up and holding people accountable for 
results, both within the VA, holding their managers 
accountable, but also Congress holding the VA accountable.
    Senator Sinema. Thank you.
    Mr. Chairman, I see my time has expired. Thank you.
    Senator Lankford. Thank you. Senator Hassan.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you, Mr. Chairman and Ranking Member 
Peters. And good morning, Mr. Dodaro. Thank you so much for 
being here and for your service.
    I want to try to touch on three different areas: one is to 
follow up a little bit on the issues of toxic chemicals 
generally; the second is on cybersecurity; and the third is on 
domestic terrorism, actually. So let us see how we can do here.
    One of the high-risk entries in GAO's report examines EPA's 
challenges with assessing and controlling toxic chemicals. The 
report points out that EPA has made little progress on this 
task over the past 2 years, and, in fact, that EPA's leadership 
has actually become less committed to addressing these 
challenges.
    Let me repeat that. The leadership has become less 
committed to assessing the public health threat of toxic 
chemicals, according to the High-Risk Report.
    In particular, the report cites EPA's leadership decision 
to cut in half the funding for the Integrated Risk Information 
System (IRIS) program which identifies and assesses the health 
threats posed by chemicals. Deeply concerning to me and people 
in New Hampshire that even with growing evidence that toxic 
chemicals are infecting our drinking water supplies, the EPA's 
leadership wants to undermine and underfund one of its key 
tools for identifying these kinds of health risks.
    In your view, sir, is this a conscious policy decision from 
the Administration to ignore these health concerns? Or have 
ineffective management practices led to inaction?
    Mr. Dodaro. We lowered the rating in leadership for two 
reasons: one was that there had not been a statement or 
commitment to focus on the IRIS issue where we have seen that 
in the past Administration; and, second, they proposed budget 
cuts in those areas.
    Congress ultimately said no to the budget cuts and held the 
budget stable at 2017 levels, but they still have to execute 
against that budget area. We just were not comfortable that 
they have stated a commitment. I will not speculate on their 
motives, but those are the facts. And that is why we lowered 
the rating. We would like to see more attention in that area. 
The IRIS program has not had a release of program outlook in 
December 2018, but we had fewer chemicals on it. Some 
assessments that they had started did not appear, so it was not 
clear why those disappeared and whether they plan to do that in 
the future.
    I know you have other areas, so I will stop there.
    Senator Hassan. This is helpful, and I am actually going to 
follow up, and if I have to do questions for the record, I 
will. But, in your view, what level of funding does the IRIS 
program need to be truly effective?
    Mr. Dodaro. Well, we typically do not give specific 
numbers. That is a management responsibility in the agencies, 
but it has to be sufficient.
    We make in our recommendations not only funding for IRIS 
but funding for implementation of Toxic Substances Control Act 
of 1976 (TSCA).
    Senator Hassan. Right.
    Mr. Dodaro. For example, they have proposed to have a fee. 
Whether the fee will cover the full cost or not--so both 
resource issues, are very important to focus on there.
    Senator Hassan. Well, I thank you for the focus. I am very 
frustrated to hear about EPA leadership's failure to take this 
particular public health threat seriously. People in New 
Hampshire have really struggled to get the Federal Government 
to acknowledge the public health threat of PFAS chemicals in 
their water supply, and they really do not appreciate the 
Administration's lack of urgency.
    Do you have any recommendations about what steps their 
leadership, EPA's leadership, can take today to immediately 
address the public health crisis resulting from toxic chemicals 
in our water supplies?
    Mr. Dodaro. Yes, they need to prioritize the IRIS 
assessments that are put in place. They need to have an 
implementation plan for TSCA that has measures among other 
things. And we have detailed out a number of recommendations I 
would be happy to submit for the record.\1\
---------------------------------------------------------------------------
    \1\ The information referenced by Mr. Dodaro appears in the 
Appendix on page 162.
---------------------------------------------------------------------------
    Senator Hassan. All right. Thank you for that.
    Let us turn now to another issue that a couple of Members 
have also talked about. In its 2019 High-Risk Report, GAO 
states that Federal agencies and other entities must take 
urgent action to, among other things, ``perform effective 
oversight'' of efforts to secure the Federal Government from 
cyber attacks.
    Now, we have talked about the workforce issue, but could 
you quickly expand on what you mean by ``increased oversight'' 
and what you think this should look like?
    Mr. Dodaro. Yes. We have a listing--it is in my statement--
of four critical areas that need attention and 10 specific 
actions that are needed. The first is a comprehensive national 
and global strategy that deals with emerging technologies, 
global supply chain risk, the workforce issue you mentioned. So 
we need a plan, a specific implementation plan, clear roles and 
responsibilities, resources, etc.
    Second, we have to fix the problems that are known at the 
individual departments and agencies, effectively implement 
continuous diagnostics and monitoring and attention; add when 
there are incidents that happen, to respond quickly. We have 
not seen that in a lot of cases. And we have known weaknesses 
that are not being fixed. There is no excuse for that.
    Senator Hassan. OK.
    Mr. Dodaro. Third is understanding more of critical 
infrastructure protection in our country. Right now those 
standards are voluntary, so the Federal Government tries to 
encourage them. There are some areas they have regulatory 
authority, they can be more specific. But in most of the areas, 
it is pretty much voluntary. And so we do not really know how 
prepared the private sector is to secure critical 
infrastructure protection, some of which we rely on for both 
military and other homeland security purposes as well.
    Last is improving the privacy of personally identifiable 
information (PII) and also dealing with information reselling 
on the Internet. Congress has really only dealt with that as it 
relates to health care information and consumer reporting. 
Other than that, there is really no framework, and the privacy 
laws have not been updated since 1974. So we have recommended 
that Congress legislate a comprehensive privacy security 
framework for the private sector.
    Senator Hassan. Excellent. Can you speak to whether 
agencies' Inspectors General (IGs) are adequately equipped to 
perform this cybersecurity oversight?
    Mr. Dodaro. We look at what they do. We have worked with 
them on a methodology that we both share and both use the 
methodology. We are updating it now, and the IGs do a good job 
in those areas. Again, the problem is that they keep finding 
the same things and problems are not fixed, the same as we do. 
But we rely on them to cover agencies where we just do not have 
all the resources necessary.
    Senator Hassan. Do you think there would be a value in an 
independent Cyber Inspector General that could perform 
oversight both across the Federal interagency as well as for 
specific Federal agencies?
    Mr. Dodaro. I would not think that would be necessary.
    Senator Hassan. OK.
    Mr. Dodaro. We have the authority at GAO to look across 
departments and agencies. They have the authority within 
departments and agencies. So I think there is a potential for 
duplication there, just to give you my opinion.
    Senator Hassan. Right, and that is why I ask because the 
issue is we keep hearing that, despite good intentions, it is 
not happening; that there is a list of recommendations, and the 
question becomes if there was somebody specifically designated 
across agency to actually also look at duplicative efforts and 
free up the other Inspectors General to do the other work, but 
really coordinate across agencies our cybersecurity efforts, 
whether that would have value.
    Mr. Dodaro. I think the problem is not lack of audit. The 
problem is lack of management, the intention to fix the 
problems identified in the audit. I think the auditors are 
perfectly well equipped and are highlighting the areas. They 
are just not getting fixed. And having another auditor find 
more problems is not really going to fix the problems that have 
already been identified.
    Senator Hassan. Got it. Yes.
    Mr. Dodaro. We made 3,000 recommendations just at the GAO 
alone since 2010; 700 of them are still not implemented.
    Senator Hassan. OK. That is great.
    Thank you. I realize I am over time, and I appreciate your 
generosity.
    Senator Lankford. Thank you.
    Senator Hassan and I have worked on trying to solve the 
government shutdown issue together, and we have a piece of 
legislation that we will probably drop by at some point for you 
to be able to take a look at also, but there are multiple 
issues that you bring to our attention that require a solution, 
and I appreciate it. I appreciate that you bring it to the 
attention of all of us. This is something only Congress can do, 
and this is something the Administration can do. That is very 
helpful to be able to continue to get out.
    Let me pick up a couple of things. One is keep doing the 
work you are doing and keep being as blunt as you can possibly 
be. Every one of your reports, when it goes through any kind of 
government editing process, everyone is always editing it and 
trying to make sure the right word is in there and it is not 
too harsh of a word and not too strong and make it as blunt as 
you can possibly make it. And so keep going, keep pushing back 
against the forces that say, ``Make that more careful.'' Make 
it clear. So thanks. We appreciate the work you are doing on 
that.
    On the debt ceiling, I would be interested to be able to 
finish that conversation that you started with Senator Romney 
as well. Are you making a recommendation for a process? 
Because, obviously, this is unique in the world in the way that 
we do a debt ceiling vote. No one else does it like we do, and 
probably for a good reason, no one else does it like we do. Do 
you have recommendations on that that you would want to 
present?
    Mr. Dodaro. Yes. We have highlighted three potential 
options that Congress could consider. One would be to set it 
within the budget resolution process each year, so when you 
make appropriation decisions and the revenue decisions, you can 
say, just like any household would say, here are our 
expenditures, here are our revenues, here is how much we are 
going to have to borrow. OK, we recognize that when we make the 
decisions on appropriations. I also think that the Budget 
Committees need to have a more holistic look at the government. 
Somebody needs to do it in the Congress. So that could be done 
that way.
    Second, another option could be that Congress just 
authorize Treasury and say, OK, when you need more money to 
borrow against, you can notify us, and we will disapprove it or 
not. So they can move forward unless Congress acts to say no.
    The third option would be to just authorize Treasury to 
borrow whatever sums are necessary in order to execute 
decisions and laws that Congress has passed and the President 
has signed into law.
    Up until 1917, Congress approved every borrowing in the 
Federal Government, but after World War I and then World War 
II, and the government got bigger, until it was not practical. 
So we arrived at this solution. So it was really a mechanical 
solution, and it is separate from the decisions that Congress 
makes on the budget and the allocation.
    Part of the problem is two-thirds of the Federal 
Government's budget is on automatic pilot and does not even go 
through the appropriation process. There is no real look.
    Now, one recommendation we have not formally made except 
orally is another improvement, I think, would be for Congress 
to agree on what the debt-to-GDP ratio should really be. What 
are we willing to tolerate? It just sort of is what it is.
    Senator Lankford. It is.
    Mr. Dodaro. And we do not plan or manage on a budget 
standpoint, and there are many things that are not accounted 
for in the budget process--major disasters, for example. A lot 
of our fiscal exposures are not accounted for in the budget.
    These estimates I was talking to Senator Romney about 
earlier are not even considering if we have a recession, there 
is another war, there are all these other major catastrophes 
and disasters. Congress does not have a game plan.
    Senator Lankford. Last year, I was on the budget reform 
committee. It was an ad hoc committee, eight Democrats, eight 
Republicans, trying to be able to find a solution to how we fix 
the budgeting process. Obviously, debt ceiling was a major 
portion of that. It was very unfortunate that after a year's 
worth of work, that failed at the end, and it was really a 
trust issue, is the reason that failed at the end in December. 
I have talked to the Budget Committee about reviving some of 
those same issues. Senator Enzi is very committed to that. 
Senator Whitehouse and several others are very committed to 
getting that done.
    I am hopeful that we can address that, but one of the 
things that came out of it was our blunt conversations with CBO 
when they said if you want to keep debt-to-GDP at 78 percent 
where it is right now, it does not get worse, and it is already 
bad--obviously, $22 trillion in debt is bad, 78 percent debt-
to-GDP is bad. If you want to just keep it at bad, you have to 
either increase taxes or decrease spending by $400 billion a 
year every single year for the next 30 years. I think most of 
our colleagues do not realize that we have already tipped over. 
Is there a tipping point? We are over the tipping point. We are 
on the other side of it now. There is no will in Congress to 
raise taxes or decrease spending by $400 billion a year this 
year, much less every single year for the next 30 years, just 
to be able to keep the status quo where we are debt-to-GDP.
    I appreciate you raising this. The debt ceiling is a 
portion of the conversation. It used to be a useful tool. Now 
it is a destabilizing tool that is there in the arsenal, and it 
will continue to be an issue for us.
    I want to bounce a couple of issues, and Senator Peters has 
some additional questions, and I will probably have some 
additional as well.
    You raised the issue of tribal issues on your High-Risk 
List for both the Federal Government's engagement with tribes 
and tribal members. I would like to be able to finish that 
conversation as well. There is some progress in areas I am 
grateful to be able to see, but I saw none of them as being met 
at this point.
    Mr. Dodaro. Yes, that is correct. There has been some 
progress, and we got some immediate attention right after we 
put it on the High-Risk List in 2017 with the update at that 
point in time. But there is still a lot of work that needs to 
be done in that area, and we need to see some consistent 
leadership. We put on the health care area, the education area, 
and then allowing them to use energy resources on their lands. 
So we have seen improvements in each of the areas, but they are 
not at the met level yet.
    Senator Lankford. Have you looked at the coordination 
agency to agency? Because if you look at tribal connections and 
responsibilities, obviously it is not just Bureau of Indian 
Affairs (BIA). It is every agency has a tribal component to it 
as well on how they are actually working together for strategic 
focus.
    Mr. Dodaro. Yes, this is Mr. Mark Gaffigan. He is head of 
our Natural Resources and Environment Team that handles 
coordination for Indian issues.
    Senator Lankford. OK.
    Mr. Gaffigan. Yes, Senator, I think you are absolutely 
right, the coordination issue is key. In December 2018, the 
U.S. Commission on Civil Rights issued its most recent report 
on the Federal Governmnet's commitment to tribal nations, and 
it is not meeting its commitment, and this is through a lot of 
areas across government. And even within GAO, we are talking 
about doing a more coordinated effort to look at these issues 
across government to ensure that we are doing a coordinated 
look at the audit and that the different agencies that are 
involved, whether it is education, health care, broadband on 
tribal lands, economic development, sustainable communities, 
environmental, it is all government all across the scheme of 
things, and we are definitely going to be looking at that.
    Senator Lankford. OK. That would be very helpful, because 
even areas like criminal justice, BIA will say, well, that is 
not really us, the Department of Justice (DOJ) has that, and 
they have that in that certain wing, but it does not coordinate 
actually with BIA and the requests may have four different 
forms from four different entities to be able to do one thing 
and no one really knows who has the ball. And in Government, as 
we know, if everyone has the ball, no one has the ball. And it 
has become a really big issue in our tribal areas.
    Mr. Gaffigan. Absolutely, Senator.
    Senator Lankford. OK. Thank you. I appreciate that.
    Senator Peters and I have worked a lot together on Federal 
real property, as you know because we poked you on it several 
times. We have passed some different pieces on it, on leasing 
properties. I want to just open up one thing on it, and that 
is, when I was chairing the Financial Services and General 
Government (FSGG) Appropriations Committee, it was the first 
time I got into the financing and saw the Department of 
Transportation (DOT) building that we had leased for 15 years 
for $700 million, and at the end of our 15 year lease had the 
opportunity to buy it for $700 million.
    Mr. Dodaro. Yes.
    Senator Lankford. We can never do that again. We have to 
figure out how to do this. And one of the big questions we have 
had is how we can work out a lease to own type process with a 
discounted purchase at the end. You have made some 
recommendations and ideas on that. We have to figure out how to 
be able to manage it better.
    We lease buildings that we are going to have temporarily. 
We are probably going to have a Department of Transportation 
long term. That seems like an office we should probably own. We 
will probably do that more than 15 years.
    Mr. Dodaro. We will go out on a limb.
    Senator Lankford. I am just reaching out into the future 
and just guessing that. [Laughter.]
    Help us with this issue of what you have seen on the lease 
to discount purchase type structure.
    Mr. Dodaro. Well, first, the team gave me a note that the 
General Services Administration (GSA) plans to buy the DOT 
building this year.
    Senator Lankford. Yes, we put that intentionally into the 
appropriations bill. That was in my Committee. I said, no, we 
cannot do this, so you are correct. We are purchasing that 
building.
    Mr. Dodaro. Right.
    Senator Lankford. We are not going to continue leasing a 
building we should have owned a long time ago.
    Mr. Dodaro. Yes, there are three different areas that we 
focused on. One is to try to get GSA to focus on these high-
value leases that it makes sense to look at whether you should 
purchase it or not. So they have agreed to do that finally. 
That took several years. So they are going to at least look at 
one this year. But they need a plan, and I think Congress needs 
to push them to go a little faster in that area. So at least 
they have agreed to do it. They have a plan to do it. So we 
will see. They have a target of trying to save a certain amount 
of money in doing that, which is an improvement.
    They have also thought about having a capital--or made a 
proposal for a capital fund to set up to be capitalized to 
allow them to have some money to operate that the agencies 
would pay back. That needs congressional authority. They have 
not yet developed a legislative proposal to present to 
Congress, so that is another area.
    A third recommendation that involves when you are going to 
lease and it makes sense to lease and there are improvements 
that need to be done to the property before you are ready to 
occupy it, right now that gets funded through the lessor, and 
then the government ends up paying interest costs on that. So 
our recommendation is to have GSA loan the money to the agency 
through the Federal Building Fund unless there would not be any 
interest cost necessarily, but it would save the government a 
lot of money to be able to do that.
    So those are the three recommendations that we have had.
    Senator Lankford. All right. That is very helpful. Senator 
Peters.
    Senator Peters. Good, and we want to continue to work with 
you on that area, and, Senator Lankford, thank you. We have to 
keep going down that path to make sure we are saving money long 
term for the government.
    Mr. Dodaro, I wanted to talk a little bit more about cyber 
just briefly. We have already had a pretty full discussion of 
that and the threat and how we have to deal with preventing 
this. But, I was struck by the 2016 Federal Information 
Security Management Act of 2002 (FISMA) report that noted even 
beyond the well-known OPM breach, which got a lot of attention 
and impacted a huge number of folks, there were about 6,000 
other incidents that impacted almost half a million 
individuals. They flew below the radar as far as press, but had 
a significant impact on people.
    We have already talked about the challenges about cyber. My 
question to you is: Would providing impacted individuals early 
notice that their information has been compromised, would that 
help mitigate some of the damage?
    Mr. Dodaro. Well, I think there is definitely--in the 
Federal Government, there are breach notification requirements. 
I will ask Mr. Marinos, Nick, to explain that in a little bit 
more detail. But, definitely, I mean, people need to be 
notified.
    Senator Peters. The earlier, the better.
    Mr. Dodaro. The earlier, the better, so that they can take 
actions to protect themselves. Congress has now made it 
available for people to--the cost is free to freeze their 
credit, which is a good move for people to take if their 
information has been compromised. So, yes, they should be 
notified, and it should be as early as possible.
    Senator Peters. Can we do more?
    Mr. Marinos. Yes, Senator, I think we can. As Mr. Dodaro 
mentioned, Federal agencies have responsibility. I will 
highlight two key pieces of that.
    One, they have a responsibility to be good stewards of the 
information that they collect on U.S. citizens for the purpose 
of their mission.
    And then in addition to that, they are required by law to 
report major incidents to you, to Congress as well.
    So what that really means is that we need to ensure that 
Federal agencies are doing a better job of identifying 
incidents when they are occurring, understanding the impact of 
those incidents, and then being able to communicate quickly to 
potential individuals that are affected as well as to Congress.
    Senator Peters. All right. Thank you.
    The other issue that you brought up in the High-Risk List 
that I think we need to spend a little bit more time on is 
climate change and the impact of climate change in particular 
related to storms and the fact that we are seeing the severity 
of storms increase, and that is likely to continue in the years 
ahead. And it is driving big increases to the cost to the 
American taxpayers as we deal with these disasters.
    It seems to me that investing some money up front in 
mitigation and planning to have more resiliency with our 
infrastructure is critically important, and it is kind of back 
to the buying or leasing concept. If you build hardened assets 
that are not going to be destroyed in a storm, that is going to 
be cheaper than actually going in and fixing it and cleaning it 
up and then rebuilding.
    Could you help us better understand the costs to our 
economy of climate change based on your analysis?
    Mr. Dodaro. The last several years have been some of the 
most costly in U.S. history--in 2017 in particular, several 
hundred billion dollars, I believe. We have had very costly 
storms. But the Federal Government's cost to respond to this 
since 2005 is approaching half a trillion dollars to be able to 
handle this area.
    Now, the National Institute of Building Services estimates 
that for every dollar spent in hazard mitigation and resilience 
building saves $6 later. And it states that if we went in the 
United States to the most recent international building 
standards, building codes, you could save $11 for every dollar 
invested.
    So I think there is a lot of material, but, Mark, can you 
explain the cost?
    Mr. Gaffigan. Sure. NOAA estimates since 1980 there have 
been 241 billion-dollar events. That is an average of about six 
a year. But over the most recent years, it is averaging about 
15 of those types of events a year, and the number 1 year was 
2017, $312 billion; the number 2 year was 2005, with Hurricane 
Katrina; 2012, $128 billion; in 2018, it is the fourth highest 
year, $91 billion in costs.
    Mr. Dodaro. And I would point out, Senator, those are 
direct costs. They do not consider lost productivity during 
that period of time or all the individual trauma that 
individuals go through, because it takes several years, as you 
know, to rebuild these areas. I mean, it is going to take a 
long time in Puerto Rico, for example, from the 2017 storms. We 
are looking at the results of the 2017 and 2018 disasters in 
terms of Federal recovery efforts.
    Senator Peters. Right. You mentioned some of the direct 
costs to the government, particularly to the military, and this 
is an area where the Department of Defense for a number of 
years has talked about this as a high risk, as you have at the 
GAO. I am just reminded during Hurricane Michael, a number of 
F-22 Raptors at Tyndall Air Force Base were damaged because 
they could not be moved prior to the storm. And the storm cost 
the Air Force an estimated $3 billion to address the damage to 
the infrastructure as a result of that and the impact to the 
aircraft.
    What specifically should the Department of Defense be 
doing?
    Mr. Dodaro. They need to have a plan to look ahead as they 
are building their infrastructure, modernizing their 
infrastructure, to build in resilience, climate resilience 
policies and procedures. They are starting to move in that 
direction. Congress required them to develop a plan and submit 
it to Congress, which they did, but many members of the Armed 
Services Committees were not satisfied with the plan, and so 
the Defense Department is now back preparing an additional plan 
to send to Congress. We will look at that plan once it is 
submitted and have additional recommendations, which we will 
share with this Committee.
    They just need to put it in their planning activities and 
guidance. I mean, they have coastal issues with sea level 
rises. And the plan, Senator Peters, for DOD needs to not only 
be domestic but international, because we have a lot of 
facilities around the world that are at risk in these areas as 
well.
    So that is really the issue, is just better planning and 
making sure it gets built into their decisionmaking process as 
they go forward, because they have a massive amount of 
facilities.
    Senator Peters. They do.
    Mr. Dodaro. And they are threatened--you mentioned Tyndall 
Air Force Base, but also at Camp Lejeune, with Hurricane 
Florence, there was over $3 billion of damage there as well. So 
this is very costly, and there is a lot that could be done to 
prevent this ahead of time.
    I am also concerned that the Administration revoked the 
flood hazard mitigation standard that required buildings to be 
elevated to have a national standard in that area. The Flood 
Insurance Program is on the High-Risk List. Even though 
Congress has forgiven $16 billion in debt, it still over $20 
billion in debt to the Treasury. It is not operating on an 
actuarially sound basis. So there is a lot of exposure for the 
Federal Government.
    Senator Peters. Yes, and I am glad you brought that up 
because to me that makes no sense whatsoever to rescind the 
flood risk management standard given all that you have said. So 
in your mind we need to have a standard. Is that a correct 
statement?
    Mr. Dodaro. Yes.
    Senator Peters. Great. Thank you.
    Chairman Johnson [Presiding.] Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks. Thanks, Mr. Chairman. Welcome. We 
welcome both of you this morning and are delighted you are 
here. Thank you to you and the folks you lead at GAO for the 
important work.
    Our country's budget deficit last year in this country hit 
$757 billion. This year we are looking at $850 billion, next 
year maybe $1 trillion. And I like to say everything I do, I 
know I can do better. We have to find a whole lot of ways to do 
things better in this country.
    I have just come from a hearing in Environment and Public 
Works on surface transportation where we just basically are not 
raising through user fees anywhere close to the money we need 
to build our roads, highways, bridges, transit systems. And 
that is just not sustainable. We are just in an unsustainable 
direction. Thank you for helping us to restore some sanity to 
all of this.
    The first question I have deals with chemical safety at 
EPA, and I just want to say thanks for being responsive on this 
front. But EPA's chemical safety efforts have been on GAO's 
High-Risk List, as you know, for years. And on Monday, GAO 
released a long report, one that I requested, on chemical 
safety. That report describes some disturbing developments 
about EPA's Integrated Risk Information System. It is called 
IRIS, which studies the health hazards posed by chemicals.
    Here is my question. GAO's report said that, until 
recently, EPA's IRIS program had been implementing many of the 
recommendations made by both GAO and the National Academy of 
Sciences. But the report also said that that progress was 
halted almost a year ago when EPA's political officials told 
the EPA's career staff to stop working on some of its reports, 
including the Formaldehyde Health Assessment. Is that correct?
    Mr. Dodaro. This is Mr. Gaffigan, who has led the effort on 
that report.
    Senator Carper. OK. Thank you.
    Mr. Gaffigan. Thank you, Senator Carper. What had happened 
is EPA has an IRIS assessment plan in which they list all the 
chemicals they are working on at the current time. And as of 
May 2018, they had a list of about 20 or 22 chemicals that they 
were working on, including formaldehyde. They had checked in 
with the program offices because they do these studies on 
behalf of the program offices to meet their needs in assessing 
safety in various areas, in air, water, whatever it may be. And 
that May 2018 list was good to go, but they were told in June 
to hold off, that the leadership wanted to take a look at that 
list. They sent a survey out to the program offices to 
reconfirm their interest in those 20 or 22 chemicals. 
Eventually, the survey had 20 chemicals listed on it. There 
were two that were already at peer review, so it did not 
include those.
    And then they got the answer back from the program offices, 
yes, indeed, we would like to look at these same 20. They 
reconfirmed that. But then later, in October, before they 
released the survey results, there was a further inquiry as to 
prioritization asking again the program offices to prioritize. 
Yet they did not provide any criteria for deciding how to 
prioritize.
    The next thing that we were aware that happened is in 
December 2018. They released a new list. There were only 11 
chemicals on EPA's internal memo and 13 on its publicly 
released list.
    Senator Carper. So almost cut in half.
    Mr. Gaffigan. Almost cut in half, and there was no 
explanation as to why they decided to drop some chemicals. 
There are at least four chemicals in the later stages ready to 
go to peer review, including formaldehyde, that vanished. And 
so that raises a lot of uncertainty and questions about what 
happened and what was the rationale for doing that.
    Senator Carper. All right. Thank you. That is a very good 
explanation.
    Just for my colleagues, let me just note for my colleagues 
that formaldehyde is a known carcinogen. It has been reported 
that EPA's career scientists have concluded that it causes 
leukemia. There have actually been chemical industry and 
congressional efforts to stall the publication of this report 
now for more than a decade.
    I would ask, Mr. Dodaro, for you and Mark--GAO's report 
also found that initially EPA's Water and Superfund offices 
both said that they considered the completion of the 
formaldehyde report to be a priority. A priority. But after 
that, EPA's political officials asked for a new list of 
priorities, as Mark has mentioned, and magically vanishing, the 
formaldehyde report was not listed as a priority on this new 
list. That means EPA no longer plans to finish the formaldehyde 
report even though it has been ready for peer review since 2017 
and they have spent, I am told, about $10 million on the 
research.
    Do I have all that right?
    Mr. Gaffigan. And I would just add, they have been working 
on it actually since 1997.
    Senator Carper. Wow, 21 years or 22 years.
    Another question related to this, but I would ask again, 
Gene, of you and of Mark, did GAO learn why EPA's political 
officials asked for a new list of priorities that has resulted 
in a decision not to publish the Formaldehyde Health 
Assessment?
    Mr. Gaffigan. This came in December toward the end of our 
report. We never were able to assess what the rationale was. 
There was some talk about trying to limit the budget, but as we 
had the conversation before, Congress did not support 
reductions for IRIS, whose budget makes up about half of the 
human health risk assessment area, which ended up about $20 
million in the President's budget requests. And in May, with 
that list of 20 chemicals, IRS officials felt they had the 
resources to do all 20 with their budget. So that explanation 
does not seem to make sense unless, in fact, they were trying 
to not spend as much money in IRIS.
    Senator Carper. Well, thank you both for the responses. 
Mark, especially, thank you. For an agency that is so concerned 
about so-called secret science that it is writing a rule 
against the topic, EPA appears to be going to great lengths to 
keep its own science secret. I would just note that for the 
record.
    I have another question, and I will direct this one back to 
you, Gene. It deals with Medicare improper payments and the 
Payment Integrity Information Act. I understand there has been 
some progress in reducing the overall improper payment rate for 
Medicare. That is good. And while improper payments in Medicare 
remain unacceptably high, I believe your report notes that 
Centers for Medicare & Medicaid Services (CMS) has made some 
progress in addressing this issue.
    Could you just take a moment, Gene, and share with us how 
CMS has been able to reduce its Medicare improper payment rate 
over the last couple of years? And is there any lesson from CMS 
that can be shared across the government where we have a lot of 
improper payments? Please.
    Mr. Dodaro. Yes. Ms. Nikki Clowers has joined me from the 
Health Care Team. I will give an answer, and then she can add 
to that.
    Senator Carper. Good.
    Mr. Dodaro. First, they have a Program Integrity Center for 
payment integrity that they have established, so they have a 
clear leadership in place for that center. They have increased 
the staff by over 200 people in that area over a period of 
time, so they have put more resources in it. And those are the 
two criteria on the High-Risk List: you have clear leadership, 
you have capacity. They have a fraud system they put in place 
to help them identify areas that they could look at more 
quickly in that area, and we have said that that system is 
working well, and they should expand it to other areas. So 
those are the things that they have done to improve it.
    I will ask Nikki to add.
    Ms. Clowers. In addition to what the Comptroller General 
mentioned, another effort was working with both private sector 
companies and other public agencies through a Healthcare Fraud 
Prevention Partnership to learn best practices and implement 
them.
    The other issue is continuing to look at efforts on the 
prepayment side, to move away from the pay-and-chase model of 
putting the money out and then trying to claw back the money 
when it is deemed improper, because that takes time and it does 
not always work.
    One of our outstanding recommendations for CMS is to seek 
legislative authority to allow their recovery auditors to 
conduct prepayment checks. They are one of the auditors that 
right now focuses primarily on post-payment issues, but through 
a demonstration where they were given in this one demonstration 
the authority to conduct prepayment checks, CMS deemed that 
successful. And so we have recommended CMS seek legislative 
authority to expand this.
    Senator Carper. Well, good. Mr. Chairman, I have been 
working on improper payments for some time, and, in fact, we 
have collaborated on legislation, I think it is called the 
``Payment Integrity Information Act,'' which consolidates and 
updates existing improper payment laws while trying to make 
some key improvements in this area.
    I would just add, Gene, I think your folks have been 
helpful to us in crafting the legislation. We appreciate that 
help, and I would just ask, do you think that Congress ought to 
pass the legislation and could it be helpful as we try to curb 
the $140 billion plus made in improper payments?
    Mr. Dodaro. Yes.
    Senator Carper. Good. Thank you.
    Chairman Johnson. I guess that was the right answer. 
[Laughter.]
    Senator Carper. I thought it was a very good answer.
    Chairman Johnson. Unfortunately, improper payments, it is 
not going away.
    Just real quick, I want to follow up with improper payments 
in Medicaid, which the Committee has done a fair amount of 
work, and I know that GAO has as well. I believe the figure was 
$37 billion last year.
    One of the drivers is Medicaid expansion that incentivizes 
States to provide the Medicaid expansion to potentially just 
the primary Medicaid population because they get a better--they 
are going to get a higher reimbursement from the Federal 
Government. Have you done any further work on that? Would you 
comment just on that area of improper payments?
    Ms. Clowers. Senator, yes, we continue to look at the 
improper payment issues under the Medicaid program, and as you 
know, the rate is composed of three components, and one of them 
is the eligibility. This is one area that we are concerned 
about they froze the eligibility component since 2014 exactly 
for some of the reasons you were mentioning. With the expanded 
populations, there were new systems put in place, so they 
wanted the States to have time to implement them before they 
started measuring again.
    They plan to start measuring this year, in 2019, but our 
concern with that is during this time we are not getting an 
accurate picture of the improper payments that could be made in 
the eligibility component. And it is at the exact time when 
things got more complicated, so you would want more additional 
scrutiny on those issues.
    The other area that we have concerns about in the Medicaid 
improper payment area is the second component, which is managed 
care, and we have reports documenting that the managed care 
component does not account for all the program risk, in 
particular, the payments that go from the Federal Government to 
the State and from the State down to the managed care 
organizations. There are opportunities for over-repayments to 
come into play there and then get factored into the payments 
that are made the next year, sort of a compounding problem. So 
we have recommendations to CMS to address those issues.
    Chairman Johnson. My concern with Medicaid is there are so 
many areas where we incentivize the States to game the system, 
and so they do. And we need to track that down, but the 
frustration is getting the information on how extensive this 
is, and the information does not exist. So I want to continue 
to work with GAO, the Inspector General, and CMS to try and get 
the information so that--again, these programs are already 
spending a lot of money. We have huge deficits. We cannot 
afford to be paying money to ineligible individuals. We cannot 
afford to have States game the system.
    Mr. Dodaro. I agree with you, Mr. Chairman. And I mentioned 
earlier that Medicaid is on a track by 2026, to be $1 trillion 
a year, Federal and State money, just for the Medicaid program 
alone. And my concern is because of the limits on looking at 
the beneficiary eligibility determination.
    Now, managed care is also half of the funding, so right now 
you are not really getting a good estimate on the improper 
payments of about half of Medicaid spending. So it conceivably 
could be a very underestimated figure, and more needs to done. 
Also CMS is supposed to come out with a new disclosure on the 
supplemental payments that we talked about the last time I was 
here, and so we will look at that and give you our thoughts on 
that as soon as that is out. But we are definitely going to 
continue our work in this area, and the dialogue between CMS 
and the State auditors has continued based on your hearings. 
That is a good development as well.
    Chairman Johnson. OK. One thing I have encouraged all the 
Members of this Committee--Senator Scott, I have deputized him 
in terms of taking a look at FEMA and some of the abuse, some 
of the waste we see in disaster spending, and he is in a 
perfect position to do that. But I am trying to get other 
Members to grab a hold of one of these issues. I think the 
Committee in general has looked at Medicaid, because I just 
think with the Medicaid expansion we have just created greater 
incentive for improper payments. And so I want to work very 
closely with you.
    Mr. Dodaro. OK.
    Chairman Johnson. I guess Senator Lankford has a few 
questions as well.
    Senator Lankford. I do. I just have about 75 more. 
[Laughter.]
    We are getting close to the end.
    Mr. Dodaro. You missed your chance when you were Chairman.
    Senator Lankford. I know. I could have just taken over from 
there.
    You and I have talked about the Taxpayers Right-to-Know 
bill multiple times.
    Mr. Dodaro. Yes.
    Senator Lankford. It has passed the House multiple times 
now and has been stuck here in the Senate. It has been the 
interest of some to say we really do not need the Taxpayers 
Right-to-Know Act, that it is not needed, there is data in 
other places and other ways, but that particular bill and that 
particular gathering of data is not necessary.
    Do you have a perspective on that?
    Mr. Dodaro. Yes, I do not agree with that statement. I do 
not think it is that transparent or available in other formats 
at the level at which as I recall the Taxpayers Right-to-Know 
Act is asking for the information. It also pulls together what 
is the results of the spending. That is not really available. 
But it would bring it together in one effort at a more 
transparent and accountable and actionable information for 
Congress and the public to act on. So I think that Congress 
would do well to pass that legislation, but also make sure it 
gets implemented effectively. The Digital Accountability and 
Transparency (DATA) Act is still not implemented effectively 
because the information is not as accurate as it needs to be.
    But the first step is to get the legislation passed, and I 
think it would be a good move for government accountability and 
transparency to have that legislation enacted.
    Senator Lankford. We will keep nudging and pushing on that. 
I appreciate that very much.
    Let us talk about the Federal disability programs. Have we 
talked about that yet this morning? Has that come up?
    Mr. Dodaro. Just once as it relates to VA.
    Senator Lankford. OK. I would like to do the non-VA side of 
it, just in the disability programs and to be able to see--you 
highlighted some things that are affectionately called ``the 
grid,'' the vocational list, the giant dictionary of all 
occupations in America that is now well in excess of $100 
million to be able to compile this. I have been tracking it for 
7 years and have heard over and over again next year, next 
year, next year, next year it is coming.
    Now my understanding is it is actually next year that it is 
coming and that we are actually seeing some progress in this 
area on disability and on the vocational grid. I would love to 
be able to see what your team has seen as well.
    Mr. Dodaro. Yes, this is Ms. Elizabeth Curda, who is our 
expert in the disability area, Senator. She can give you an 
update.
    Ms. Curda. Yes, there are two systems in play here involved 
in updating the occupational information that the Social 
Security Administration (SSA) uses to decide disability claims.
    The first is the Occupational Information System. That is 
what is very close to being completed. They are in their final 
year of data collection for that system using Bureau of Labor 
statistics surveys. And they plan to start using that system in 
2020, according to their most recent plans.
    Now, the grid is another tool that SSA uses in addition to 
the Occupational Information System--when they have it 
implemented, they will be using it, but not yet. The grid is 
something that is a decisional tool that helps them decide 
what--they take all this information, medical, occupational, 
and they make a decision about what work this person with a 
disability could do in the current economy. That has not been 
updated, and that is why we have actually lowered their rating 
in the High-Risk List for action planning because they have not 
given us plans for how they plan to update that system and use 
it in conjunction with the new information----
    Senator Lankford. So your concern is we are going to have 
the occupational list and not have any way to be able to 
implement that in 2020, so we will basically have a book and no 
way to use it.
    Ms. Curda. Potentially, yes.
    Senator Lankford. OK. So what steps need to be taken at 
this point to be able to move that from I have the occupational 
list to actually transitioning that into a usable form in the 
grid?
    Ms. Curda. We would need to see an action plan for the use 
of the grid in terms of how they plan to change that. They have 
indicated they have plans to update it, but they have not given 
us any detailed action plan for that.
    Senator Lankford. Do you remember offhand how long it has 
been since the vocational list has been updated?
    Ms. Curda. 1970s.
    Senator Lankford. Yes, that is what I thought, it was the 
1970s. I do recall the famous list of their elevator operator 
is in the vocational list, but there are no IT jobs listed at 
all because they were not around in the 1970s other than a 
punch card operator.
    Ms. Curda. I heard about this problem just last week when I 
was in West Virginia visiting with disability examiners, and 
they said this is a key problem for them to process claims.
    Senator Lankford. It is an enormous issue for us to be able 
to say, yes, there is nothing available, no way to be able to 
help transition somebody.
    One other quick question that I had and that is on the 
security clearance programs. There is a pretty massive 
transition that is happening right now into DOD and being able 
to manage this. I have seen some progress, you have listed some 
progress in trying to deal with our backlog. This affects all 
of our Federal hiring that the Chairman and I have worked so 
much on in trying to be able to bring to greater attention that 
we are exceeding 100 days for Federal hiring. A lot of that 
ends up being security clearance in the process, and so we are 
all very concerned. When DOD said no, we want to give this to 
OPM years ago, and now it is all going from OPM back to DOD, we 
are trying to figure out how that handoff is going. Can you 
give us an update?
    Mr. Dodaro. Ms. Cathy Berrick has been leading our work in 
that area, Senator. She can give you an update. It is moving, 
but there are still a lot of issues that need to be dealt with. 
She can detail those for you.
    Ms. Berrick. Sure. DOD is planning to assume responsibility 
for conducting investigations for all Federal workers. That is 
supposed to be transitioned by September 30th of this year. So 
they are doing some planning related to the National Background 
Information Services (NBIS), which is the information system 
that they are going to use to conduct investigations.
    There is one key concern that they have, which is linking 
to the OPM legacy systems and the security issues that exist 
with those systems. DOD is ultimately planning to separate from 
those systems, but they are going to need to rely on them at 
least for a few years.
    Another key area that the entire Performance Accountability 
Council (PAC), which governs the security clearance process 
within the Executive Branch, really needs to do is focus on the 
quality of investigations. They have been attempting to develop 
quality metrics since back in 2010. They have taken a couple of 
important steps to get there, but they still have not completed 
those metrics.
    And then, finally, I would say although the Executive 
Branch has made some progress in reducing the investigative 
backlog, they were at about 720,000 a year and a half ago; they 
are at about 565,000 investigations right now backlogged. They 
do not have a plan for meeting their timeliness objectives for 
their investigations moving forward. They have made some tweaks 
here and there, but they really need a comprehensive plan. Just 
to give you a statistic----
    Senator Lankford. Is that in process, by the way?
    Ms. Berrick. They are working on it, and there was just a 
big announcement last week that the Executive Branch is rolling 
out Trusted Workforce 2.0, which is a new strategy for 
conducting security clearances that involves continuous 
vetting. They made some key process improvements.
    But just to give you a stat on the significance of this 
problem, last year only 3 percent of agencies within the 
Executive Branch met mandated and other established timeliness 
objectives for conducting background investigations for initial 
secret clearances, and for top secret it was only 13 percent of 
agencies met those requirements. So it is a big problem. There 
are some plans in place, but this issue has always been one of 
implementation.
    If you go back, since the early 2000s, there has been a 
number of studies, a number of initiatives. The problem has 
always been the coordination among the agencies and actually 
executing on these plans.
    Senator Lankford. Is there a congressional action that is 
required other than oversight at this point? Do they have what 
they need to be able to make the decisions and implement the 
way they need to?
    Ms. Berrick. I believe they do have what they need.
    Senator Lankford. All right. That is helpful to know.
    Mr. Dodaro. Congress reinstituted the requirement to get 
reports on the status of this effort. That was a good move by 
Congress. But, based on what we know of their current plans, I 
do not think they need anything else other than oversight at 
this point. However, if they do develop plans and we notice 
something, we will let you know.
    Senator Lankford. I know it is a human resource (HR) issue 
for us, obviously, in the hiring and the process they would go 
through, but there is a larger HR issue just with the handoffs 
that you will have identified multiple times. If I go into many 
private businesses, they have a software system that, when they 
do the interview, all the information is dumped in the 
interview. If they decide to hire them, that same system will 
actually start getting them through all the forms that they 
need to do for hiring. That same system will also manage all of 
their personnel reviews they do on an annual basis, and when 
they retire, that same system will also do it, as well as their 
tax forms and their raises all go through this one system. We 
have about 19 different systems that do those same things, and 
I think 18 of them we would call ``legacy'' in the process, and 
none of them talk to each other. And that is not the way that 
it is going to be most effective to do it.
    Have you seen any progress in agencies moving to a seamless 
system to be able to handle HR? Or is this still multiple 
different systems that are out there to be able to do the most 
straightforward personnel issues?
    Mr. Dodaro. Yes, this is Mr. Chris Mihm. He is the head of 
our Strategic Issues Team that looks at personnel matters. 
Chris.
    Mr. Mihm. Senator, there are still too many legacy systems 
out there, is the short answer on that. One of the things--and 
this gets back to what you were talking about with Taxpayer 
Right-to-Know and the DATA Act. That data is going to help 
agencies identify, as the DATA Act is implemented, 
opportunities for shared services so they can bring together 
some of these legacy systems. So that is just a minor potential 
advantage going forward of better integration--not just in the 
HR area but across a whole series of back-office functions.
    Senator Lankford. Right. I am just tired--and the Chairman, 
we have heard this over and over and over again--of a Federal 
employee that worked in two different agencies that goes to 
retire and it takes 6 to 9 months for them to start their 
retirement process because the two agencies did not talk to 
each other and because the handoff does not work, and now 
somebody that has worked 35 years for the Federal Government is 
waiting 6 months to start their retirement process because the 
data is not all together.
    Mr. Mihm. And, sir, that is not just with the agency 
systems, which it is and we have found that there are problems 
in the agency systems, but just on the retirements with the 
Office of Personnel Management as well. They have huge backlogs 
in that. We have been urging them to get--it is the word you 
have been hearing all day. We have been urging them to get a 
plan in place in order to deal with their backlogs that they 
have in place to get a more--I mean, there are known spikes 
each year of when they have increases in retirements. They 
should be able to deal with those spikes much easier than just 
each year being caught with----
    Senator Lankford. Again, a streamlined system where 
everything is consistent would make an enormous difference on 
that. It is not like it does not exist. I can go to Paycom, a 
huge national company, and they can put that off the shelf 
right now and be able to adapt that into a government system 
they could do. So it is doable software. It is not something 
new and radical. But we have to be able to help implement that.
    Mr. Mihm. Yes, sir.
    Senator Lankford. Mr. Chairman, thank you for allowing me 
to be able to come back and do another round of questions.
    Chairman Johnson. I appreciate you, first of all, talking 
about the whole security clearance issue, which is big. Of 
course, the retirement system, part of it, it is still a paper 
system. They are in files in some cave. I cannot remember 
exactly which State, somewhat close at least, but----
    Mr. Dodaro. It is in Pennsylvania.
    Chairman Johnson. There you go. So you are fully aware of 
that.
    Again, General Dodaro, thank you. I thank all of the 
members of your team for providing testimony and for all your 
great work. You know better than anybody that you have so many 
things that you can take a look at. The analogy is use, it is 
like a mosquito in a nudist colony. It is a target-rich 
environment where you are looking for waste, fraud, and abuse 
in the Federal Government.
    One of the things I am trying to get the Members of this 
Committee to do is to concentrate on an issue, one of those 
targets, and, utilize their staff in conjunction with our 
Committee staff and Inspectors General and the GAO to highlight 
the issue, because that is what it takes. You have to publicize 
the issue to create the incentive within the departments and 
agencies to actually take action. So that is what your High-
Risk List does. That is what this hearing does. But that is 
really what I want Committee members to do. I would like them 
to look at the big things, prioritize it, let us go after the 
low-hanging fruit, the massive dollars. But, again, you have 
already done the $350 billion since 2006, $47 billion just last 
year, pretty remarkable results, and I am sure you and your 
team will keep investigating these things and even increase 
those savings. So, again, thank you for your testimony. Thank 
you for all your work.
    The hearing record will remain open for 15 days until March 
21 at 5 p.m. for the submission of statements and questions for 
the record.
    This hearing is adjourned.
    [Whereupon, at 11:22 a.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]