[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]



                   AGENCY COMPLIANCE WITH THE FEDERAL
                   INFORMATION TECHNOLOGY ACQUISITION
                          REFORM ACT (FITARA)

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 OF THE

                   COMMITTEE ON OVERSIGHT AND REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 16, 2021

                               __________

                           Serial No. 117-14

                               __________

      Printed for the use of the Committee on Oversight and Reform

                       Available on: govinfo.gov,
                         oversight.house.gov or
                             docs.house.gov

                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
44-381 PDF                  WASHINGTON : 2021

--------------------------------------------------------------------------------------

                   COMMITTEE ON OVERSIGHT AND REFORM

                CAROLYN B. MALONEY, New York, Chairwoman

Eleanor Holmes Norton, District of   James Comer, Kentucky, Ranking
    Columbia                             Minority Member
Stephen F. Lynch, Massachusetts      Jim Jordan, Ohio
Jim Cooper, Tennessee                Paul A. Gosar, Arizona
Gerald E. Connolly, Virginia         Virginia Foxx, North Carolina
Raja Krishnamoorthi, Illinois        Jody B. Hice, Georgia
Jamie Raskin, Maryland               Glenn Grothman, Wisconsin
Ro Khanna, California                Michael Cloud, Texas
Kweisi Mfume, Maryland               Bob Gibbs, Ohio
Alexandria Ocasio-Cortez, New York   Clay Higgins, Louisiana
Rashida Tlaib, Michigan              Ralph Norman, South Carolina
Katie Porter, California             Pete Sessions, Texas
Cori Bush, Missouri                  Fred Keller, Pennsylvania
Danny K. Davis, Illinois             Andy Biggs, Arizona
Debbie Wasserman Schultz, Florida    Andrew Clyde, Georgia
Peter Welch, Vermont                 Nancy Mace, South Carolina
Henry C. ``Hank'' Johnson, Jr.,      Scott Franklin, Florida
    Georgia                          Jake LaTurner, Kansas
John P. Sarbanes, Maryland           Pat Fallon, Texas
Jackie Speier, California            Yvette Herrell, New Mexico
Robin L. Kelly, Illinois             Byron Donalds, Florida
Brenda L. Lawrence, Michigan
Mark DeSaulnier, California
Jimmy Gomez, California
Ayanna Pressley, Massachusetts
Mike Quigley, Illinois

                     David Rapallo, Staff Director
              Wendy Ginsberg, Subcommittee Staff Director
                          Taylor Jones, Clerk

                      Contact Number: 202-225-5051

                  Mark Marin, Minority Staff Director
                                 ------

                 Subcommittee on Government Operations

                 Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of   Jody B. Hice, Georgia, Ranking
    Columbia                             Minority Member
Danny K. Davis, Illinois             Fred Keller, Pennsylvania
John P. Sarbanes, Maryland           Andrew Clyde, Georgia
Brenda L. Lawrence, Michigan         Andy Biggs, Arizona
Stephen F. Lynch, Massachusetts      Nancy Mace, South Carolina
Jamie Raskin, Maryland               Jake LaTurner, Kansas
Ro Khanna, California                Yvette Herrell, New Mexico
Katie Porter, California


                         C  O  N  T  E  N  T  S

                              ----------

Hearing held on April 16, 2021

                               Witnesses

Mr. Gundeep Ahluwalia, Chief Information Officer, Department of Labor
  Oral Statement
Mr. Jay Mahanand, Chief Information Officer, U.S. Agency for International Development
  Oral Statement
Mr. Kevin Walsh, Director of Information Technology and Cybersecurity Issues, Government Accountability Office
  Oral Statement

Written opening statements and statements for the witnesses are available on the U.S. House of Representatives Document Repository at: docs.house.gov.

                           Index of Documents

                              ----------

Documents entered into the record during this hearing and Questions for the Record (QFRs) are listed below.

  * FITARA-Metric Recommendation from MicroFocus; submitted by Chairman Connolly.

  * Granite-EIS testimony; Chairman Connolly.

  * QFRs to: Mr. Ahluwalia; submitted by Chairman Connolly.

  * QFRs to: Mr. Mahanand; submitted by Chairman Connolly.

  * QFRs to: Mr. Walsh; submitted by Chairman Connolly.

Documents are available at: docs.house.gov.


                   AGENCY COMPLIANCE WITH THE FEDERAL
                   INFORMATION TECHNOLOGY ACQUISITION
                          REFORM ACT (FITARA)

                              ----------


                         Friday, April 16, 2021

                   House of Representatives
      Subcommittee on Government Operations
                          Committee on Oversight and Reform
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 9:03 a.m., in room 2154, Rayburn House Office Building, Hon. Gerald E. Connolly (chairman of the subcommittee) presiding.
    Present: Representatives Connolly, Norton, Davis, Porter, Hice, Keller, Biggs, and Comer (ex officio).
    Mr. Connolly. This subcommittee will come to order.
    Some witnesses and persons and others will appear remotely via Zoom today. Since some members and witnesses are appearing in person, let me first remind everyone that pursuant to guidance from the House Attending Physician, all individuals attending this hearing in person must wear a face mask. Members who are not wearing a face mask will not be recognized.
    Let me also make a few reminders to those members appearing in person. You will only see members and witnesses appearing remotely on the screens in this hearing room. On one side of the room you can see the individual who is speaking in what is known in Zoom as speaker view. On the other side you'll see the collection of individuals within the Zoom platform. A timer is visible in the room directly in front of you.
    For members and witnesses
    [inaudible].
    I now recognize myself for an opening statement.
    Since the enactment of the Federal Information Technology Acquisition Reform Act in 2014, this subcommittee has maintained steady and bipartisan oversight of the agency implementation of the law. FITARA was enacted to establish a long-term framework through which Federal IT investments could be tracked, assessed, and managed to significantly reduce wasteful spending and improve project outcomes. FITARA is a report card that holds agencies accountable and exhorts them to improve their IT postures, and in practice, it's a tool for Congress and the public to ensure better cybersecurity, reduce wasteful spending, and make government service to the Nation more effective. The coronavirus pandemic has proven that IT is integral, not incidental, to the mission. As we have seen both at the Federal and state, local level of government, if the IT does not work, the mission does not work.
    Today's hearing will discuss the results of Scorecard 11.0, which was released in December. This hearing will also focus on how Congress and the administration can work together to approve services to the Nation with a focus on improving IT across the government. Today's hearing also comes weeks after Congress was able to secure a billion dollars in the Technology Modernization Fund so that agencies have more opportunities to improve IT and enhance cybersecurity.
    We look forward to engaging with the Office of Management and Budget about the importance of IT modernization and this funding opportunity at the next FITARA hearing in July.
    Last summer marked the tenth FITARA oversight hearing in the last five years and the first time that all 24 agencies participating in the FITARA Scorecard received passing grades. Since the FITARA 10.0 Scorecard, three agency grades increased, five decreased, and 16 remained unchanged. Further, despite the removal and addition of metrics, all 24 agencies maintained passing grades for the second time in 11 Scorecards.
    FITARA 11.0 marks the first--a few firsts in the five-year history of the Scorecard. The Scorecard marks the first time, for example, in FITARA's history that all 24 agencies included in the law received at least one A in a single metric. And that metric was the software licensing metric, the first time that metric will also be retired because everybody gets an A. When the subcommittee added this metric to the Scorecard back in June 2017, only two agencies had such inventories. Agencies needed a better management software licenses to make cost-effective decisions and to achieve savings.
    As a result of continued oversight using the FITARA Scorecard, all 24 agencies are now using comprehensive, regularly updated inventories of the software licenses, enabling those agencies to identify duplicative licenses and software costs.
    The GAO, the Government Accountability Office, estimates that agencies have saved or avoided more than $1.4 billion in software licensing costs from Fiscal Year 2015 through Fiscal Year 2020 because they are now using comprehensive, regularly updated inventories. These types of small but significant adjustments over the vast enterprise of Government can rack up significant savings pretty quickly.
    FITARA 11.0 also marks the addition of a new metric which evaluates agencies' efforts to transition off the General Services Administration's expiring telecommunication contracts before they expire in May 2023. The new measure incentivizes agencies to progress toward telecom services that deliver critical services at lower costs to taxpayers.
    Since the Scorecard's inception in 2015, agencies have made substantial positive strides in improving their information technology practices. Among the FITARA Scorecard categories with the greatest impact on taxpayer savings, of course, is the IT portfolio review process known as PortfolioStat. PortfolioStat went from helping Federal agencies save $3.4 billion in Fiscal Year 2015 to $22.8 billion at the beginning of Fiscal Year 2021. Let me repeat that. We got savings of $3.4 billion back in 2015. Six years later, the savings are at $22.8 billion.
    Federal agencies are closing and consolidating more data centers which also results in significant cost savings. The 24 graded agencies have reported more than $5 billion in cost savings in that category from fiscal years 2015 to 2020.
    While the FITARA Scorecard has successfully helped agencies move the needle on improving IT practices, work still remains. According to GAO, 21 of the 24 graded agencies still have not established policies that fully address the role of their CIO as required by Federal law and FITARA guidance. Improving the management of IT acquisitions and operations remains on GAO's high-risk list, citing the need for OMB and Federal agencies to implement all of the statutory provisions of FITARA. Further, in the most recent high-risk list, GAO reported that significant attention was needed to improve the Federal Government's management of IT acquisitions and operations and to ensure the Nation's cybersecurity.
    The coronavirus pandemic has highlighted that chief information officers are more central now than ever before. Nearly every Federal program service and function relies on IT in order to work. It's among the duties of the CIO to plan for agency IT needs, including the resources required to accomplish the mission. Outdated legacy systems, software and hardware, however, continually prevent agencies from providing the services the American public expects and demands and deserves.
    To determine the scope and feasibility of IT modernization, CIOs must be more involved in the agency performance planning. That's why today I introduce the Performance Enhancement Reform Act with my ranking member, Mr. Hice. This important piece of legislation requires agencies' performance goals to meet the demands of the ever-changing performance management landscape and includes data evidence and IT in their performance plan. The bill would also require agencies to publish their technology modernization estimates, system upgrades, staff technology skills and expertise, and other resources and strategies needed and required to meet these performance goals.
    The subcommittee will continue to evolve the Scorecard in ways that facilitate tracking improvement over time, while adding new metrics as necessary to raise the bar on what is needed across the Federal enterprise. I look forward to today's important conversation so that we continue to provide accurate oversight and to exhort Federal agencies to come into the 21st century with their IT.
    I now call my friend from Georgia, the distinguished ranking member, Mr. Hice, for his opening remarks.
    Mr. Hice. Thank you, Chairman Connolly, and I appreciate your leadership on this issue and for holding this hearing today.
    I likewise understand that the intent had been to invite the new Federal Chief Information Officer, Clare Martorana, but due to a family emergency, she is not able to be here. So, I certainly extend my sympathies to her and her family and look forward to working with her in the future as well and I understand likewise the urgency of holding this hearing but certainly regret the fact that we're not going to have the benefit of her views and hope we'll be able to have that at some point in the future.
    That being said, FITARA no doubt has been a bright spot of bipartisan work for this committee and I look forward to continuing those efforts in regards specifically to this Scorecard and its usefulness as it relates to IT reform in the future.
    But while agencies have certainly progressed over the past five years, the task, as always, is to ensure that we are keeping the Scorecard current. We want to make sure that it's measuring the most relevant facets as it relates to the IT universe, and I look forward to the perspective of our witnesses today on how the Scorecard may potentially need to change as we continue going forward.
    Since our last FITARA hearing in August, the Scorecard, as we all know, has been modified. It's gone--what is gone is the software licensing inventory required by the MEGABYTE Act and, as Chairman Connolly has mentioned, the agencies were receiving an A grade and that has been replaced by a new category, Enterprise Information Systems. This is a new contract vehicle for agency telecommunications and will finally bring many benefits, I believe, including enhanced user experience and cost savings. My hope is that it will, in addition, drive agencies toward faster implementation, which has been a concern for many of us for a long time. We need to be able to meet the goals, not just have goals.
    But there have been more important events since our last hearing than the Scorecard changes itself. Of course, the biggest has been the SolarWinds cyber-attack. This certainly reinforces the urgency to do everything we can as policymakers to keep Federal networks secure. That obviously is a major concern to all of us on both sides of the aisle.
    In addition, a year has now passed since the COVID pandemic and the many multiple ways that it stressed agencies' ability to both operate and serve citizens in a remote digital environment. So, as we look to the future, gauging how we will accomplish these tasks, that certainly should be a top priority as well.
    This goes hand-in-hand with the need to modernize aging legacy systems, also a very deep concern for many of us. These old systems simply are not able to manage the demands and expectations of Americans here in the 21st century. We've got to replace these legacy systems.
    So, in closing, I do want to thank our witnesses who are here today. Thank you for taking your time to be with us. I'm eager to hear your insights and your suggestions and look forward to listening to your statements and to working with you as we move forward.
    And so, again, thank you, Chairman Connolly, for your leadership in this area and this hearing.
    And, with that, I'll yield back.
    Mr. Connolly. Thank you so much, Mr. Hice.
    I'd like to introduce our witnesses today. We're grateful to have their expertise. Our first witness is Gundeep Ahluwalia who is the Chief Information Officer for the Department of Labor. Then we will hear from Jay Mahanand who is the Chief Information Officer for the U.S. Agency for International Development. And last but not least, we have Mr. Walsh representing the Government Accountability Office, which has been a great partner for us, and he serves as the Director of Information Technology and Cybersecurity at GAO.
    If the witnesses would be unmuted and raise their right hand and, Mr. Walsh, if you would stand and raise your right hand, it is the custom of our committee to swear in all witnesses.
    Do you swear or affirm that the testimony you are about to give is the truth, the whole truth, and nothing but the truth, so help you God?
    Mr. Ahluwalia. I do.
    Mr. Mahanand. I do.
    Mr. Walsh. I do.
    Mr. Connolly. Let the record show all three of our witnesses have answered in the affirmative.
    Without objection, your written statements, full written statements will be entered into the record.
    And, with that, Mr. Ahluwalia, you're recognized for your five-minute summation of testimony. Welcome.

  STATEMENT OF GUNDEEP AHLUWALIA, CHIEF INFORMATION OFFICER,
                      DEPARTMENT OF LABOR

    Mr. Ahluwalia. Thank you, Chairman Connolly, Ranking Member Hice, and the members of the subcommittee for the opportunity to speak here today about IT at the Department of Labor. I want to thank DOL leadership and all DOL employees for their hard work and dedication in support of wage earners, job seekers, and retirees across the country. I also want to thank Congress for your continued support with FITARA and the resources for IT modernization as a whole.
    As CIO, I have always strived to maximize available resources and apply them to an IT strategy, enabling data-driven decisionmaking and digitization aimed at better mission outcomes. FITARA's Scorecard helps show an agency's IT success, growth, and areas that may need improvement.
    The Department's high marks in implementing FITARA are a testament to our organization's commitment to IT modernization. We are the only agency to receive A grades in six of the seven categories. As a result of our efforts in implementing FITARA and upgrading our infrastructure, Labor was able to quickly transition 95 percent of our work force to a remote work environment when the COVID-19 started, without any interruptions to mission delivery.
    We maintained mission activities for 27 subagencies and onboarded more than 1,500 staff virtually. We continued to provide critical services for the American public, including protecting 401(k)'s, inspecting mines, ensuring workplace safety, and handling increased website traffic as people accessed weekly and monthly unemployment numbers.
    It is important to note that investing in IT modernization is not a once-and-done scenario. During my time as CIO of the Department of Labor, our focus has been on paying down our technological debt, enabling the IT strategy, and utilizing the tools Congress has provided with FITARA, Modernizing Government Technology Act, and the Technology Modernization Fund. In addition to innovative contracting strategies, we are taking advantage of the TMF funding opportunities coupled with our Working Capital Fund authority and appropriations for IT modernization.
    For example, in 2018, we used the TMF funding to streamline the temporary labor certification program from a paper-based to a completely digital process, resulting in a $2 million annual--$2 million annual savings for the department. We are also centralizing IT, HR, and procurement functions, which has helped us avoid costs in the past and has positioned us to drive efficiencies in the future.
    We are proud of the digitization successes we have achieved by modernizing our DOL websites to positively impact workers, employers, and the American public. For example, we developed apprenticeship.gov, a one-stop-shop website to bring together educators, employers, and job seekers to easily search for over 24,000 apprenticeship opportunities across the Nation.
    And as referenced earlier, the temp labor certification process, DOL created a completely digital electronic boarding pass mechanism. By developing the system, we were able to reduce processing times and the need for manual printing and shipping.
    The Department of Labor continued to move forward with its modernization efforts and has been successful in large part due to the funding mechanisms that Congress has enacted and supported. In fact, we are grateful to have received TMF funding for our enterprise data modernization initiative. This marks the second TMF award for DOL.
    Thank you for your time today and your continued support to FITARA--for FITARA and IT modernization efforts. I look back--I look forward to answering any of your questions.
    I yield back, Chairman.
    Mr. Connolly. Thank you, Mr. Ahluwalia, and you're a pro. You had, like, 49 seconds to go. So, thank you.
    Mr. Mahanand, you are now recognized for your five-minute summation of item.

  STATEMENT OF JAY MAHANAND, CHIEF INFORMATION OFFICER, U.S.
              AGENCY FOR INTERNATIONAL DEVELOPMENT

    Mr. Mahanand. Chairman Connolly, Ranking Member Hice, members of the subcommittee, thank you for inviting me to testify today. I'm grateful for the committee's support, and I'm pleased to have this opportunity to discuss USAID's progress in complying with the standards set out in FITARA.
    The global pandemic changed how we work, how we live, and how we interact with each other. For USAID and its people, responding to these global health crises is at the core of our mission. We have a longstanding history of dealing with emerging threats and global health security such as Ebola and now COVID-19. Because of this rich history, we were able to rapidly virtualize USAID's work force and leverage our leadership in cloud technology to lessen the impact on the agency's most valuable asset: its people.
    USAID global IT infrastructure plays a critical role in enabling and enhancing every aspect of the Agency's mission. Our 12,000-plus people in more than 120 countries, often under the most difficult circumstances where communication capabilities are severely limited, they depend on our cloud-based architecture to successfully perform USAID's critical work. Because of this, we're an organization that relies on cloud services and solutions that enable data-driven decisions and maximize the impact of those efforts.
    Now more than ever, reliable and secure and effective information technology systems and services are essential to USAID achieving its mission. As a global organization that works in some of the most challenging locations around the world and given the business demands of how USAID delivers U.S. foreign assistance on the ground, our overseas staff have been heavily reliant on modern and mobile IT solutions, even prior to the COVID-19 pandemic.
    The move to a cloud-based email messaging and collaboration platform back in 2011 significantly and quickly improved USAID mission delivery. It provided a mobile, on-demand messaging platform that meets the needs of the Agency's global work force, improved cost-efficiency, enhanced cybersecurity and overall functional operational improvements to our IT environment. As early adopters, our leadership and staff across the agency are accustomed to working in a cloud environment, leveraging the cloud to underpin our communication, security, data, and development backgrounds.
    Today USAID is 100 percent cloud-based with no legacy systems.
    Given all that has transpired this past year, I think about where USAID was 10-plus years ago, where we are today, and what has helped us get here. Although our journey to the cloud began before FITARA and the Scorecards, the impact and benefits we have realized by its creation and evolution has significantly aided our journey. FITARA has served as a cornerstone for establishing, measuring, and helping advance critical IT programs for CIOs across the government. Our USAID's legislation has underpinned our success in aligning the people, processes, and technology needed to balance innovation with compliance, mission needs, costs, and evolving threats. It has also provided an opportunity to have a collaborative dialog with OMB, GAO, the committee, and Congress, working together to improve how agencies implement FITARA.
    Although agencies will continue to face significant IT challenges and risks, this past year has shown the true benefits of a modernized, agile, innovative IT organization particularly during a global crisis. Aside from the technology challenges and moving thousands of employees to full-time telework overnight, the pandemic also ushered a new, more sophisticated way of cyber-attacks. As we have seen recently in the SolarWinds and Microsoft Exchange breaches, the threats are growing more pervasive, sophisticated, and damaging to both government and private sector organizations. As these threats become more advanced, the need for the Federal Government to further enhance its cybersecurity posture and better understand the various supply chains continues to grow.
    Over the past year USAID has expanded its effort to leverage state-of-the-art technology, such as AI and RPA, to help the Agency realize the full potential within its many data sources. Each project represents a significant investment USAID is making in innovation tools and platforms that will continue to help secure our network and data globally and help us keep pace with the Agency's ever-changing technology and information needs.
    USAID looks forward to the continued benefits the Scorecard and its measurement provide to Federal CIOs. Having consistent IT priorities across all agencies enhances mission outcome and provides a roadmap of technology investment that maximizes taxpayer dollars.
    I would like to thank the Members of Congress, members of this subcommittee in particular, for your continued leadership, interest in, and support of our work. USAID looks forward to collaborating with you to address future challenges and new opportunities for reform.
    Thank you for your time. I welcome your questions.
    Mr. Connolly. Thank you. Thank you. And you had 30 seconds left. So, thank you.
    I will say to you, Mr. Mahanand, a little piece of history you may not know. In 1979, when I got out of the graduate school, I was a Presidential management intern and I was offered a job at AID to help translate IT and policy. In that time cell phones didn't exist. The Internet didn't exist. Social media didn't exist. PCs didn't exist. It was a very primitive time. But can you imagine how history might have been different for you and me and my colleagues in this committee had I taken that job? Anyway, I'm glad you're there.
    Mr. Walsh, welcome again, and you are recognized for five minutes for summation of your testimony.

 STATEMENT OF KEVIN WALSH, DIRECTOR OF INFORMATION TECHNOLOGY
   AND CYBERSECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Walsh. Chairman Connolly, Ranking Member Hice, members of the subcommittee, thank you for inviting GAO to testify on this important issue today.
    To begin, I'd like to share one of my favorite Scorecard-related quotes from the chairman who has repeatedly said that the Scorecard is not intended to be a scarlet letter. Rather it is intended to start a conversation and to make sure that CIOs are part of that conversation. Regardless of the letter grades on the Scorecard itself, I think that elevation of our agency CIOs may be the most impactful effect of the committee's oversight. So, thanks to you and to your staff for your continued contributions to and oversight of Federal IT. Your persistent, thorough, and bipartisan oversight has changed the way the government manages its technology.
    Here are some key highlights of the progress that we have seen. Major increases in the authority for the five CIOs that now directly report to the agency head or deputy; minor, but no less important, increases in the authority and influence of all CIOs, largely due to the attention the Scorecard has brought to the role; and better management of agencies' IT portfolios to the tune of $22.8 billion saved.
    As the chairman noted, the most recent 11 Scorecard introduced two significant changes. First, the committee sunset the area related to software licenses. When the committee added this area in 2017, there were just two agencies that were using comprehensive, regularly updated inventories of software licenses. Now all 24 agencies do, resulting in a number of easy A grades for the past several Scorecard cycles.
    Second, the committee added a new area related to agencies' efforts to transition off GSA's expiring telecommunications contracts. This area needs the committee's oversight because the last time the government went through a similar transition onto the Networx contracts, the government took 33 months longer than planned. It resulted in $66 million in added costs and an estimated $329 million in lost savings.
    As you might expect, replacing the easy A of software licenses and the addition of the area on telecommunications transition put downward pressure on agencies' grades. Despite this, every agency passed by either receiving a B or a C. That may not always be the case. Agencies' past wins are no guarantee of future success, and the Scorecard reflects that.
    The Scorecard's continued growth has kept it relevant, and it will be an important tool for keeping Federal leaders accountable going forward. For example, the Scorecard could measure Federal websites' compliance with industry best practices in conjunction with the IDEA Act. It could also reward or give a bonus to the usage of the billion dollars recently received by the Technology Modernization Fund.
    However, the Scorecard is only as good as the data behind it. In that vein, it would be great to see OMB's IT dashboard reflect more of the government's IT spending. For example, right now, the dashboard does not include IT spending related to weapons systems, satellites, or supercomputers. The government's budding efforts to implement Technology Business Management, known as TBM, may help in that regard by closely linking agencies' accounting systems to IT oversight. However, half measures or an implementation that mimics true TBM will perpetuate the underreporting of IT spending.
    I should also note that the Scorecard is not a panacea. There are many critically important topics that are difficult to implement and grade and address: for example, measures of how well an agency serves the citizens, an agency's human capital skills and gaps, or even the IT acquisition cadres and strategic sourcing required under FITARA. Metrics on softer topics such as these are incredibly difficult to measure. How well has USAID's technology served our farmers or the IT and IRS our taxpayers? Has the DOD protected our citizens enough?
    These gaps also stress the significance of the work done by public servants who, regardless of the Scorecard's grades, do incredible work. These gaps in coverage also underscore the importance of having trusted, competent IT leaders and ensuring that they are a part of the conversation.
    To that end, I look forward to our continued conversations and the improvement of IT oversight. This concludes my comments, and I look forward to your questions.
    Mr. Connolly. Thank you, Mr. Walsh, also, 30 seconds.
    I mean, we've got three stars this morning, Mr. Hice.
    The chair now recognizes the distinguished Congresswoman from the District of Columbia, Eleanor Holmes Norton, for five minutes of questioning.
    Ms. Norton. Thank you very much, Mr. Chairman. Chairman Connolly, I very much appreciate these periodic hearings.
    My first question is for Mr. Walsh. The Federal Government currently invests about $90 billion annually in IT. Now what troubles me is that a third of the funding dedicated is for maintaining legacy systems. And so, what we're finding is that, as the amount of dedicated funds to IT operations and maintenance increases each year, the investments in the innovative IT projects decline.
    So, Mr. Walsh, my question to you is, how do the current budgeting and appropriations cycles--and we understand that's done on an annual basis--impede agencies' ability for investing in critical IT projects, especially ones that concern me, that seek to replace legacy systems? Is there anything we can do about it?
    Mr. Walsh. So, the annual appropriations process----
    Mr. Connolly. Mr. Walsh, I am going to--you are soft-spoken. If you would move that as close to you as possible, thank you so much.
    Mr. Walsh. Thank you, chairman.
    So, the annual appropriations process certainly does not help our efforts to modernize Federal IT. Having to save up multiple years to address a critical need is not currently possible. The MGT Act a few years ago attempted to address that by allowing agencies to save money in a Working Capital Fund and use the savings to address cybersecurity and modernization needs. So, I think that's a good step forward. However, the MGT Act did include a critical flaw that has prevented many agencies from fully taking advantage of those flexibilities.
    Ms. Norton. I can see that the problem's in the Congress.
    Mr. Walsh, several of the agencies have said that the reimbursement model itself is cumbersome, especially for IT projects that are critical to the mission but might not realize costs. What other considerations should Congress and the administration take into account, other than projects that realize hard costs?
    Mr. Walsh. So, as you correctly note, there are many, many, many things that we should consider when modernizing legacy systems. In particular, the functionality is very important. But there are also very, very old systems that cannot be modernized. For example, we wouldn't want to modernize the Voyager space probe's ground systems. We can't modernize the Voyager.
It's out past the edge of the solar system at this \npoint.\n    But the cost and the functionality are crucial, and in many \ncases, modernizing systems cannot result in cost savings. The \nnew systems that we're using right now in the cloud have a lot \nbetter capabilities. They have a lot better security than some \nof these very, very old systems.\n    So, you correctly note that, in many cases, we may not save \ncosts doing modernization, but it would be better for the \nservices of our taxpayers to do so.\n    Ms. Norton. Thank you.\n    Finally, Mr. Mahanand, could you talk about your experience \nwith establishing an IT capital fund at USAID?\n    Mr. Mahanand. So, that has been an ongoing issue for the \nlast three years for us. We've actually worked very close to \nOMB, our examiner and senior level, senior leadership within \nthe agency. They are all very supportive as far as getting--\nputting the language together and getting us to at least get it \ninto the President's request, but as far as what happened \nthere, we're not necessarily sure. We actually included it in \nthe 2019, 2020, and 2021 budget requests. But it never made it \ninto any of the appropriations.\n    Ms. Norton. My time is close to expire. I had another \nquestion.\n    But thank you very much, Mr. Chairman.\n    Mr. Connolly. If you have one more question, Ms. Norton, \nyou're free to ask it.\n    Ms. Norton. Yes. Mr. Ahluwalia, how can technology, the \nTechnology Management Fund, which was established by the \nModernizing Government Technology Act, which received $1 \nbillion, and the American Rescue Plan, has that helped the \nDepartment of Labor accelerate certain IT modernization \nprojects?\n    Mr. Ahluwalia. Thank you, Congresswoman. 
So, I'll try to be \nreally very quick here.\n    We are one of the few agencies who has received two TMF \nawards from that board, and it is a toolset that we use in \nconjunction with our appropriations Working Capital Fund \nauthorities to resource and modernize technologies. I am very \nproud of one of recent temp worker program. The visa requires a \nlabor certificate from DOL that used to be printed on a \ncurrency-like paper, and I shudder to think what would have \nhappened to that printing operation during COVID-19. \nFortunately, this January, in part due to the TMF funding, we \nwere able to completely digitize that process and shut down the \nprinting operations, which has now resulted in a $2 million \nsavings that will be returned to the fund.\n    I do agree with my colleague, Kevin Walsh. Not every--when \nyou replace a bicycle with a motor car, will it result in \nsavings? The motor car will require sometimes more to maintain, \nbut it takes you farther and faster. So, that construct has to \nbe considered in the future mechanisms when the DMF awards are \nmade.\n    Mr. Connolly. Thank you very much.\n    Thank you, Ms. Norton.\n    The chair now recognizes the distinguished ranking member, \nMr. Hice, for five minutes of questions.\n    Mr. Hice. Thank you, Mr. Chairman.\n    Yes, the challenge of any effort like FITARA at the end of \nthe day is to prevent it from going stale. I think, when we are \ntrying to ensure Federal IT funding is spent well, the most \nobvious question is whether there are metrics to determine \nwhether or not that money is spent well and how we gauge it. \nSo, let me start with this train of thought.\n    Mr. Walsh--and we spoke a little bit about this before the \nhearing this morning. But given the fact that this is the 11th \niteration of the Scorecard, what changes perhaps need to be \nconsidered by the committee to deal with the metrics to make \nsure we're being effective?\n    Mr. Walsh. 
So, to the Scorecard's credit and to the \ncommittee's credit, it has changed in every single iteration \nsince the second. Every single time the committee has made \nsometimes minor but important tweaks to improve this Scorecard. \nThis most recent 11 Scorecard is an excellent example of some \nof the changes that can be made with the sunsetting of the \nsoftware licensing and the adding of EIS. So, it's a credit to \nthe committee that this Scorecard continues to evolve and \nchange.\n    To get closer to how to evaluate the efficacy of how the \ngovernment is spending our money is a very, very difficult \nconcept, sir. I think the Scorecard is helping move us in that \ndirection, but measuring how good an agency is at delivering \nits mission or meeting its mission is something that we in the \nGAO and Congress have struggled with for quite a long time.\n    Mr. Hice. Well, is there any way we can quantify the return \non investment through 11 scorecards so far?\n    Mr. Walsh. So, the $22.8 billion that have been saved or \navoided as a result of the PortfolioStat initiative is one \nvery, very large metric we can use to measure ourselves. The \nincreases in CIO authorities are also important but harder to \nquantify.\n    Mr. Hice. I would like to see more of that on a page, like, \nhow do we really know there's this much savings, and where is \nthat savings coming from?\n    You mentioned in your opening statement the Solar Winds and \nseveral--a couple of our witnesses did. Again, the metrics of \nsomething like solar wind in the Scorecard, how do we develop \nthat to better equip Congress to recognize problems and deal \nwith problems before they happen?\n    Mr. Walsh. So, part of the challenge when deliberating with \nyou folks on how to come up with these metrics is what data are \ncurrently available. Especially in the case of supply chains, \nwe want to be careful not to utilize nonpublic data. 
We don't \nwant to put a target on any agency's head that's not already \nthere. I agree that supply chain management and the risks \nassociated are critically important to cybersecurity and our \ngovernment's operations, and we would love to work to explore \nfurther metrics that we can use to measure that. I think a note \nof caution is warranted though with things as secure and \nsensitive as that.\n    Mr. Hice. Let me cast that question over to Mr. Mahanand \nand Mr. Ahluwalia. As it relates to the cyber issue, the cyber-\nattacks, No. 1, I guess, what keeps you both up at night? And \nwhat can we do on this thing and on our side as it relates to \nthe Scorecard to better assess where we are on the cyber-attack \nconcern?\n    Mr. Mahanand?\n    Mr. Mahanand. Yes. So, I think we're on a good path here. \nIf you actually look at the cybersecurity metrics that you have \non the Scorecard, half of it is about cross-agency priority \ngoals, which is something that the agency--the Federal \nGovernment can decide, know exactly how they want to measure \nthat. But the other part of that is really it comes from the \naudit of your system or the audit of your network. And as far \nas that audit is concerned, it does take a close look at really \nthe controls that you have in place in terms of your systems. \nAnd it gets to whether, you know, you are doing well in \ncybersecurity, where you're actually monitoring and managing \nit, or you're not doing so well in it.\n    I think that's a really good start because in the new \nversion of the kind of the audit document here, they're going \nto be looking at supply chain controls for the next, you know, \nassessment period here. So, I would think that, as far as the \nmetric is concerned, I think it's a good place to start. You \ncan also incorporate more into that as far as the cross-agency \ngoals or as far as the audit is concerned.\n    But this is something that I know it is becoming more \nvisible. 
I just think this year the audit is possibly going to \nbe looking at supply chain and controls the agency may have in \nplace. So, I think you will get some better, you know, better \ndata when the audit is complete or the next Scorecard is put \nout.\n    Mr. Hice. OK. Mr. Ahluwalia--I'm sorry--if you could \nprovide us an answer with that, I'm really curious. I mean, you \nare among our experts, and I'm curious how we can be better \ninformed as Congress when it comes to the cyber threat. So, if \nyou could provide an answer for us in the next week or so, I \nwould appreciate that.\n    Mr. Ahluwalia. Happy to do that, Congressman Hice.\n    Mr. Hice. Thank you. I yield back.\n    Mr. Connolly. I thank the ranking member.\n    The chair recognizes himself for five minutes.\n    Mr. Walsh, what is a legacy system?\n    Mr. Walsh. So, legacy means many things to many different \npeople.\n    Mr. Connolly. I have got to hear you. You have got to speak \nup.\n    Mr. Walsh. Legacy means many things to many people, sir. I \nthink probably one of the better definitions is something that \nis no longer vendor supported, whether that be hardware or \nsoftware. So, if the vendor's not supporting it, if we're not \nable to easily maintain it, I think that's an easy definition \nof a legacy system. Similarly, you could say something along \nthe lines of what DOD does, that a legacy system is a system \nthat no longer meets its mission needs. So----\n    Mr. Connolly. Are we concerned that, under either of those \ndefinitions, legacy systems cannot be encrypted to protect from \ncyber hacking, cyber attacks?\n    Mr. Walsh. Absolutely, sir. And I think that's one of the \nthings we saw at OPM when they had that breach a few years ago. \nOne of the things that came out of that was we heard that OPM \nwas not able to encrypt the data that was on the servers at \nrest because of the age of the systems.\n    Mr. Connolly. 
I think that's a pretty critical point to be \nemphasized.\n    Are agencies required, Mr. Walsh, to have a plan to retire \nor upgrade legacy systems?\n    Mr. Walsh. So, we did work on this a few years ago, sir, \nand we looked at the most important and the most critical \nsystems in the government to be retired, and we found that in \nmany cases not only were they not required but they did not \nhave plans and those plans did not include things like a \ndescription of the work to be done, milestones, or a plan, most \nimportantly, to turn off the legacy system that they're \nretiring.\n    Mr. Connolly. From GAO's points of view, think, putting on \nyour high-risk category hat, would it be helpful if, in fact, \nthey were required to have such a plan?\n    Mr. Walsh. I think we should absolutely be thinking about \nthe oldest systems in need of modernization and have some form \nof plan going forward on how to either turn it off or get it to \na more secure space.\n    Mr. Connolly. Has GAO done any kind of cost estimate? On \njust, you know, spit-balling, if we were to have by fiat all \nlegacy systems need to be replaced and you need to have a plan \nto do that, what would it cost across the 24 Federal agencies \nwe're looking at?\n    Mr. Walsh. We have not done that work, sadly, sir. We did \nhave some case studies in our report that looked at some of the \nmost important, for example, one of the top 10 was--and we did \nnot name these systems but it was at the IRS. IRS spent $10 \nmillion per year to operate and maintain the system, and their \nestimate on how much it would cost to modernize the system was \n$1 billion.\n    Mr. Connolly. Billion.\n    Mr. Walsh. Billion.\n    Mr. Connolly. With a ``B.''\n    Mr. Walsh. So, to Mr. Hice's earlier comments, the return \non investment there would be somewhat dubious.\n    Mr. Connolly. Well, yes, although every dollar you're \ninvested in the IRS has a return on it. It's not a sunk cost.\n    Mr. Walsh. 
Absolutely. You've got the $40 billion that----\n    Mr. Connolly. By the way, that's true for your agency as \nwell. We get a return on our investments with you and your \ncolleagues at GAO. So, we have to think it in those terms, too. \nAnd as you pointed out, then there are the sort of imponderable \nor indecipherables. But they're still so important, right, like \nquality of service to the American people. That kind of \nmatters, too.\n    Let me ask about CIOs. How, from GAO's point of view, when \nyou're looking at the Scorecard, how much progress are we \nmaking or not making in having a premier CIO report directly to \nthe boss?\n    Mr. Walsh. So, since this first Scorecard, we now have five \nmore CIOs that directly report to the boss. We also have seen \nincremental progress elsewhere. It's a lot harder to measure \nwhich CIOs have a seat at the table that they did not \npreviously have, but those five CIOs having reporting authority \nI think is the most important metric there.\n    Mr. Connolly. We've had--have we had some backsliding in \nthat regard?\n    Mr. Walsh. To the best of my knowledge, I am not aware of \nany agencies that are backsliding I think in large part due to \nthe attention brought by this committee.\n    Mr. Connolly. I mean, you know, if you look at the private \nsector, I can't think of many successful companies where the \nCIO does not directly report to the CEO and even dotted-line \nrelationships in the organizational chart don't count, and \nwe've got to evolve to a system where the CIO, because if we \nreally mean it about fundamental changes in IT modernization, \nin order to undergird the mission, we've got to have a CIO \nwho's empowered. And the best way in a bureaucracy to empower \nsomebody is to make sure everyone can see that person reports \nto the boss.\n    Mr. Walsh. Absolutely, sir. It's hard to imagine a company \nthese days that does not have IT-involved core to its mission. 
\nSimilarly, it's hard to imagine a government agency that does \nnot have IT contributing critical amounts to its mission.\n    Mr. Connolly. And final question in this round, we just got \n$1 billion for the Technology Management Fund, which is not \nwhat we wanted or what President Biden wanted. But it's \ncertainly a huge quantum leap from what was appropriated at $25 \nmillion. Do you believe that that $1 billion will be a \nsignificant catalyst to incentivize agencies to make the \ninvestments we're talking about including the return of legacy \nsystems?\n    Mr. Walsh. So, previously the fund was receiving $25 \nmillion per year, as you noted. Getting $1 billion in a year is \ngoing to allow them to explore projects that were previously \noutside of their ability. They didn't have the money to address \nsome of these most critical needs. So, I think it will be \nimportant. The challenge is going to be ramping up that team \nthat manages the TMF to make sure that they have the expertise \nnecessary to oversee these projects.\n    Mr. Connolly. Yes, I also think we're going to have to have \nclear criteria soon because the expectations are really high \nabout this. We're going to have to have criteria soon from OMB \nin terms of how that fund could be used and how it should be \nused. And we're going to hope GAO is monitoring that carefully \nso that if there are real-time issues, we can try to address \nthose in real time rather than retrospectively because then the \ndamage is done.\n    Mr. Hice, who is to be recognized?\n    Mr. Keller is recognized for five minutes.\n    Mr. Keller. Thank you, Chairman Connolly. And thank you to \nthe witnesses for taking time to be here today.\n    The pace of government often lags behind that of the \nprivate sector, and the process of technology acquisition is no \nexception. As agencies struggle to keep up with current \ntechnology, Federal acquisitions often overshoot their targeted \ntime and cost estimates. 
Along with ensuring cybersecurity and \ntransparency, the Scorecard should measure how effectively an \nagency is purchasing and utilizing new technology. My time in \nprivate industry, our mentality was that the team I worked with \ncould not improve unless we knew exactly how well we were \nperforming and what targets we were hitting. The same should go \nfor Federal agencies.\n    The question I have is for all the panelists here today. \nPart of Congress' job is ensuring Americans get the most out of \ntheir tax dollars. How does FITARA achieve this end? And are \nthey--and are there any modifications to FITARA that would help \nus better capture this metric? And that could be for anybody. \nMaybe all the panelists can give me a little bit of explanation \nof what they think.\n    Mr. Connolly. Mr. Keller, without prejudice to your time, \nare you asking modifications to the Scorecard or to the \nunderlying legislation itself?\n    Ms. Kelly. The Scorecard.\n    Mr. Connolly. Yes. Thank you.\n    Mr. Ahluwalia. So, I'll go first. This is Gundeep. I'm the \nCIO for the Department of Labor.\n    I think the ability to use various types of resources is, \nthat span across multiple years is an important mechanism and a \ndifferentiator in the way government and the private sector \nworks. So, I look back at my private sector years and on what \nthe differences are. One is these projects are multiyear, and \nwe try--and we don't have the visibility for the resources on \nthat. Having a clear plan that has outcomes not about moving to \nthe cloud or about taking software out--those are important as \nwell--but having outcomes like I will remove paper from a labor \ncertification process or digitize it completely or I'll reduce \nthe number of--reduce the number of days that it takes for a \nperson to consume its service from the government, or I will \nmake it mobile friendly like the private sector. 
You can go to \nAmazon and sort of have that shopping experience and that kind \nof customer experience.\n    Those are the metrics that we focus on to bringing the \nservices that we render to our constituents at par with the \nprivate sector. And a focus on that, managing resources as a \nmultiyear resource and with a strategy to execute to, those are \nthe key ingredients that I remember worked in the private \nsector and would work in the public sector as well.\n    Mr. Keller. So, as far as modifications to FITARA that \nwould better capture the metric, I understand how we want to do \nit better. But, again, any other thoughts from the other \nwitnesses?\n    Mr. Mahanand. This is Jay Mahanand, USAID CIO.\n    So we--as you can--from my testimony, you can see we've \nactually moved quite a bit of innovative technologies, you \nknow, that we've implemented or started. For instance, really \nlooking at, you know, how we can get started, I think that's \nthe key to anything we do. But whether or not a technology is \nviable for an organization, that's something to be said and \nsomething we need to go through.\n    For us, we're--an example is that we're very intensive when \nit comes to data and so, you know, questions in terms of all of \nthe data that we have, what do we do with it, and how do we \nmake it--you know, how do we use technology to actually \ninnovate and be able to get answers on the raw data there. So, \nfor us, it's really just taking, you know, some time off and \nbasically create a pilot, some use cases, initiate those use \ncases with the technology that we have, and try to validate \nwhether or not that is something we can go.\n    But for us is that, given the fact we don't get a large \namount of money, we simply use, you know, kind of the \nprototyping to kind of make a determination whether or not the \ntechnology would work for us. 
And so we've been pretty \nsuccessful because if we can show the agency that, hey, this \nprovides or brings value into the organization, then there's \nalways funding that is, you know, that would be subsequently, \nyou know, coming for that specific technology.\n    So, I think that's how we do it internally because we \nalways look at something. And even I mentioned, you know, \nrobotic process automation, in terms of efficiency that it \ngains because, you know, there's quite a bit of just manual \nprocess we have in agencies. We talked about doing more for \nless. That is the way that we see things and how we would \nactually get things started. Technology has been in place. But \nwe need, you know, the people, processes, and technology all to \nwork together. So, we pilot certain things to make sure that \nthere's an appetite for those types of technology in the agency \nbecause there's an adoption. There's also change-manage-related \nissues to bringing technologies in place as well.\n    So, it's a complex discipline in terms of how you would \nmeasure that. You know, for me, kind of getting back to, you \nknow, some of the comments that were made, you know, \nspecifically when it comes to, you know, ROIs and, you know, \ngetting money to actually make a determination of how \ntechnology would be used, the TMF is a good example of that. We \nkind of--it has been mentioned that, you know, for us, we \nactually made proposals in the TMF for a couple of--we would \nsay innovation, and we got declined for that because it was \nmore--not necessarily a modernization but also it was toward \ninnovation.\n    So, I think, on the TMF, my two cents is also not look just \nat modernization but, getting to your point, really is take a \nlook where agencies can use that money to innovate and be \nbetter at that.\n    Mr. Keller. Thank you. I see I'm out of time, so I yield \nback.\n    Mr. Connolly. Mr. Keller, I will certainly entertain Mr. 
\nWalsh if he wishes to respond to your question before you yield \nback.\n    Mr. Walsh. Sir, one of the ways that we could perhaps \nbetter measure how we are serving the citizens is how well \ntheir websites, which, you know, is the prime portal that \npeople interact with, citizens, are compliant with best \npractices, are enforcing privacy metrics. So, that is something \nthat we would love to explore with the committee and look \nforward to doing so.\n    Mr. Keller. I appreciate that. Thank you.\n    Mr. Connolly. And, Mr. Keller, we can talk to you offline, \nbut I believe we have some legislation that actually addresses \ntrying to upgrade websites and make sure they're user-friendly \nand that they're ranked and reviewed. So, that's absolutely--\nbecause that's the portal for most citizens to the government, \nat least electronically.\n    Mr. Hice, is Mr. Biggs the next one? Yes. Mr. Biggs is \nrecognized for five minutes.\n    Mr. Biggs. Thank you, Mr. Chairman, and I thank the \nwitnesses for being here today, for sharing their perspectives \non this critically important topic.\n    Like many of my colleagues, I was especially disturbed by \nthe early 2020 Solar Winds hack, which left nearly 20,000 \nentities vulnerable to data breaches, including the Departments \nof Defense, State, Energy, Justice, and Treasury in the public \nsector, and Microsoft, Cisco, and FireEye in the private \nsector. Amazingly, that attack happened over the course of more \nthan a year, which showed a chilling level of patience and \ndiscipline.\n    So, my first question--and it's for each member of the \npanel--is this: How confident are you that we are better \nprotected from a drawn-out, solar-wind-style attack now than we \nwere in early 2020?\n    And I'll start with you, Mr. Walsh.\n    Mr. Walsh. 
So, we had a remarkably timed report at the same \ntime as the Solar Winds hack, GAO 21-171, which looked at \nagencies' implementation of supply chain risk management.\n    We looked at seven key practices identified by NIST \nguidance that attempted to help agencies manage those risks. We \nfound that only nine agencies had done any of those seven. So, \nto your point, sir, I think we should be very concerned.\n    Mr. Biggs. Please, the other panelists, please respond as \nwell. Thank you, Mr. Walsh.\n    Mr. Ahluwalia. So, at Labor----\n    Mr. Connolly. Would my friend just yield for one second and \nwithout prejudice to----\n    Mr. Biggs. Yes. Yes, Mr. Chairman.\n    Mr. Connolly. Just to followup on that. Could it have been \navoided? I mean, you said we need to be very concerned. Well--\nbut could we have stopped it, done something about it?\n    Mr. Walsh. So, one of the seven practices that we \nidentified is helping to detect problematic items in your \nsupply chain. But, backing up it even further than that, part \nof the issue is knowing what your supply chains are.\n    There are many agencies that don't fully know what their \nsupply chain, not only of the hardware but also of the \nsoftware, is. So, I think could we have prevented it? Probably \nnot at that time. It's disappointing as well that it took so \nlong to detect it. So, it's very, very concerning, sir.\n    Mr. Connolly. Thank you for yielding.\n    Mr. Biggs. You bet, Mr. Chairman.\n    And I--just so you know, Mr. Chairman, I intend--if there \nis time, I want to followup with what's happening now and the \nsteps that are being taken.\n    So, would the other panelists please respond.\n    Mr. Ahluwalia. So, at Labor, just like other departments, \nwe take the cybersecurity very seriously. 
I think the DHS'
Continuous Diagnostics and Mitigation Program, the CDM program,
has had significant impact and probably protected us from that
breach when it happened.
    We've implemented a 24/7 SOC. We are meeting--and
implemented newer technology as well.
    I completely agree with my fellow panel members here, as
well as the committee, that the supply chain risk remains one
of the largest risks that is there to the entire U.S. economy,
in the private sector as well as public sector.
    From the public sector perspective, it is my thinking that
there are some steps that can be taken in individual
departments. For example, understanding what our supply chain
means, adding language to our contracts, and things of that
nature.
    But then a more comprehensive approach, looking at the CDM
success, I think can be led by DHS. That crosscuts and protects
the entire government apparatus rather than piecemealing it at
each department at a time.
    So, I think there is a combination of a strategy where some
steps need to be taken locally within the departments, and then
a comprehensive CISA-, DHS-led strategy to protect our
apparatus would be the biggest bang for the buck, Congressman.
    Mr. Biggs. Thank you. And then our last panelist, if you
could please be brief because I want to get back to what are we
doing now, how are we going to get----
    Mr. Mahanand. Yes. So, just to--the one thing that we need
to realize is that this is a cost application that was
vulnerable, right? And so one of the things that we really need
to look at is the supply chain. But, also, how do we extend
some of the cybersecurity measures to these specific vendors?
And it's something that we need to think about.
    I know DOD is looking at the cybersecurity certification
for vendors, but that is something within the Federal space we
know--we have risk-management frameworks. We have cybersecurity
frameworks. We have everything to protect our systems in C.
    The ability to, you know, implement zero-trust--zero-trust
architecture is something that we are all looking to do. But
the point still goes back to we still need to do something with
the vendors to make sure that there is some sort of
certification that they also validate the supply chain.
    Thank you.
    Mr. Biggs. Thank you.
    Mr. Walsh, would you please respond to the followup
question, which is where are we going----
    Mr. Connolly. Mr. Biggs, if you had a brief followup,
you're recognized for that.
    Mr. Biggs. Thank you, sir.
    Mr. Walsh, if you'd just go to the followup, which is where
are we going from here?
    Mr. Walsh. Sure. So, I think the best practices that we can
implement are detailed in the report I cited earlier, which is,
as Mr. Mahanand said, getting some idea of what our supply
chains are and working closely with the vendors to make sure
that we are securing them.
    Having executive oversight is also very critical. But, to
sound an alert on where we are now, the Cybersecurity and
Infrastructure Security Agency has issued multiple alerts over
the past several months citing similar things happening with,
for example, Microsoft Exchange, or even our critical
infrastructure--the water, power plants, and the like--which
were vulnerable to attacks.
    Mr. Biggs. Thank you, Mr. Walsh.
    And thank you, Mr. Chairman. And I hope that, in the
future, we might have an additional time where we can actually
expand on this particular topic even further.
    Mr. Connolly. Absolutely. Be glad to work with you on that,
especially, frankly, the--Mr. Walsh's insight in terms of
supply chain. I think that's really--we need to understand that
more than the phrase, right? Like, are we talking hundreds of
parts? Because, if that's the case, no wonder somebody could
penetrate, because----
    Mr. Biggs. Right.
    Mr. Connolly [continuing]. how are we monitoring all that.
What are the mechanisms for monitoring all of that?
    Mr. Walsh. Sir, it's not only the parts, but it's also the
software. Every single piece of cloud software that we have
installed on the network is potentially----
    Mr. Connolly. No, no. I'm including that in the supply
chain. And, I mean, when I heard that, it--my ears perked up.
So, we'll follow up on that, Mr. Biggs, with you. Thank you so
much.
    We're joined by the vice chairwoman of the subcommittee,
the gentlelady--and I know it's early out there in California,
so thank you so much for joining us so early. Ms. Porter is
recognized for five minutes.
    Ms. Porter. Thank you very much, Chair.
    Mr. Walsh, can you briefly tell the committee what a data
center is?
    Mr. Walsh. So, currently, OMB defines a data center in two
different tiers. A tiered data center is essentially something
that you probably picture when you hear the word data center.
It was purpose built. It has uninterruptible power supply,
cooling solutions, and the like.
    There is also what OMB categorizes as a nontiered data
center, which are getting less attention, but those are things
like servers in smaller rooms that were not purpose built but
are still important vectors of bad actors trying to get into
our agencies.
    Ms. Porter. I understand that there is a data center
operation initiative. What is it meant to do exactly?
    Mr. Walsh. So, the data center optimization initiative is
intended to help our data centers, the big ones that already
exist not only consolidate but get better. So, we want them to
utilize more of their capacity. We want them to run on more
modern hardware, which can save us operational costs, and make
sure that we're best using the tools that we have available to
serve our citizens.
    Mr. Connolly. Could I interrupt one second, Ms. Porter----
    Ms. Porter. Of course, sir.
    Mr. Connolly [continuing]. on that point? I want to stress
the law, FITARA, refers to data center consolidation. It does
not refer to optimization, a phrase that was invented by OMB
and OPM that we were--this subcommittee, on a bipartisan basis,
was concerned could be used to actually circumvent the
requirement of the law.
    And, Mr. Walsh, before Ms.--without prejudice to Ms.
Porter's time, could you just address that because that remains
a concern of this subcommittee. The law must be complied with,
and the law says consolidation, not optimization.
    Mr. Walsh. Absolutely, sir. And I think my fellow witnesses
here might be able to serve very well in terms of what the
current state of their data centers are, how many they have
left. But you are absolutely correct. The law says
consolidation, and we still want to see agencies closing and
consolidating those data centers. We don't want empty data
centers.
    Mr. Connolly. Right. So, in response to Ms. Porter's
question about what is this optimization initiative, that is
what? In addition to the requirement of the law?
    Mr. Walsh. Sir, the law is the law.
    Mr. Connolly. Well, I know that.
    Mr. Walsh. Yes. So, OMB's data center optimization
initiative, yes, it is in addition to FITARA.
    Mr. Connolly. OK. It's in addition to.
    Thank you, Ms. Porter. I wanted to clarify that.
    Ms. Porter. Absolutely. Thank you very much, Mr. Chair.
    So, in the past, the GAO has testified before this
committee that data consolidation not only protects us from
cyber-attacks, but it also decreases cost to taxpayers. In
fact, Mr. Ahluwalia--I'm going to mess up his name--Ahluwalia.
How did I do? Slow.
    Mr. Ahluwalia. Excellent, Congresswoman.
    Ms. Porter. In fact, Mr. Ahluwalia, how much has the
Department of Labor realized in cost savings through closing 73
data centers?
    Mr. Ahluwalia. Thank you, Congresswoman.
    I think this is one of the bright spots of our portfolio
and how we have been able to realize savings. Over the last few
years, we have been able to close down 73 of these data
centers, and despite what the regulations are and the current
initiative status is, we are tracking every tiered and
nontiered data center. We have saved around 70-plus million
dollars, to answer your question directly.
    Ms. Porter. Thank you. So, you were able to save over $70
million and able to reduce office space, consolidate contracts
and services, cut duplicative costs.
    Mr. Walsh, do you know how much agencies in total have
saved because of the initiative?
    Mr. Walsh. I do not have the numbers at hand. It is in the
order of billions of dollars.
    Ms. Porter. What I have is a total of about $7.1 billion in
savings, either cost savings or cost avoidance, for fiscal
years 2012 through 2020. Clearly, this metric has prompted some
pretty big savings for taxpayers.
    But, in June 2019, the day before the FITARA 8.0 hearing,
the OMB issued guidance updating the data center initiative.
They redefined and narrowed the definition of a data center in
a way that, according to the GAO, eliminated the reporting of
over 2,000 facilities governmentwide.
    So, Mr. Walsh, if we leave out more than 2,000 facilities,
we're missing out the evaluation and potential, you know,
improvement and cost savings of all of those facilities through
this effort. Isn't that right?
    Mr. Walsh. That is correct.
    And to Mr. Ahluwalia's point earlier, he mentioned that
they are tracking not only the tiered but also the nontiered
data centers. Tracking the nontiered data centers, those are
the ones that fell off. That's the 2,000 that you mentioned
there. So, it's, in a sense, the----
    Ms. Porter. And those are those smaller ones that weren't
necessarily intended to be data centers, those nontiered ones.
This could open us up to cyber-attacks, couldn't it?
    Mr. Walsh. That is correct. And we have encouraged the OMB
and the agencies to continue their tracking of these nontiered
data centers.
    Ms. Porter. That's potentially wasting taxpayer dollars,
because we're not evaluating these nontiered data centers for
potential consolidation or optimization?
    Mr. Walsh. That is correct. And to help put a face to the
name, some of these smaller data centers include things like
FAA's air traffic control centers or large medical machinery
that has basically supercomputers built into it.
    Ms. Porter. I'm pretty concerned about those things, FAA
data and medical data.
    Thank you very much, Mr. Walsh.
    At every hearing since OMB issued this rule, members of
this subcommittee have brought up the data center definition
issue. It seems from these hearings that OMB thinks it's
following appropriate private-sector best practices. And GAO
thinks that we're exposing cyber insecurities.
    Has GAO been working with OMB to ensure Federal agencies
are not turning a blind eye to potential cybersecurity risks or
wasting tax dollars?
    Mr. Walsh. So, we do correspond very closely with OMB. We
work with them as best as able. So, we try. And we do have
annual reporting requirements----
    Ms. Porter. Mr. Walsh, are they listening to you, or are
they ignoring you?
    Mr. Walsh. I would say it's a push-pull. We work as
collaboratively as we can, but sometimes it does feel like it's
more of us talking and them not listening.
    Ms. Porter. But I get the sense, Mr. Walsh, that you're
doing the pushing and the pulling, and they're doing the
resisting. Is that an incorrect takeaway?
    Mr. Walsh. So, there are times that we have worked very
collaboratively, and I do not want to disrespect OMB or the
good work they do. But, on certain issues, we don't always see
eye to eye, so I think you're correct.
    Ms. Porter. Are they currently--with the GAO in its
professional opinion--again, respecting the mission of OMB and
the work that they do, is OMB in compliance with FITARA?
    Mr. Walsh. So, I hesitate to come out with an official GAO
opinion on this just because, right now, with the
administration change, we have not yet seen how they are going
to treat this issue.
    Ms. Porter. OK. Well, I look forward to finding out what
you find in the post-administration change.
    So, I think we're really right that we need to consider
potential solutions, not just letting you do the investigation
under the new OMB management, but I also support a potential
legislative fix if OMB continues to not follow through. If
they're not following the statute or they're defying
congressional intent, then I think we need to consider
legislation or even enforcement action.
    Thank you very much for sharing your expertise with the
committee today.
    I yield back.
    Mr. Connolly. Thank you, Ms. Porter. And I love your spirit
because I feel the same way.
    You don't get to come into compliance with FITARA by
redefining what a data center is, and you don't get to come
into compliance by actually substituting a word in the law with
another one that suits your purposes better and gets you off
the hook.
    And we are going to insist on compliance with the law. And,
if we have to--as Ms. Porter suggests, if we have to further
refine legislative language to make it very clear and,
unfortunately, more restrictive, we will.
    And we certainly will back up your efforts, Mr. Walsh, and
those of your colleagues to insist on compliance. Let there be
no doubt about that.
    We are joined by the distinguished ranking member of the
full committee, Mr. Comer. Mr. Comer, welcome. You're
recognized for five minutes.
    Mr. Comer. Thank you, Mr. Chairman.
    I have a couple of questions for Mr. Mahanand and Mr.
Ahluwalia. I mispronounced that. But since most people now
experience government through digital interactions, an agency's
IT system is critical in building citizens' trust in their
government, obviously.
    How does your agency measure the digital experience that
you are designing in your IT systems?
    Mr. Ahluwalia. So, I can go first, Congressman. Thank you
for the question.
    At Labor, the service that we provide to the constituents
that we serve is extremely important for us. So, the--one of
the discussions earlier was around IDEA Act and compliance with
it. We have taken that--the implementation of that act very,
very seriously.
    We developed a one-web initiative, where we have instituted
the responsive design parameters that the private sector uses,
and also made all our websites mobile friendly and accessible
for the general public. The mobility as well as the
user-centric design of these are in compliance with the IDEA
Act and at par with the private sector at this point in time.
    I will say, with every new project we come up with, we
measure the ease with which customers or consumers or employers
across the Nation are able to consume our services. So, are we
shortening the amount of time taken for the business process to
yield the results of mission outcomes? And those sort of
success measures are in each and every one of our projects.
    Mr. Mahanand. So, this is Jay Mahanand from USAID.
    So, like Mr. Ahluwalia, we also follow the IDEA's act, but
we take it kind of, you know, a step forward. When I say we are
100 percent cloud enabled, we consider that as kind of the
digital implementation of things that we do for the agency.
    The ability for our staff overseas and locally to be able
to get any of the services that they need should be--should be,
you know, accessible to no matter where you are, and so we take
that in terms of the insight in terms of our strategy and
develop that--develop basically our architecture around that.
    So it is, you know, something that we take very seriously
given the fact that where we work in. We also have to look at
our challenges of low-bandwidth, you know, areas in different
parts of the world.
    And so, when we look at digital technology, we also look
at, you know, cloud services to be associated with that
because, really, that's where the--you know, the rubber meets
the road specifically when it comes to the digitization of, you
know, services.
    You know, we take something like digital forms, right? And
so we've looked at DocuSign. And, you know, the ability for us
to not necessarily be in the office to do that is something
that, you know--that we would try to roll out for everything
that we do.
    So, it's just looking at what--you know, looking at the
service themselves and seeing what we can actually digitize, or
move it--again, move it to the cloud, where it is more
accessible and then put the security around that.
    Mr. Comer. So, what actions do you all take based on
feedback from citizens and employees who use your agency's
online tools?
    Mr. Mahanand. So, although it is--so, from--our primary
interaction with users is--and the public is really through our
main website, usaid.gov, and there is a feedback loop from that
website into the agency, and there is a team of folks that
actually look at suggestions that comes in. And, if it's
something that's viable, again, we act on it. But, if it is
something that--you know, we modernize the site just to make
sure that we are able to be everything in the IDEA's act,
right, in terms of all five of those categories.
    Mr. Ahluwalia. We have a similar loop, Congressman. We take
these things very seriously. And I'll give you an example. It
was in my testimony earlier as well, the apprenticeship.gov
website that we created.
    We went to Job Corps centers. We went to jobs work centers,
employment agencies across various states to figure out what is
needed. We did a user-centric design study, and we continued
that kind of a feedback loop to remain at par with the
experiences these folks are getting with the private sector
tools.
    Mr. Comer. OK. Thank you, Mr. Chairman.
    I yield back.
    Mr. Connolly. I thank the distinguished ranking member.
    In closing, I want to reiterate some of the things we've
heard here today.
    We want to make sure there is full compliance with what's
in the law, and nobody gets to sort of redefine that
unilaterally.
    Second, we do remain flexible with respect to the
Scorecard, and we will be, as Mr. Hice suggested, remaining
flexible and looking at categories to make sure we're capturing
performance as accurately as we can.
    And of course GAO has always been our partner in that
regard, and we thank you, Mr. Walsh, and your colleagues for
that continuing partnership.
    And we hope that this kind of hearing--oversight hearing
reinforces your ability to communicate with counterparts in
respective Federal agencies that Congress means it. I can't
think of another example on Capitol Hill for a single piece of
existing legislation that has already had 11, going on 12,
oversight hearings over five or six years on a very bipartisan
basis, you know, to reinforce compliance and implementation.
And so I hope that strengthens your hand as well.
    And, you know, our goal is to try to make the Federal
Government more efficient, to save money along the way. And we
have saved a fair amount of money.
    We want to follow up on Mr. Biggs' question with you about
supply chain vulnerability because I think--I think that might
be the key to helping us better understand what happened and
the how and why. The soft underbelly is the supply chain, and I
think that's a pretty key takeaway from your testimony today,
Mr. Walsh.
    And, finally, I would ask--and, if you need a formal
request, I think we'd do it, but I think all of us, on a
bipartisan basis, would like to know, how did IT play a role in
relief efforts--Federal relief efforts, and, for that matter,
even state relief efforts related to Federal policy guidance in
this pandemic?
    You know, we look at the Small Business Administration and
its E-Tran system, for example, that got overwhelmed. We look
at the IRS, which had 60 different IT systems, some of which
worked well, some of which didn't. And, you know, it had to both
remain the tax collector, audit entity, while also becoming a
benefit delivery entity. And that transition really challenged
IRS in terms of its IT systems.
    And then we also, of course, want to follow up on legacy IT
and the TMF and how we can best use that to leverage more--the
acceleration of the retirement of legacy systems so that we're
more cyber secure and we're saving taxpayers' money.
    So, those are some things, I think, from today's hearing.
    I want to thank my partner, Mr. Hice, and Mr. Comer for
your presence here today as well.
    One of the hallmarks of this--you know, we don't agree on a
lot of things, but, when it comes to IT modernization, we've
had bipartisan harmony coming out of this subcommittee. And, in
fact, I'm very proud of the fact that the very first bill
passed in the House in this Congress, on January 5, was a bill
coming out of this subcommittee on a bipartisan basis, the
FedRAMP bill, to codify the certification of private entities
wanting to provide cloud services to the Federal Government.
    And I thought that was a pretty strong statement about
recognizing and elevating the importance and role of IT, which
GAO first brought to everyone's attention in its high-risk
report. So, we're continuing to try to take it seriously and
push the system to betterment.
    I thank my colleagues. This hearing is adjourned.
    [Whereupon, at 10:27 a.m., the subcommittee was adjourned.]

                                 [all]
</pre></body></html>