b"<html>\n<title> - FITARA 12.0</title>\n<body><pre>[House Hearing, 117 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n \n                              FITARA 12.0\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS\n\n                               OF THE\n\n                   COMMITTEE ON OVERSIGHT AND REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED SEVENTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 28, 2021\n\n                               __________\n\n                           Serial No. 117-38\n\n                               __________\n\n      Printed for the use of the Committee on Oversight and Reform\n      \n      \n      \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]       \n      \n\n\n                       Available at: govinfo.gov,\n                         oversight.house.gov or\n                             docs.house.gov\n                             \n                             \n                             \n                             ______                       \n\n\n             U.S. GOVERNMENT PUBLISHING OFFICE \n45-424 PDF           WASHINGTON : 2021 \n                             \n                             \n                             \n                             \n                   COMMITTEE ON OVERSIGHT AND REFORM\n\n                CAROLYN B. MALONEY, New York, Chairwoman\n\nEleanor Holmes Norton, District of   James Comer, Kentucky, Ranking \n    Columbia                             Minority Member\nStephen F. Lynch, Massachusetts      Jim Jordan, Ohio\nJim Cooper, Tennessee                Paul A. Gosar, Arizona\nGerald E. Connolly, Virginia         Virginia Foxx, North Carolina\nRaja Krishnamoorthi, Illinois        Jody B. Hice, Georgia\nJamie Raskin, Maryland               Glenn Grothman, Wisconsin\nRo Khanna, California                Michael Cloud, Texas\nKweisi Mfume, Maryland               Bob Gibbs, Ohio\nAlexandria Ocasio-Cortez, New York   Clay Higgins, Louisiana\nRashida Tlaib, Michigan              Ralph Norman, South Carolina\nKatie Porter, California             Pete Sessions, Texas\nCori Bush, Missouri                  Fred Keller, Pennsylvania\nDanny K. Davis, Illinois             Andy Biggs, Arizona\nDebbie Wasserman Schultz, Florida    Andrew Clyde, Georgia\nPeter Welch, Vermont                 Nancy Mace, South Carolina\nHenry C. ``Hank'' Johnson, Jr.,      Scott Franklin, Florida\n    Georgia                          Jake LaTurner, Kansas\nJohn P. Sarbanes, Maryland           Pat Fallon, Texas\nJackie Speier, California            Yvette Herrell, New Mexico\nRobin L. Kelly, Illinois             Byron Donalds, Florida\nBrenda L. Lawrence, Michigan\nMark DeSaulnier, California\nJimmy Gomez, California\nAyanna Pressley, Massachusetts\nMike Quigley, Illinois\n\n                     Russell Anello, Staff Director\n  Wendy Ginsberg, Subcommittee on Government Operations Staff Director\n                    Amy Stratton, Deputy Chief Clerk\n\n                      Contact Number: 202-225-5051\n\n                  Mark Marin, Minority Staff Director\n                                 ------                                \n\n                 Subcommittee on Government Operations\n\n                 Gerald E. Connolly, Virginia, Chairman\nEleanor Holmes Norton, District of   Jody B. Hice, Georgia Ranking \n    Columbia                             Minority Member\nDanny K. Davis, Illinois             Fred Keller, Pennsylvania\nJohn P. Sarbanes, Maryland           Andrew Clyde, Georgia\nBrenda L. Lawrence, Michigan         Andy Biggs, Arizona\nStephen F. Lynch, Massachsetts       Nancy Mace, South Carolina\nJamie Raskin, Maryland               Jake LaTurner, Kansas\nRo Khanna, California                Yvette Herrell, New Mexico\nKatie Porter, California\n\n                         C  O  N  T  E  N  T  S\n\n                              ----------                              \n                                                                   Page\nHearing held on July 28, 2021....................................     1\n\n                               Witnesses\n\nMs. Clare Martorana, Federal Chief Information Officer, Office of \n  Management and Budget\nOral Statement...................................................     7\nMr. Keith A. Bluestein, Chief Information Officer, Small Business \n  Administration\nOral Statement...................................................     9\nMr. Sean Brune, Chief Information Officer, Social Security \n  Administration\nOral Statement...................................................    11\nMs. Carol C. Harris, Director, Information Technology and \n  Cybersecurity, Government Accountability Office\nOral Statement...................................................    12\n\nWritten opening statements and statements for the witnesses are \n  available on the U.S. House of Representatives Document \n  Repository at: docs.house.gov.\n\n                           Index of Documents\n\n                              ----------                              \n\n\n  * Questions for the Record: to Mr. Keith A. Bluestein; \n  submitted by Chairman Connolly.\n\n  * Questions for the Record: to Mr. Sean Brune; submitted by \n  Chairman Connolly.\n\n  * Questions for the Record: to Ms. Clare Martorana; submitted \n  by Chairman Connolly.\n\nThe documents are available at: docs.house.gov.\n\n\n                              FITARA 12.0\n\n                              ----------                              \n\n\n                        Wednesday, July 28, 2021\n\n                   House of Representatives\n                  Committee on Oversight and Reform\n                      Subcommittee on Government Operations\n                                                   Washington, D.C.\n\n    The subcommittee met, pursuant to notice, at 2:13 p.m., \n2154 Rayburn House Office Building, Hon. Gerald Connolly \n(chairman of the subcommittee) presiding.\n    Present: Representatives Connolly, Norton, Davis, Lynch, \nKhanna, Porter, Comer, Hice, Keller, Biggs, and LaTurner.\n    Also present: Representative Issa.\n    Mr. Connolly. Welcome, everybody, to today's hybrid \nhearing. Pursuant to House rules, some members will appear in \nperson. Others will appear remotely on Zoom.\n    Since some members or witnesses are appearing in person, \nlet me first remind everyone that pursuant to the latest \nguidance from the House attending physician, all individuals \nattending this hearing in person are expected to wear a face \nmask in the hearing room, regardless of their vaccination \nstatus.\n    Members or witnesses may remove their masks when recognized \nby the chair to speak, and then kindly put the mask back on \nafterwards. Members who are not wearing a face mask risk not \nbeing recognized.\n    In addition, because we have a mix of vaccinated and \nunvaccinated people in the hearing room, we must maintain \ndistancing to protect those who are not vaccinated.\n    Let me also state a few reminders for those members who are \nappearing in person. You will only see members and witnesses \nappearing remotely in the monitor in front of you when they are \nspeaking in what is known as speaker view.\n    A timer is visible in the room directly in front of you. \nFor members appearing remotely, I know you are all familiar \nwith Zoom by now, but let me remind everyone of a few points.\n    First, you will be able to see each person speaking during \nthe hearing, whether they are in person or remote. If you have \nZoom set to speaker view or if you have questions about this, \nplease contact committee staff immediately.\n    Second, we have a timer that should be visible on your \nscreen when you are in the speaker view. Members who wish to \npin the timer to their screen should contact committee staff \nfor assistance.\n    Third, the House rules require we see you. So, please have \nyour cameras turned on.\n    Fourth, members who are appearing remotely who are not \nrecognized should remain muted so that we can minimize \nbackground noise and feedback and hear the person recognized to \nspeak.\n    And fifth, I will recognize members verbally but members \nretain the right to seek recognition verbally. In regular \norder, members will be recognized in seniority for questions.\n    Last, if you want to be recognized outside of regular \norder, you may identify that in one of several ways. You can \nuse the chat function to send a request, you may send an email \nto the majority staff, or you may unmute your mic to seek \nrecognition.\n    Obviously, we don't want people talking over each other. \nSo, my preference would be that members use the chat function \nor email our staff to facilitate formal recognition, and we \nwill do the best we can to get back to you expeditiously.\n    We will begin the hearing in just a moment, and meanwhile, \nthe chair would ask unanimous consent to recognize our \ncolleague, the former chairman of the full committee, Darrell \nIssa, to be able to participate fully in this hearing.\n    Without objection, it is so ordered.\n    Committee will come to order. Without objection, the chair \nis authorized to declare a recess of the committee at any time. \nI now recognize myself for an opening statement.\n    For the past six years, this subcommittee has maintained a \nsteady and bipartisan oversight of agency implementation of the \nFederal Information Technology Acquisition Reform Act in \naddition to other critical IT laws incorporated into the \nbiannual FITARA scorecard.\n    The scorecard holds agencies accountable for improving \ntheir IT postures. In practice, the scorecard is a tool for \nCongress and the public to ensure better cybersecurity, reduce \nwasteful spending, and make government service to the Nation \nmore effective.\n    Throughout this pandemic, we have come to realize how vital \nagile IT and strong IT governance are to the success of the \nFederal Government in meeting the needs of the people we all \nserve.\n    Today's hearing will discuss the results of the twelfth \niteration of the FITARA scorecard. This hearing will also focus \non how Congress and the administration can work together to \nimprove services to this Nation.\n    We will examine how we can effectively modernize IT across \nthe Federal Government, including making changes to \nadministration guidance and adding new oversight metrics to the \nscorecard itself in order to hold agencies accountable for \ntransforming how government does business.\n    Today, we will also hear for the first time from the new \nFederal CIO, Clare Martorana, about the administration's \nFederal IT priorities, including how it plans to administer the \nrecent $1 billion technology modernization fund approved by \nCongress.\n    And, additionally, we will hear how she plans to prioritize \nprojects to retire legacy Federal IT systems to accelerate \nagencies' transition to emerging technologies, improve Federal \ncybersecurity, and to implement actions from lessons learned \nfrom the pandemic.\n    The fact that Ms. Martorana is--am I pronouncing that \nright, Martorana--is here today is a clear indication of the \nBiden administration's commitment and recognition of the \nsignificance of FITARA and Federal IT investments themselves.\n    Since the December 2020 scorecard four agencies' FITARA \nscorecard grades increased, two decreased, and 18 remained \nunchanged. Nearly all agencies received a passing grade.\n    Unfortunately for some agencies and in some categories, \nprogress has slowed. I hope to hear from our witnesses and OMB \nabout transcending the hurdles to improved IT and to ensure \nefficient IT acquisition and management practices.\n    We must continue to strive for the dividends reaped from \nmodernizing legacy IT systems, migrating to the cloud, and \nmaintaining a strong and robust and protective cyber posture.\n    Despite some backsliding, the scorecard demonstrates \ncontinued improvements in many categories. Since the \nscorecard's inception in 2015, agencies have made substantial \npositive strides in improving their information technology \npractices.\n    For example, historically, agencies have reported that \npoor-performing projects are often broadly scoped and aim to \ndeliver functionality several years after initiation. FITARA, \nhowever, requires agency CIOs to ensure that IT investments are \nadequately implementing incremental development practices and \nthat functionality is timely.\n    Since 2015, the portion of agencies' IT projects \nimplemented incrementally has risen from 58 percent to 78 \npercent. Among the FITARA scorecard categories with the \ngreatest impact on taxpayer savings is the IT portfolio review \nprocess known as PortfolioStat.\n    Since 2015, the amount of money agencies have reportedly \nsaved, including the costs they have avoided as a result of \ntheir PortfolioStat effort, has risen from $3.4 billion to \n$23.5 billion.\n    This increase includes $1.3 billion related to eliminating \nduplicative software licenses and about $7 billion in savings \non data center consolidation. I might add, parenthetically, \nthis committee will insist that the law be complied with in \nfull.\n    The law circumscribes how data center consolidation is to \noccur and we will not suffer any delusion in the idea of data \ncenter consolidation or in the metric surrounding it.\n    We will insist the law be complied with and, if necessary, \non a bipartisan basis I believe we are prepared to pass \nadditional legislation for clarification if that is needed. \nHopefully, it won't be.\n    I look forward to hearing from our witnesses on how they \ncan continue to save taxpayer dollars while also ensuring \nagencies improve and fortify their IT infrastructures to better \nserve the public.\n    In addition to modernizing and acquiring the right \ntechnology, agencies must fill the skills gap in IT positions \nacross the Federal Government, a big challenge.\n    Our Federal IT work force is rapidly aging into retirement. \nAs of March 2021, 3.3 percent of the Federal Government's full \ntime IT employees were under the age of 30--3.3 percent. Fifty-\ntwo-point-five percent were over the age of 50.\n    Federal agencies must focus on recruiting and hiring young \nIT professionals with the knowledge and skills needed to \naddress the technology challenges of tomorrow.\n    At the very first FITARA hearing, former Department of \nTransportation CIO Richard McKinney stated, ``IT is no longer \njust the business of the CIO. It is everybody's business.''\n    Never has this been truer or clearer than in the wake of \nthe coronavirus pandemic, where IT saved thousands of lives by \nenabling telework and keeping the government and the economy \nrunning.\n    We have seen firsthand how the agencies that continued to \nuse outdated IT during the pandemic struggled to serve the very \npeople who rely on them.\n    Some agencies remained mired in backlogs, including the \nNational Archives and Records Administration, which failed to \ndigitize critical veterans' records, and we are now paying a \nprice for that.\n    The archives now reports a years-long backlog in providing \nveterans' access to records that qualify them for medical \ntreatment, unemployment assistance, home loans, and student \nloans.\n    That is why I joined the ranking member, Mr. Hice, in \nurging the national archivist to apply for IT modernization \nfunds so government can keep its commitments to our Nation's \nveterans.\n    Unfortunately, NARA is not the only Federal agency plagued \nby legacy IT systems. Congress and the administration must work \ntogether to prioritize IT modernization across the Federal \nGovernment.\n    With the Delta variant on the rise across the country and \nvaccinations flat lining, the stakes for effectively \nimplementing FITARA are higher than ever.\n    When executed well, government IT modernization can ensure \nthe efficient delivery of critical services. It can improve the \ngovernment's knowledge and decision-making and save lives.\n    When executed poorly, it leads to outright failures in \nserving the American people when they need their government the \nmost, and we have seen that too in the pandemic.\n    Simply put, the fate of the world's largest economy \nactually rises and falls in part with the ability of the \ngovernment IT systems to deliver in an emergency.\n    The importance of Federal agencies' effective use of IT is \ntoo great to ignore, and this subcommittee won't waver in its \ncontinued oversight of agencies' IT acquisition and management.\n    And I might say, this is our twelfth scorecard hearing. I \ndon't believe there is another committee in Congress that can \nmatch this record on a single piece of legislation in terms of \noversight.\n    That is how committed we are and have been on a bipartisan \nbasis throughout the years. And, of course, the co-author of \nFITARA, Mr. Issa, will be joining us a little bit later in the \nsubcommittee hearing, and we are very pleased to have him back.\n    So, with that, the chair recognizes the distinguished \nranking member, Mr. Hice from Georgia, for his opening \nstatement.\n    Mr. Hice. Thank you, Mr. Chairman. I appreciate you holding \nthis hearing.\n    And first of all, I do want to welcome Clare Martorana for \njoining us today and for your first time as the role of the \nFederal chief information officer. We welcome you here today.\n    Given your experience as an agency CIO, I really am \ninterested to get your perspective on the FITARA scorecard and \nthe IT dashboard and, for that matter, actually, to help \nagencies' CIOs manage their portfolios and help OMB with its \nown government-wide oversight efforts or if these are just big \nreporting exercises. I look forward to hearing your perspective \non all of that.\n    As the chairman said, this is the twelfth time that we have \nhad a FITARA scorecard. I know it has changed over time. But to \nme, the overriding question is and always will be are we \nspending Federal IT dollars well.\n    I mean, at the end of the day, that is the issue. And, you \nknow, are projects coming in on time? Are they on budget? Do \nthey do what they are supposed to do? Why or why not?\n    I mean, these are just basic questions that we need to face \nand that we need answers for, and that we need to keep a pulse \non as we go through all of this.\n    These are important questions, and the answers to these \nquestions shine the light on pretty much everything else, \nwhether it is procurement, work force, organizational \nstructure, culture, and on and on. So, the score card has \nevolved in the past.\n    Frankly, I think it is time that we take a fresh look at \nthe whole FITARA process through the lens that I have just \ndescribed, with any reported metrics reflecting measurable \nlegislation or executive branch policies. We have got to be \nobjective and quantifiable, and it needs to be reported in a \nmatter that is comparable agency to agency.\n    So, I get it that all of that is probably easier said than \ndone. I mean, I know that. But nothing around this place is \neasy. But I would like to take a good look at these type of \nthings, frankly, before we move on to FITARA 13 and 14.\n    I also think the subcommittee needs to take a good look at \na few other issues, Mr. Chairman, and I would put this out \nthere. What is the state of IT modernization, generally \nspeaking? I know Congress passed the MGT Act and now there is \nbillion of dollars, really, in technology modernization. Those \nfunds are to be spread around.\n    But what is its impact? What are we really getting in \nrelation to modernization? Is it happening? Is it having the \nimpact that it is going to point toward the kinds of \nmodernization experiences that you have described in your \ntestimony, Ms. Martorana?\n    Second, are our systems safe? This is an issue that has \ncome up time and again in hearings. As much as any system can \nbe safe, are our systems safe?\n    In its testimony, the GAO's top concern revolve around \ncyber issues. It is an issue we have got to deal with, and I \nbelieve the scorecard needs to hone in on those types of \nquestions.\n    Given the critical nature of the topic, is it enough just \nto have it to be a subcomponent of the broader scorecard? Or is \nit time to figure out a way to shine the spotlight on this area \nwithout tipping off the bad guys of our vulnerabilities? I \nthink we have got to address this.\n    And then, finally, how well are the American people being \nserved? I think the scorecard needs to reflect this. At the end \nof the day, the Federal Government is here to serve the \nAmerican people, and we need to know how effective we are doing \nin that.\n    How easy is it to access government services and benefits \nthrough digital means? In the private sector, you don't survive \nfor long if you don't excel in this area, and I believe we need \nto take a look at it on the Federal perspective as well.\n    And, Ms. Martorana, again, in your testimony we share the \nview that you said, quote, ``The Federal Government is \nfundamentally in the service business.'' I totally agree with \nyou on that. In fact, I couldn't agree more.\n    So, all of the items that I have mentioned here are \nimportant. But I would like to specifically ask my colleague \nfrom Virginia, Chairman Connolly, if we could look at some of \nthese issues, going forward.\n    I think these are worthy not only of attention, but of fine \ntuning the scorecard as a whole. I will put that out there. I \nam not finished but----\n    Mr. Connolly. I will respond to my colleague, of course, \nand, in fact, I definitely see the FITARA scorecard as always a \nwork in progress.\n    Mr. Hice. Right.\n    Mr. Connolly. And the only caution is, as you can see from \nthe grades in front of us, we have not yet succeeded in full \nimplementation.\n    So, we don't want to lose our sight of that. But we also \nalways want to be capturing other dynamics as we learn and as \nwe see performance in the Federal Government.\n    So, I couldn't agree with you more.\n    Mr. Hice. I thank you, Chairman.\n    Mr. Connolly. And, absolutely, we will work with you.\n    Mr. Hice. Thank you, Mr. Chairman.\n    And the last point I will make is this. I have made clear \nthe focus of the administration. They should be having Federal \nemployees return to their offices. But I am concerned that the \nemphasis instead appears to be on institutionalizing expanded \ntelework.\n    So, I am glad that we are joined by the CIO of the Social \nSecurity Administration today as well. So, this is one of the \nagencies facing the greatest challenge in providing the \nAmerican people with services that they need, and if SSA is not \ngoing to reopen more rapidly then I will be interested to learn \nhow improved IT can help improve citizens' experience.\n    So in closing, again, I want to thank our witnesses for \nbeing here. I am eager to hear the insight and the suggestions \nas we move on to FITARA 13 and 14 and beyond. I look forward to \nhearing our discussion today.\n    And with that, Mr. Chairman, I yield back. Thank you.\n    Mr. Connolly. I thank the ranking member, and I thank him \nfor his cooperation in this and other endeavors.\n    I see we have been joined by the ranking member of the full \ncommittee. Does he wish to make any statement?\n    OK. Welcome, Mr. Comer. Glad to have you.\n    With that, let me introduce our witnesses. We have four \nwitnesses today, and I am going to swear them in. But, first, \nlet me introduce them.\n    Our first witness is Clare Martorana, who is the Federal \nChief Information Officer, finally, at the Office of Management \nand Budget. We are so glad to have you today.\n    Then we are going to hear from Keith Bluestein, Chief \nInformation Officer at the Small Business Administration.\n    Third, we will hear from Sean Brune, Chief Information \nOfficer of the Social Security Administration.\n    And finally, we will hear from our long partner, Carol \nHarris, Director of Information Technology and Cybersecurity at \nthe GAO, the Government Accountability Office, which actually \nhelped design and continues to help us update and modify the \nscorecard.\n    If all of our witnesses could stand and raise their right \nhand to be sworn in, which is the custom of this committee and \nsubcommittee.\n    Do you swear to affirm that the testimony you are about to \ngive is the truth, the whole truth, and nothing but the truth, \nso help you God?\n    [Witnesses are sworn.]\n    Mr. Bluestein. I do.\n    Mr. Connolly. Mr. Brune?\n    Mr. Brune. Yes.\n    Mr. Connolly. Yes. OK. Let the record show all four of our \nwitnesses have answered in the affirmative. You may be seated. \nThank you.\n    With that, Ms. Martorana, you are recognized for your \nopening statement. We will ask all of our witnesses, if you \ncould, your full statement will be entered into the record as \nwritten. We would ask you to try to summarize your testimony in \na five-minute opening statement.\n    Ms. Martorana?\n\n    STATEMENT OF CLARE MARTORANA, FEDERAL CHIEF INFORMATION \n            OFFICER, OFFICE OF MANAGEMENT AND BUDGET\n\n    Ms. Martorana. Chairman Connolly, Ranking Member Hice, and \nmembers of the subcommittee, thank you for the invitation to \ntestify about the twelfth FITARA scorecard.\n    Technology enables mission delivery. It is FITARA that \ngives every CIO a seat at the table to make the best IT \ndecisions to deliver for our citizens, and it is enterprise \ncollaboration that will be key to making it all happen.\n    I would like to thank the committee for your leadership \npromoting modernization. I believe we must take on this \nchallenge together to secure Federal IT and deliver \ntransformational services to the American people.\n    I would also like to acknowledge Sean, Keith, and fellow--\nmy fellow CIOs and the entire IT work force across our \ngovernment for their hard work to achieve the grades on this \nscorecard.\n    Imagine the day when a citizen can use their mobile phone \nto sign in and see everything that they have in flight with our \ngovernment--a small business loan application, the status of \ntheir tax refund.\n    Imagine the process is easy, understandable, convenient, \nsecure, and fast, just like the experiences we have with online \nbanking and food delivery.\n    With the amount of information we collect across the \nFederal Government and the enormous investment of taxpayer \ndollars in Federal IT, this vision is not only possible, it is \nan expectation in the 21st century.\n    For over 20 years in the private sector and the past five \nyears in government, I have used innovative technology and \nhuman-centered design to improve people's lives. As Federal \nCIO, I will use my expertise to scale these successes across \nthe Federal enterprise.\n    Federal employees are counting on us and, more importantly, \nyour constituents, the American people, are not only counting \non us, they are asking us to move faster.\n    We can get there by focusing on three priorities that I \naddress, the long term goals and urgent circumstances we find \nourselves in today.\n    First, cybersecurity is our immediate priority in Federal \nIT. Cybersecurity is a national priority. I am committed to \nensuring every agency is ready for today's threats.\n    The cyber executive order puts us on a good path to faster \nincident response and stronger protective measures. By working \nrapidly and seamlessly, we can achieve results and we must. Our \nadversaries are on the move and they are aggressive.\n    Second, I am committed to modernizing Federal IT. The $1 \nbillion appropriation to the Technology Modernization Fund, or \nTMF, is an important start to improving the government's IT \nsystems.\n    But it is just a down payment on the multi-year technology \nmodernization projects Federal agencies have identified. The \nTMF board has received 108 proposals in our accelerated model, \ntotaling $2.1 billion since the rollout of the funding provided \nby the American Rescue Plan.\n    And third, we must focus on service delivery to the \nAmerican public. It is not our citizens' job to figure out how \nto navigate across a department or agency silos to gather the \nservices they deserve.\n    That is our job. By transitioning agencies to a product \nmindset organized around users, we can deliver modern efficient \ntools and technology, reduce administrative burden, and spend \nmore time on high-value services to the public.\n    These challenges have highlighted our need to rethink our \napproach to Federal IT. We must identify new ways of working \nacross government, such as developing playbooks that build on \nwhat we know already works, collaborate more frequently with \nkey stakeholders to focus oversight on the work being done \ntoday, and rethinking how we are working in the office of the \nFederal CIO, such as pairing technologists with our policy \nexperts at the beginning of the process to develop innovative \ntechnology solutions within our laws, rules, and regulations.\n    Finally, we must optimize for results, not optics. We need \nto show, not tell, and deliver on our mission. As we begin this \nnew chapter of Federal IT modernization, we are building on a \nstrong foundation.\n    I am excited to enable the government's diverse missions as \nFederal CIO, and I look forward to partnering with Congress.\n    Thank you for the opportunity to testify today and I am \nhappy to take your questions.\n    Mr. Connolly. Wow. That is a pro. You had 11 seconds left. \nI am impressed. Great start, and we look forward to working \nwith you as well.\n    Mr. Bluestein--is it pronounced Bluestein or Bluestein?\n    Mr. Bluestein. Bluestein.\n    Mr. Connolly. Mr. Bluestein. Excuse me.\n    Welcome.\n\n  STATEMENT OF KEITH A. BLUESTEIN, CHIEF INFORMATION OFFICER, \n                 SMALL BUSINESS ADMINISTRATION\n\n    Mr. Bluestein. Good afternoon, sir.\n    Chairman Connolly, Ranking Member Hice, subcommittee \nmembers, thank you for the opportunity to discuss the Small \nBusiness Administration's implementation of FITARA.\n    Much has changed since the last time we talked to you about \nFITARA in 2017. To the great benefit of SBA and America's small \nbusinesses, FITARA has provided the critical structure in tools \nfor SBA to optimize, modernize, and innovate while investing in \nthe IT work force of tomorrow.\n    I would also like to add some other benefits that SBA has \nenjoyed, courtesy of the Modernizing Government Technology Act \nof 2017, or the MGT Act.\n    This modernization foundation was vital in enabling \nexponential scaling of SBA's operations to deliver the Nation's \nlargest ever economic recovery initiative in a very short \nperiod of time.\n    Just to recall the scale, by October 2020, SBA's disaster \nprogram approved and disbursed more than three times as many \nfunds for the COVID-19 EIDL program as we had for all disasters \ncombined in the agency's 67-year history.\n    On the capital-access side, SBA issued more loans in 14 \ndays than they had in 14 years. The scaling challenge was \ndaunting, and while there were some hiccups along the way, \nSBA's IT infrastructure proved to be resilient, scalable, and \nadaptable to the changed business requirements, such as \ntransitioning to the maximum telework model.\n    When I rejoined SBA in June 2020 as the CIO, SBA had \nalready adapted to the changed conditions due to the COVID-19 \nglobal pandemic.\n    The flagship economic recovery programs, EIDL and PPP, were \nalready in high gear, and the SBA work force was rapidly \nsurging up after smoothly transitioning to remote work.\n    An accelerated deployment of online collaboration tools and \ntraining had helped the SBA staff to continue to be productive \nand not miss a beat while maintaining a robust security \nposture.\n    FITARA had solidified the coordination and collaboration \nbetween the CIO and the chief human capital officer and the \nchief procurement officer. These two relationships and the \nsupporting infrastructure that resulted were the key \nunderpinning foundation that enabled the SBA surge for the \npandemic response.\n    We tend to focus on technology with CIO-related activities. \nBut FITARA took a much broader approach to how the CIO becomes \na valued mission partner in the agency. The pandemic relief \nand, more specifically, the CARES Act, brought into clear \nrelief how important these relationships are.\n    Had they not existed prior to the passage of the CARES Act, \nthere is likely no way SBA could have responded with the speed \nthat we did. SBA surged from approximately 5,000 employees to \nover 18,000 in only a couple of months.\n    Hiring on that scale was unheard of prior to the pandemic, \nbut the personnel relationships that had developed and \ncultivated were crucial to this rapid expansion.\n    Similarly, the need for immediate increase in technical \nsupport for the agency's systems and employees called for \nacquiring huge volumes of laptops for remote work servers, \ncloud services, software licenses, and contracted support \nteams.\n    This was a testament to the great team that procurement \norganization had in place. The ability to surge to the level \nthat was needed to support all the CARES Act activity was \nenabled by the tight nexus that had been formed with the CIO \nand CFO through FITARA.\n    Looking back now, it is hard to imagine how SBA would have \nbeen able to support the CARES Act activities successfully \nwithout the prior work that had been prescribed by FITARA.\n    I would like to highlight other legislation as well. One of \nthe many IT modernization tools you provided government agency \nis the IT Working Capital Fund, provided for under the MGT Act.\n    We have taken full advantage of this capability that \nafforded great flexibilities to CIOs, especially in agencies \nlike ours where we deal primarily with one-year appropriations.\n    The Working Capital Fund allows SBA to have a long-term \nvision for modernization with a managed resource pool to ensure \nthat that vision is realized.\n    This tool helped bolster FITARA by strengthening the \ncollaborative bond the CIO has with the CFO to execute the \nagency's mission. MGT was a welcome adjunct to FITARA and has \nallowed SBA to better plan and resource expenditures on a \nmulti-year horizon.\n    A sampling of some of these projects included modernizing \nSBA's infrastructure, unifying and enhancing the customer \nexperience, updating support for all small business \ncertification programs, and improving systems that manage \nentrepreneurial development, to name just a few.\n    I want to circle back on FITARA, though, to highlight that \nnone of the success comes without the critical support of the \nadministrator and our immediate leadership team.\n    FITARA is very clear about the importance of the \nrelationship between the department or agency head and the CIO. \nThat importance cannot be overstated, but I don't know that a \nsolid line in an organization chart always captures the level \nof support that the CIO receives. I understand that scoring and \nthe FITARA scorecard reflects less favorably for SBA and other \nCIOs without a solid-line relationship.\n    But I can tell you, personally, that I have unmitigated and \ntotal support from both the former and current administrators. \nWhile that is a feature envisioned in FITARA, I know this may \nnot always manifest itself the same way in every agency.\n    I am fortunate. SBA's top leadership always ensures the CIO \nhas direct access and has a seat at the table and their voice \nis heard.\n    The visibility and inclusion helps to ensure that the \ndecisions do not get made in a vacuum or in a siloed fashion, \nand that such resources are allocated such that the maximum \nbenefit is realized across the agency.\n    In closing, it bears repeating that the extensive \nimprovement in SBA operations is a direct result of the \nimplementation of FITARA.\n    Thank you for the opportunity to share SBA's progress on \nFITARA implementation, and we look forward to answering any \nquestions you may have.\n    Mr. Connolly. Thank you, Mr. Bluestein.\n    Mr. Brune, you are recognized for your five-minute summary \ntestimony.\n\n  STATEMENT OF SEAN BRUNE, CHIEF INFORMATION OFFICER, SOCIAL \n                    SECURITY ADMINISTRATION\n\n    Mr. Brune. Thank you.\n    Chairman Connolly, Ranking Member Hice, and members of the \nsubcommittee, I am Sean Brune, Social Security Administration's \nDeputy Commissioner for Systems and Chief Information Officer.\n    Thank you for inviting me to discuss the role of \ninformation technology and the Federal Information Technology \nAcquisition Reform Act, or FITARA, in delivering Social \nSecurity services to the public.\n    As a former regional commissioner, I know how vital modern \ntechnology is to carrying out our mission. I also appreciate \nthe importance of managing and monitoring information \ntechnology investments, a key tenet of FITARA.\n    Effective use of technology is mission essential. Our \nemployees use technology to collect and store information, pay \nbenefits, and identify and prevent fraud and improper payments.\n    We have known for years that we must modernize our IT and \nwe are well on our way, phasing out legacy systems and aligning \nour IT infrastructure with FITARA requirements. We began \nmodernizing our IT framework by building a virtual private \nnetwork, or VPN, nearly two decades ago.\n    Since then, we have continued these efforts. In 2015, we \nbegan replacing desktop computers with laptops. In 2017, we \nreleased an initial comprehensive five-year IT modernization \nplan, and in 2019, we converted to cell phones for improved \nmobility and established the role of the Chief Business Officer \nto partner with the CIO and ensure our IT investments are \ncustomer focused.\n    Our initial 2017 IT modernization plan focused on replacing \naging systems and improving service through technology. In \n2020, we updated this plan to accelerate delivery of modern \nsoftware and expand self-service options.\n    The 2020 update is our current roadmap, and we will \ncontinue to update it and prioritize IT initiatives as needed \nto align with the agency's strategic goals.\n    The pandemic underscored the importance of IT to our \nmission and highlighted the success of our modernization \nefforts.\n    Last March, when we shifted to telework to keep everyone \nsafe, our secure VPN, laptops and cell phones helped us \ntransition over 90 percent of Social Security employees and \nthousands of state employees who make medical determinations to \ntelework within a few weeks.\n    Technology has allowed us to continue to serve the public \nthrough online and telephone services, while we limited in-\nperson service to critical situations.\n    The pandemic also emphasized the need to further expand \nelectronic self-service options for the public and to \nrestructure outdated work processes.\n    To meet our customers' needs, we quickly implemented new \nelectronic signature options, modern processes for submitting \nforms online, and increased their use of video to conduct \ndisability hearings.\n    This year, we began rolling out a modern unified \ncommunications platform to improve customer service when people \ncall us. We are also revamping our public-facing website, \nsocialsecurity.gov, to streamline content and redesign the \nhomepage. We plan to fully implement the new website next year.\n    Technology supports improving public service. FITARA and \nthis committee's scorecard help us assess our progress in \nmanaging our IT infrastructure and provide guideposts for \nimprovement.\n    In accordance with FITARA, we make informed funding \ndecisions on IT investments by leveraging some commercial off-\nthe-shelf products and executing incremental product \ndeployment.\n    As a result, we have maximized resources, expanded digital \nservices on our online channel, My Social Security, and ensured \nthe security and stability of these new service options.\n    Moving forward, we will offer more streamlined and \nautomated self-service options and enhance in-office service \nfor people who need them while maintaining a robust \ncybersecurity program.\n    We appreciate President Biden's Fiscal Year 2022 \ndiscretionary request of $14.2 billion, which will help us \ncontinue to build the secure, efficient, customer-centric IT \ninfrastructure of tomorrow.\n    In closing, I want to thank our Social Security employees \nfor their resilience and dedication to our mission during this \nchallenging time.\n    I appreciate the opportunity to be here today to update you \non SSA's progress and I look forward to answering any questions \nyou may have.\n    Mr. Connolly. Thank you, Mr. Brune. Right on time. And we \njoin you in thanking all of our dedicated public servants in \nall of our Federal agencies who have continued to function and \nserve the American public during this unprecedented pandemic. \nThank you.\n    Ms. Harris, welcome back. What do we need to know?\n    Ms. Harris. Thank you.\n    Mr. Connolly. You are recognized.\n\nSTATEMENT OF CAROL C. HARRIS, DIRECTOR, INFORMATION TECHNOLOGY \n      AND CYBERSECURITY, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Ms. Harris. Chairman Connolly, Ranking Member Hice, and \nmembers of the subcommittee, I want to thank you and your \nexcellent staff for your continued oversight of Federal IT \nmanagement and cybersecurity with this twelfth set of grades.\n    Your scorecard continues to serve as a key barometer for \nmeasuring FITARA implementation as well as other essential IT \nreform initiatives.\n    Since the December 2020 scorecard, progress made by the \nagencies to implement FITARA has slowed a bit, with 18 \nagencies' overall grades unchanged, two with decreases, and \nonly four with increased grades.\n    Most agencies receiving a pass--most agencies received a \npassing C or higher grade, with DOJ receiving the only D. GSA \nwas the only agency to receive an A for this iteration. I will \nnow share some key highlights from this twelfth scorecard.\n    First, cybersecurity continues to be an area of struggle \nfor the agencies. One-third of them have a D or F and another \nthird are getting by with a C.\n    This is also consistent with our body of work in Federal \ncybersecurity. We have reported on the agencies' need to \naddress information security program weaknesses, including \nestablishing an enterprise-wide cyber risk management program.\n    For example, in July 2019, we found that while the 23 \ncivilian agencies almost always designated a risk executive, \nthey had not fully incorporated other key risk management \npractices, such as setting up a process for assessing agency-\nwide cybersecurity risks.\n    Having mature cyber risk management programs would help \nagencies improve in the areas that the IGs are looking at and, \nin turn, increase their cyber grades on the scorecard.\n    As another example, in December 2020, we found that few \ncivilian agencies had implemented foundational practices to \nmitigate global IT supply chain risks.\n    In the wake of the SolarWinds incident, which involved a \nsoftware supply chain compromise, the need for robust and \ncomprehensive supply chain risk management program is \nessential.\n    We have, roughly, 950 open recommendations to the agencies \nin OMB, covering a range of cyber-related issues, and actions \nare needed to--are needed on these to help improve our Nation's \ncybersecurity posture.\n    Now to my second point. About half of the agencies have an \nMGT Working Capital Fund or have plans to set one up by 2022. \nThese funding vehicles, along with the Technology Modernization \nFund, are intended to help agencies tackle their legacy IT \nproblem.\n    At least 60 percent of the Federal Government's IT spend \neach year goes toward maintaining aging systems. Only 13 \npercent is spent on modernization projects.\n    Establishing these funds are critical so that savings from \ndata center optimization and PortfolioStat efforts can be \nreinvested in agency IT modernization priorities, and the \nrecent gains by the agencies in this area would not have been \npossible without your persistent leadership. So, thank you very \nmuch there.\n    I will now turn my comments to SBA and SSA. These agencies, \ncollectively, plan to spend $2.1 billion on IT this year. SBA \nspends about 80 percent of its IT budget maintaining legacy \nsystems while SSA's is about 60 percent.\n    SBA has an overall C+ grade, which is a slight decrease \nfrom its solid B+ performance in years past. SSA has made some \nnoteworthy progress from its D grade on the first scorecard \nback in 2015 to a B+ today.\n    Some positive areas to highlight for both, they have \nachieved their data center closure goals as well as completed \nmost of their optimization and savings goals for the fiscal \nyear.\n    The SBA and SSA CIOs also report directly to the heads of \ntheir agencies. For SBA, progress in the area of IT portfolio \nreview continues to be lacking. Its savings ratio was ranked \n21st among the agencies with $14 million in reported savings \nand cost avoidances since 2012. For SSA, the level of \ntransparency in its evaluation of major IT investments could be \nimproved.\n    The agency spent $177 million on major IT in Fiscal Year \n2021 and did not rate any of those investments as red, leaving \nSSA ranked 20th among the agencies in risk transparency.\n    Mr. Chairman, that concludes my comments on the overall \nscorecard and the results for these two agencies, and I look \nforward to your questions.\n    Mr. Connolly. Thank you very much.\n    I just, editorially, want to remind everyone, the word Mr. \nIssa and I wrote into the law is consolidation, not \noptimization, and it is a legal requirement to consolidate data \ncenters.\n    When we began that effort, Mr. Vivek Kundra, then your--\nwell, I guess he was CTO. But he estimated, I want to say, and \nthis is 2009, that the Federal Government overall had something \nlike 1,800 data centers and he proposed we cut them in half.\n    And in our law, we basically said we will cut that in half \nagain. You know, get them down to 450 or something like that.\n    Well, when we had our first hearing on how are we doing, we \nnot only didn't make any progress in consolidation, the only \nprogress we made was in identifying the fact that we had a lot \nmore data centers than we thought, and I want--I want to say it \nwas something ridiculous like 12,000 or something like that, \nthe first iteration. So, we got really good at identifying, \nwell, there is one, there is another one.\n    But our point was it is inefficient and there are savings \nto be had and we have to do that. And so you inherit this \nslight contretemps from OMB that has sought, from our point of \nview, to dilute what the law stipulates. And it is not just \nthat we are being critical.\n    We, honestly, think it is a worthy goal to urge people to \nconsolidate and move to the cloud. So, we want to work with \nyou. And that is just an editorial comment, not a question, but \nwe can get into that later.\n    The chair now recognizes the distinguished Congresswoman \nfrom the District of Columbia, our friend, Ms. Norton for her \nfive minutes of questions.\n    Ms. Norton?\n    Ms. Norton. I thank my good friend and regional partner, \nMr. Connolly, for this hearing.\n    And I want to--I want to ask questions about how outdated \nour legacy systems are and what we can do to modernize them.\n    We saw examples of that during the pandemic, which is why I \nwant to raise this issue, because they prevented continuity of \nagency operations in some critical cases.\n    Let me start with Ms. Martorana, because I appreciate your \nremarks on the importance of modernizing Federal IT.\n    Now, I want to recognize the complexity of that process, \nwhich, unfortunately, gets oversimplified by thinking about \ncertain systems as either legacy or modern.\n    So, Ms. Martorana, can you talk about how to look at the \nmodernization process and the prioritization of Federal IT \nmodernization efforts?\n    Ms. Martorana. Thank you for that question. I appreciate \nit.\n    I think you hit on a key point, which is modernization is a \ncontinuous process. Every system is at a different stage of \nneeding modernization, and we have a complex set of \nenvironmental challenges with both end-of-life systems that we \nhave to modernize across the Federal enterprise, and also \ninnovative and evolving technology that we would like to \ncontinue to support, like the CloudSmart Initiative and \ncontinuing to move our Federal work force and our IT posture \ninto the safest, most secure disposition that we possibly can.\n    So, I think that the opportunity to utilize programs like \nTMF are really a significant movement forward in our ability to \nactually deal with the IT modernization challenges in front of \nthe government.\n    Ms. Norton. Thank you.\n    Let me go to Mr. Brune because of how far Social Security \nmay be. In 2017, Social Security spoke of a five-year IT \nmodernization plan. I would like to know how this plan has \nhelped Social Security prioritize the retirement of legacy \nsystems.\n    Mr. Brune. Thank you, Congresswoman, for the question.\n    We are in the tail end of the fourth year of our five-year \nmodernization plan. That plan has focused on addressing older \nlegacy core mission systems, the systems that are used to pay \nretirement insurance benefits, disability insurance benefits, \nand to issue Social Security number cards.\n    We are on track, on schedule, and on budget with our plan. \nWe appreciate that Congress has appropriated dedicated \nappropriations to support our multi-year plan, which has \nallowed us to plan and execute development and procurement \nacross fiscal years.\n    Some of the results of our plan are increased use of our \nonline channel. We have over 60 million persons across the \nNation who have a My Social Security account, a secure portal \nwhere they can see, as the Federal CIO said in her opening \nstatement, what the status of their Social Security benefits \nis.\n    If they are still working and planning for future \nretirement, they can get an online estimate of their \npersonalized retirement at any point in time. If they filed a \nclaim they can check on their--on the website or on their phone \nwhat the status of their claim is.\n    We have also improved our use of the online channel and the \nphone channel for handling work during the pandemic by allowing \nscheduled appointments and by increasing our use of video \nservice.\n    Ms. Norton. I see my time has expired. Thank you, Mr. \nChairman.\n    Mr. Connolly. Thank you, Ms. Norton.\n    And I would just add, Mr. Brune, to your list of impressive \nachievements I have been impressed with your ability to flag \nfraud or attempted fraud, which I think is really a protection \nfor the American consumer and beneficiary of Social Security.\n    I don't know quite how you do it, but I was almost a victim \nmyself and it was Social Security that caught it and had a \nsolution for it.\n    So, I was personally really impressed. If you are doing \nthat across the board that is a great use of technology to \nprotect the American people.\n    Mr. Hice is recognized for his five minutes of questions.\n    Mr. Hice. Thank you very much, Mr. Chairman.\n    Ms. Harris, let me begin with you. You brought up in your \ntestimony that some of the top items, in fact, really the top \nitem, I believe, was your wording, that GAO lists for action \ndeals with cybersecurity, and I certainly agree with you on \nthat.\n    But looking at the current scorecard that we have makes me \njust wonder a couple things. First of all, is cyber, in your \nopinion, weighed heavily enough in the FITARA scorecard?\n    Ms. Harris. Well, I think that is certainly--you know, I am \nalways happy to have my team work with you and your staff to \nmake sure that the purpose of the scorecard is meeting your \noversight needs, first and foremost.\n    When it comes to cybersecurity, I think that there--it is \nmulti-dimensional and, certainly, with the FISMA grade itself \nas it--as it is shown on the scorecard, I mean, that is \nmeasuring one dimension of cybersecurity, but there are \ncertainly others.\n    So, again, you know, when we take a look at the scorecard, \nit is--it is really ensuring that it is fulfilling the purposes \nof your committee and as far as oversight is concerned.\n    So, we are happy to take a look and evolve that at--you \nknow, at your direction.\n    Mr. Hice. Well, based on that, then would you be in favor \nor do you think it would be wise for us as a subcommittee to \nconsider cybersecurity as an independent issue? Should there be \na scorecard that focuses specifically on cyber?\n    Ms. Harris. We would be happy to entertain that and see \nwhat can be done. I think one of the challenges that we have as \nfar as either expanding the current FITARA scorecard to include \nadditional areas of cybersecurity or having a stand-alone cyber \nscorecard is the availability of public data because, \ncertainly, we don't want to put agencies at greater risk in \nidentifying those and pointing out those vulnerabilities \npublicly.\n    So, I think that is the greatest challenge that we face.\n    Mr. Hice. Yes, no doubt. That is--that is a challenge, and \nwe have got to be very careful with that. At the same time to \nhave appropriate oversight as it relates to cyber issues, we \nneed some sort of, within this context of this hearing, a \nscorecard to determine how are we doing on the cyber issues.\n    So, you would be willing to work with us on trying to \nfigure out some sort of plan? And when I say us, it would be me \nand the chairman as well. I mean, let us try to deal with this.\n    Let me ask you this, and this is a question I have had for \na long time and I think you are the one to ask.\n    In previous FITARA hearings, it was stated that over $22 \nbillion have been saved, attributed directly to FITARA. I can't \nfigure out where that figure comes from. What is the--what is \nthe metric? How is that figure determined?\n    Ms. Harris. It is agency-reported data, and that is coming \nout of data center consolidation as well as PortfolioStat \nefforts.\n    And we have not taken a systematic look at the savings that \nare being reported by the agencies in terms of how they are \nreinvesting that--well, first of all, collecting and reporting \nthe total savings that they are getting from these initiatives \nas well as how they are reinvesting it.\n    So, but I can tell you, though, that what you just cited \nright there comes from data center consolidation and \nPortfolioStat initiatives.\n    Mr. Hice. But we are not looking into it to see if it is \naccurate. Is that what I am hearing you say?\n    Ms. Harris. Well, we have not, but we are, certainly, happy \nto take a deeper look into that. I think that that would be a \nvery insightful review that we would be happy to do for you.\n    Mr. Hice. Yes, I think it would be very insightful, too, \nand, you know, obviously, we don't have the same--I don't have \naccess to the same information you have in looking at all this.\n    But I see those numbers thrown out there and I am just \ncurious. I mean, that is a great number, if it is accurate, but \nI want to know where does this come from and what is the \naccuracy of it, and it sounds like you really have the same \nkind of questions because you have not been able to dig deep to \nsee just--OK.\n    All right. Well, with that, Mr. Chairman, I will--I will \nyield back.\n    Mr. Connolly. I thank the chair--I thank the ranking member \nand I would just caution, let us verify that number right after \nour elections.\n    [Laughter.]\n    Mr. Connolly. All right. The incredible gentleman from \nMassachusetts, who represents my family back home in Boston, \nMr. Lynch.\n    Welcome, and you are recognized for your questioning.\n    Mr. Lynch. Well, thank you very much, Mr. Chairman, and \nthank you for this very, very important hearing.\n    You know, I would like to just offer this out for the \nwitnesses. You know, there is such a gap in IT talent, \ngenerally, but especially in the Federal Government, because \nwe--we have got this turnover.\n    We all have bright young people that come to work for us \nand when they gain a certain amount of ability and technical \nskill, they move on because of higher salaries that we cannot \noffer them.\n    But, generally, in the IT work force across the Federal \nGovernment, there is a real skills gap. I think right now we \nhave got about--a little more than three percent of the IT \nworkers in the Federal Government are under 30 years of age and \nhalf of the IT work force is over 50. So, we got about--we got \nto think about playing the long game here.\n    You know, China does this. They think in terms of decades, \nand one of the--one of the solutions, I think, is really to \nhave Federal resources. You know, encourage and build \nincentives for young people to get into STEM-related \nprofessions.\n    So, I found that in Boston I founded a charter school based \non STEM. Basically, we did--we took the curriculum that the \nregular public schools has in Boston and then we tripled the \namount of math and science that these kids are exposed to over \ntheir--over their, you know, grammar school and high school \nlives.\n    So, we are having great results, and that is without \nincentives, right. That is just offering that school, and it is \na lottery. We have probably one of the most diverse populations \nin that school--you know, kids of every race, ethnicity, you \nknow. It is--it is a model to behold.\n    But we need to do more on a bigger scale, and I am just \nwondering, do we have any programs that, let us say, offer \nthese young people help with their student loans or are there \nany programs where we actually support schools like my charter \nschool that focus on, you know, STEM education so that we \ncreate this work force of the future?\n    There is such a huge gap right now. We can't close it in \nthe short term, not under the existing circumstances. But over \ntime, you know, we can--we can close this gap, but only if we \ntake deliberate action and we stick to it.\n    And I am just wondering, on that skills gap issue if any of \nour witnesses have any recommendations or any examples that \nprovide best practices on how to--how to fill that gap and how \nto--how to put the right people in the right positions to move \nthe country forward and to protect us.\n    Mr. Connolly. Ms. Martorana, I think you are best \npositioned to begin to answer that question.\n    Ms. Martorana. Thank you very much for the question.\n    The administration is focused on building a world-class \nteam of professionals with skills in these critical technology \nareas. We have an enormous resource in our Federal Government \nwith our Federal employees.\n    I really encourage us to continue to look at re-skilling \nand up-skilling opportunities in our government with our own \nFederal work force.\n    In addition to that, there are numerous programs that are \ngoing on across the Federal Government: the United States \nDigital Service, 18F, the Civic Fellows Program. So, there is a \nlot of effort in this area and I think that we have a great \nopportunity because people have a desire to serve our country, \nand there are many different channels that we can plug into to \nmake that opportunity available.\n    I am a great example of someone who came to do a tour of \nservice and wound up being so inspired by the mission that I \nfelt the need to stay and continue to work in this environment.\n    So, I think that there are opportunities. I know the \nadministration is focused on making sure that our work force \nlooks like our country and that we have opportunities to \nrecruit cyber talent, IT talent, and other subject matter \nexperts across our government.\n    Mr. Lynch. I appreciate that, Ms. Martorana. But it is a \ndifferent--well, first of all, it is a very--it is a smaller \npool of people when you just look at our Federal employees, and \nI personally know some Federal employees that are still walking \naround with flip phones.\n    So, what we are trying to do is increase that pool of \ntalent. It will not only help the Federal Government, it will \nhelp private industry, and first of all, it will help those \nkids because, you know, we have found that regardless of \nbackground, if you have a program of total immersion with these \nyoung people, and you have a 12-year runway of their education, \nyou can really make a big impact on increasing the pool of \ntalent and the quality of that talent, going forward.\n    So, if we are--you know, if we are training somebody who is \n50 years old, you know, there is a limited horizon for that \nworker between investing, training, and then they are off into \nretirement.\n    So, what I am suggesting is to lengthen out that runway and \npopulate it with a much larger population that we could train. \nBut maybe that is something I need to work on in terms of, you \nknow, a scholarship program or something like that that would \nbe available to these grammar schools.\n    It does fit very neatly with the president's initiative to \noffer universal Pre-K where we get kids in at that early age \nand we provide them with, you know, the rudimentary beginnings \nof an education in STEM.\n    So, with that, Mr. Chairman, I thank you for your kindness. \nI thank you for all the great work that you do. I want to thank \nour witnesses. Very important issue.\n    And I yield back. Thank you.\n    Mr. Connolly. Thank you, Mr. Lynch, and you really raise a \ngood point about the need to recruit and retain the work force \nof the next generation, and I would love to work with you, Mr. \nLynch.\n    I have a bill I am developing on using the Federal--a \nFederal internship program to populate the vacancies we are \nprojecting for the future.\n    We do a lousy job of Federal interns compared to the \nprivate sector, and so it is something ripe for improvement \nthat could actually be a huge part of the solution, including \nin the IT sector itself.\n    So, I look forward to working with you, Mr. Lynch, on that.\n    Mr. Lynch. Happy to do that. Thank you, Mr. Chairman.\n    Mr. Connolly. Thank you, Mr. Lynch.\n    Mr. Keller is recognized for his five minutes.\n    Mr. Keller. Thank you, Chairman Connolly and Ranking Member \nHice, for having this hearing. Also, thank you to our witnesses \nfor participating and joining us this afternoon.\n    The FITARA scorecard remains a valuable tool in assessing \nthe modernization of the Federal Government's IT system and \ncybersecurity infrastructure. Strengthening our Nation's IT \ninfrastructure and cyber grid is a goal we can all work toward.\n    The Federal Government spends, roughly, $100 billion on \ncybersecurity and IT investments annually, yet we still face \nchallenges securing some of our Nation's most sensitive IT \nsystems.\n    These challenges have been highlighted by the recent events \nsuch as the Colonial Pipeline and SolarWind's cyber attacks. \nCongress and the administration must now look at cost-effective \nstrategies to improve our Nation's IT systems and cyber \nreadiness.\n    Ms. Martorana, I have concerns regarding the cost of \nimplementing technological changes. In December 2019, Congress \nappropriated about $125 million to the Technology Modernization \nFund.\n    However, agencies encountered financial problems with \nmonitoring the fund. As of June 2021, approximately $89 million \nof the fund has been awarded to 11 projects across seven \nFederal agencies. Not even 10 percent of the money allocated \nfor these--in this fund.\n    What tools can Congress provide to OMB to improve cost \nestimating practices?\n    Ms. Martorana. Thank you very much for that question.\n    It is--OMB is committed to full transparency in Federal IT \nspending and performance data. So, we would welcome feedback \nand continued collaboration on making sure that we are \ncompletely transparent on those numbers.\n    With relation to the Technology Modernization Fund, I can't \nspeak very in detail about what happened prior to me joining. \nBut I can tell you a little bit about how we are utilizing the \nTechnology Modernization Fund since we have been appropriated \nthe additional $1 billion under the American Rescue Plan.\n    We have--as I said in my opening statement, we have 108 \nprojects that have come in from 43 different agencies, and I \nthink it really represents the market demand for flexible IT \nmodernization funding and our ability to work collaboratively \nto continue on the IT modernization journey that most agencies \nhave a pretty significant backlog in their own portfolio for \nthese projects.\n    Mr. Keller. You had mentioned that you couldn't speak \nbefore you came into the agency. Are some of the same people in \nthe agency today that were in when we had appropriated the \nmoney before with this new money that you referenced in the--in \nthe American Rescue Plan?\n    Ms. Martorana. I am sure that there are some OMB employees \nthat are--have been in tenure during the length of TMF being \nstood up.\n    But I can really tell you since I have joined there is a \nreal commitment not only to the TMF and the IT Modernization \nFund, but we are having very active conversations with all of \nthe staff at OMB about agencies' needs, focused on \ncybersecurity as a primary, but IT modernization goes hand in \nhand with cybersecurity.\n    Mr. Keller. So, you have taken proactive steps to make sure \nthe same thing doesn't happen with this money as happened with \nthe previous money that you can't tell us about? I mean, that \nyou can't reference since you weren't there?\n    Ms. Martorana. Yes, we are working kind of on a two-pronged \nstrategy. One is when we identified the payment flexibility for \nTMF under the American Rescue Plan, we asked--put out a call to \nagencies saying, come and tell us in four category areas where \nyou need the most investment, and that was high-value assets \nthat need to be modernized, cybersecurity, public-facing \ndigital services that were identified through the COVID \npandemic, and shared services where multiple agencies could \nbenefit.\n    And so under that framework agencies came to us with this \n108 project proposals and they are still coming on a rolling \nbasis. We also, as a board, want to take a top-down look as \nwell to see where we can have the greatest impact across the \ngreatest number of agencies.\n    So, take an area like cybersecurity. We don't start from a \nblank piece of paper, right. Any of the--my fellow CIOs would \nprobably attest to the same. We are all trying to solve the \nsame problems whether we have legacy IT, end-of-life systems, \nor systems that are a little bit more modern but could benefit \nfrom innovation that is going on in the private sector.\n    So, we are looking from a top-down perspective as well as \nreally trying to source from agencies' need directly.\n    Mr. Keller. But no specific tools that Congress needs to \nprovide at this point in time to OMB to improve cost estimating \npractices? I mean----\n    Ms. Martorana. I think I would look forward to working with \nyou and your staff and continuing to have a conversation about \nthat.\n    Mr. Keller. OK. Thank you. I yield back.\n    Mr. Connolly. Thank you, Mr. Keller.\n    I would just observe that the witness said something I \nthink that is really important that goes to part of your \nquestion, and what Mr. Hice was getting at earlier.\n    Cybersecurity is not a separate topic compartmentalized \nfrom the IT system in place. If you are working on a legacy \nsystem, many of them were developed long before encryption was \ndeveloped and they aren't adaptable or not easily adaptable. \nThey are vulnerable systems.\n    That is why our effort here at modernizing IT is directly \nrelated to cyber capability. They are not separate subjects, \nand I think your question gets at that. And I really appreciate \nthe answer the CIO of the Federal Government, because that \noften gets overlooked. Thank you so much.\n    The gentlelady, our vice chair for this subcommittee, Ms. \nPorter, is recognized for her five minutes. Welcome.\n    Ms. Porter. Thank you very much.\n    In June 2019, about two years ago, the Office of Management \nand Budget issued a memorandum that updated the reporting \nrequirements for Federal data centers. Among other things, this \nguidance redefined the data center as a purpose-built \nphysically separate dedicated space that meets certain \ncriteria.\n    And as a result, agencies have excluded about 4,500 data \ncenters from their inventories.\n    Ms. Harris, is OMB's current guidance on Federal data \ncenters in compliance with FITARA?\n    Ms. Harris. The short answer is no.\n    Ms. Porter. I will take the short answer, Ms. Harris, \nbecause I get them so infrequently in Congress. Is OMB's \ncurrent guidance a good practice from a cybersecurity \nstandpoint?\n    Ms. Harris. Well, I mean, I think that from a cybersecurity \nstandpoint, there are other vehicles in place that may be able \nto address the cybersecurity risk exposure on the data centers.\n    So, I think the larger concern that we have in terms of \ndropping the non-tier data centers is our ability to have \ntransparency and be able to track these centers and be able to \nstay aggressive in consolidation efforts, because there is \nstill money that we are leaving on the table here.\n    So, from that perspective and also an optimization \nperspective, too, ensuring that these centers are fully \noptimized. We are not able to get that if we don't have a \nbetter idea of what is in the inventory.\n    Ms. Porter. And following this subcommittee's FITARA 10.0 \nhearing, OMB submitted responses to the chairman's questions \nfor the record on this data center guidance, and in its \nresponse to the question about this change in the data center \ndefinition, OMB stated that they, quote, ``removed requirements \nand reporting to align with industry standards, while also \nreducing the reporting burden that was time consuming and \nexpensive.''\n    OMB also said to focus on data centers deemed to be key \nmission facilities.\n    Ms. Harris, in GAO's work, have you seen non-tier data \ncenters that are key mission facilities?\n    Ms. Harris. Well, we certainly want to--I think that there \nis a middle ground here. I think the pendulum has swung a \nlittle too far in terms of what we have omitted in the data \ncenter inventory--or the data center definition.\n    But we don't necessarily want or need to track individual \ndesktops. I think that from a reporting perspective, that is \nburdensome to the agencies. But we also----\n    Ms. Porter. Reclaiming my time, Ms. Harris.\n    I think you are exactly right. So, I want to point out some \nof what is being left out. Since OMB issued its guidance, the \nState Department data center reporting has dropped by more than \nhalf.\n    And you are right, we don't need to track every laptop. \nBut, for example, State Department no longer reports on two \n10,000-plus-square-foot facilities.\n    The Social Security Administration, Mr. Brune, has seven \nfacilities between 4,500 and 9,600 square feet that are no \nlonger subject to these reporting requirements.\n    You mentioned the value of transparency. Why is \ntransparency so important when we are talking about these \nsignificantly sized facilities?\n    Ms. Harris?\n    Ms. Harris. I agree with you. I think that is--the examples \nthat you just mentioned are reasons why we should be \nreevaluating the definition of what constitutes a data center \nbecause we do want to keep track of some of the non-tier data \ncenters, particularly the fairly big ones that you just \nidentified, and make sure that they are, you know, following \nthe requirements of the DCOI initiative and are subject to \nthe--you know, the reporting requirements associated with that \ninitiative.\n    Ms. Porter. Thank you very much, Ms. Harris.\n    I think that is extremely helpful.\n    Having heard what you have to say, Ms. Martorana, will you \ncommit to working with this subcommittee to ensure proper \noversight and transparency into these significantly sized, \nmission-critical, non-tiered data centers?\n    Ms. Martorana. Thank you very much for that and I will \nmake--give you another easy answer. Yes, I will commit to \ncontinuing to have that conversation and working----\n    Ms. Porter. This my lucky day. I rarely get two yes and \nno's in the same hearing. I feel very, very blessed to be \nparticipating in this today.\n    I think it is really important that the American public \nunderstand that the lack of transparency makes it impossible to \nfully protect taxpayer money and ensure that agencies are \ntracking all potential security vulnerabilities.\n    So, I really appreciate OMB stepping up here and committing \nto doing what they can to not leave money on the table, to not \nleave us exposed to cyber attacks, because agencies simply find \nit difficult sometimes to follow best practices and the law.\n    Thank you very much, and with that, Mr. Chair, I yield \nback.\n    Mr. Connolly. Ms. Porter, thank you for your questioning, \nand let me just say you are a person after my own heart. Before \nyou joined us, this was the subject I focused on and made it \nvery clear that this subcommittee is going to insist on the \nletter of the law being complied with.\n    And I would say to Ms. Harris while we are not \nunsympathetic with the need for some latitude in exercising \njudgment, the idea of it is a burden to an agency to comply \nwith the law you will find us most unsympathetic to that and we \nwould expect your agency to be similarly unsympathetic to that.\n    When we pass a law, we expect it to be complied with. The \ntime to argue is while we are debating that draft legislation, \nnot after it becomes law.\n    And Ms. Porter is absolutely right. Transparency is \naffected. Compliance with the law is affected. And I can just \ntell you, the fact that we have had 12 hearings on this subject \nall about compliance with the law--no other committee in \nCongress that I am aware of has ever done that--I hope \ndemonstrates our determination to insist that this happen.\n    We see ourselves as your partner, but we are going to \ninsist that the various components of FITARA that Mr. Issa and \nI wrote be complied with, and we are prepared to pass more \nlegislation on a bipartisan basis, if necessary.\n    So, Ms. Porter's points are very well taken. There is a \ndifference between some latitude and a desire to circumvent the \nlaw. Those are two different things. And we are--I said at the \noutset of this hearing we are concerned about that word, \noptimization, because it is a euphemism, we fear, for \ncircumventing the requirement of the law, and that we are not \ngoing to go along with it. And that is not a new message from \nthis subcommittee on a bipartisan basis.\n    So, Ms. Porter, thank you. You have made the point and very \nwell, and we really appreciate the commitment coming out of OMB \nas we move forward.\n    Mr. Issa, you are recognized. Welcome back.\n    Mr. Issa. Thank you, Mr. Chairman. And as you said, this is \nan area where you and I had the opportunity to work together \nfor multiple years.\n    And if I can pick up where you just left off, Chairman, \nwhere Ms. Porter just left off, the intent--what you worked in \na bulldog type way for years on was to reduce the total number \nof distinct facilities that had to be managed, many of them \nhaving the basic problem of telling us they weren't large \nenough to be managed properly.\n    But in a cloud world, there is only one server farm because \nevery farm is connected. If there is only one server farm, \nthat--as Ms. Porter said, that 4,500-square-foot facility that \nis not reporting could, in fact, be the weak link within a \nsingle cloud that has dozens or hundreds of locations.\n    But at the end of the day, the bad guys only have to make a \ncyber penetration in one place. So, the very existence of those \nsmall facilities and then a claim that they cannot have the \nsame level of transparency and perhaps not the same level of \nprofessionalism begs the question, why do they exist at all?\n    And I want to commend the committee for continuing to work \non that and for holding this hearing today.\n    Ms. Harris, I have got a longer reaching one, a question \nyou were not probably prepared for. But as Congressman Connolly \nand myself envisioned modernization under FITARA, we created \nthe very positions or at least gave them real strength of these \nCIOs.\n    They were created and given power and a direct link to, \nessentially, their cabinet head or agency head because of a \nhistory of not having the kind of professionalism overseeing \n$100 billion-plus in expenditures and, ultimately, the $4 or $5 \ntrillion of government spending that depend on it, and then at \nthe end of the day, $22 or $23 trillion of the American economy \nthat, as we know, can shut down if portions of the government \nbecome inoperative.\n    Therefore, the question I have for you as our agency is, \nisn't it time for us to consider looking at stringing together \nthis network of CIOs and, particularly, as to cyber into a \nsingle point of accountability, similarly to the Office of \nPersonnel Management, the Office of Management and Budget, or \nany other cabinet head?\n    Isn't it time that the government accountability and the \ngovernment ops, which is our committee, Mr. Connolly's \ncommittee now, isn't it time that we look at a reorganization \nthat takes that $100 billion plus dollars and creates at least \none person accountable directly to the president who has the \nexpertise to--and the vision to bring together these disparate \nentities that are spread across the government?\n    Ms. Harris. Yes, I think that is a--that is what is needed, \nbecause when you look across the agencies with, you know, the \nproliferation of CIOs, it dilutes accountability.\n    And so having a single point of accountability is \nabsolutely a great idea and I think would go a long way in \nimproving IT management.\n    Mr. Issa. Well, I am going to give each of the CIOs an \nopportunity to weigh in on some of their frustrations. But I \nwould ask the chairman to consider tasking the Government \nAccountability Office with some further study on that to help \nthe committee.\n    But if any of the CIOs want to weigh in on some of the \nfrustrations they see by not having a higher level of person \nwho has the kind of expertise that each of you has.\n    And maybe we start off with the Office of Management and \nBudget.\n    Ms. Martorana. It is an interesting question to ponder. I \nhave not really given this an enormous amount of thought prior \nto the question. But I think that we are making an enormous \namount of progress working across the Federal CIO community in \nan incredibly collaborative way.\n    We are working on several projects together that are \nenterprise in mindset so that we are not learning, you know, \neach one starting from a blank piece of paper.\n    You know, this is--we think, as Federal CIOs, of \ncybersecurity and IT modernization is a team sport. This is not \nan endeavor that any of us takes on in a silo, thinking only of \nour own agency. We think about our fellow colleagues.\n    I know when I was a--an agency CIO, I was greatly benefited \nduring the beginning of COVID by other CIOs who had gone on a \njourney well in advance of where my technology part--my \ntechnology team and infrastructure was.\n    So, I think this is a team sport. We are all working very \ncollaboratively as CIOs. But I would look forward to continuing \nto work together on this----\n    Mr. Connolly. Brief--thank you. Briefly, because the \ngentleman's time has expired, I want to give Mr. Bluestein and \nMr. Brune an opportunity to respond briefly.\n    Mr. Bluestein. Sir, I appreciate the opportunity to respond \nto that. I echo Ms. Martorana's commentary. First of all, the \nenvironment amongst the CIO Council--the government CIOs has \nbeen very collaborative and there are certain things we are \ntrying to break down some of these barriers.\n    I think that that goes right to Congressman Issa's point \nabout collaboration in cybersecurity, having--whether it is \nsome cyber entity that oversees all that but can kind of break \nthrough some of those barriers.\n    FITARA has been realized in my agency. So, I don't want for \nthose kinds of things, if you will, in my organization. But as \nwe collaborate with other agencies, it would be nice in some \ncases if we could break down those silos while making sure that \nwe are secure.\n    Mr. Connolly. Mr. Brune, did you want to comment?\n    Mr. Brune. Thank you, Chairman, and thank you, Congressman, \nfor the question.\n    I would say that the enterprise focus is growing. Recently, \nthe Social Security Administration joined partnership with the \nGeneral Service Administration and other agencies on \nregistration authentication for secure online accounts.\n    The GSA administers a program, login.gov. We use that. So, \nit is done on behalf of the public and we can use--build it \nonce, use it multiple times. That is just one example where the \ncollaboration that the Federal CIO mentioned is occurring, and \nI see it growing.\n    Mr. Issa. Thank you, Mr. Chairman. This has been a great, \ngreat pleasure, and I appreciate your indulgence for the extra \nminutes.\n    Mr. Connolly. Thank you so much, Mr. Issa.\n    And I would just editorialize as a final thought, and it \ngoes back to a comment you made, Mr. Bluestein, about, you \nknow, the org chart and solid line versus dotted line and all \nthat.\n    But Mr. Issa will remember that when we wrote FITARA, among \n24 Federal agencies there were 250 people with the title of \nCIO.\n    Now, there is no private entity that would tolerate that. \nAnd even in writing the bill, we chose not to do it by fiat. We \nchose to hope that there would be an evolution, that somebody \nwould emerge as the primus inter pares.\n    And the reason we have emphasized the solid line is because \nof this proliferation. Someone has got to be in charge. Someone \nhas got to be designated as the responsible and accountable \nperson who is empowered to make decisions.\n    And in bureaucracies if you do not report to the boss, \nespecially public sector bureaucracies, everybody knows \nanything you have to say is ad referendum. I am using some \nLatin today. I am sorry. And that is what we are trying to get \nat, and if there is a better way to do it we would love to hear \nit.\n    But I think both Mr. Issa and I reflect on a private sector \nexperience and look at the Federal Government and say this is a \nsystem that can't possibly work with that many people with that \ntitle.\n    So, that is--that is what we are trying to get at. I think \nyou would concur, Mr. Issa. Yes. Thank you very much.\n    Mr. LaTurner, thank you for your patience. You are \nrecognized.\n    Mr. LaTurner. Thank you, Mr. Chairman.\n    Ms. Martorana, I would like to visit with you just a little \nbit about the Technology Modernization Fund. As you know, it \nwas established by Congress in 2017 to provide agencies \nadditional ways to fund IT projects in a timely manner.\n    Has the fund adequately lived up to its purpose?\n    Ms. Martorana. Thank you, Congressman, for that question.\n    I am so bullish on the Technology Modernization Fund, not \nonly in the way that it has managed IT projects that it did \nduring its kind of 1.0 phase. Now that we are in a 2.0 phase \nwith the $1 billion in the American Rescue Plan funding. I \nhave--I see just enormous possibility.\n    So, a couple things that really stand out to me is, one is \nthe board of TMF are all government officials that are real \nsubject matter experts. They take their responsibility as board \nmembers very seriously.\n    We are spending about 10 hours a week meeting and reviewing \nproposals currently. We have brought subject matter experts in \nwhere we feel that we might have an opportunity, as I mentioned \nearlier, to have a little more of a top-down view across the \nportfolio. So, that is making me incredibly optimistic about \nthis opportunity.\n    The second is, the repayment flexibility that has been \nextended to agencies under the American Rescue Plan is having a \nmeaningful impact on agencies' ability to participate in this, \nright.\n    Not all agencies have working capital funds. We know that \nthat is continuing to evolve. But it was really a barrier of \nentry for people being able to participate in TMF. With the \nrepayment flexibility loosened a bit, that has made all the \ndifference in the world, and we know that this will continue to \nhave an impact.\n    The third reason that I am really optimistic about TMF is \nwe are using best practices in how we are reviewing projects, \nawarding proposals to move forward, and managing them.\n    There is quarterly meetings with the TMF board to review \nprogress. We only give out funds on an incremental basis based \non accomplishments, milestones being met.\n    And we are also taking corrective actions when we see that \na project is not fulfilling where milestones or where we think \nit should be.\n    We are bringing in subject matter experts, again, to \npartner with those agencies on corrective actions and we are \nwilling to stop funding should we not believe that an agency is \ngoing to be successful.\n    So, we believe that TMF is going to have improved outcomes \nin the IT projects that we are funding and we hope to be able \nto continue to demonstrate that to the committee and to \nCongress.\n    Mr. LaTurner. I appreciate that. I have some additional \nquestions on that but I am going to run out of time. \nSpecifically, that my understanding is that there is $10 \nbillion of the $60 billion for Fiscal Year 1922 in the request \nthat has been earmarked for cybersecurity.\n    Could you drill down into that a little bit in the time \nthat we have left and talk about how those funds will be \nallocated and spent to strengthen our cybersecurity?\n    Ms. Martorana. Yes. Out of--I can speak specifically to the \nTMF proposals that had a primary, secondary, or tertiary \ncybersecurity component.\n    We asked agencies to self-identify when they were \nsubmitting a proposal. Forty-two percent of the proposals are \nmodernizing high-priority systems, and that is--those are \noftentimes mission-critical systems that are operating our \nFederal Government.\n    So, 42 percent are focused on upgrading, updating, and \nincreasing the cybersecurity posture of high-value systems.\n    The next are squarely cybersecurity requests, agencies that \nare coming to us and saying that they would like to begin on \nthe road to more modern security practices like zero trust, \nwhich is a framework for not trusting anything inside your \nenvironment and making sure that you are rigorously \ninterrogating everything within your boundaries.\n    It is actually eliminating boundaries. I won't get too \ntechnical. But we are focused on that, and so about 75 percent \nof all requests into TMF through the American Rescue Plan are \nfocused on cybersecurity.\n    Mr. LaTurner. I appreciate that. It is such an important \nsubject that I would love to spend more time on. But my time \nhas expired.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Connolly. Mr. LaTurner, thank you, and let me invite \nyou, if you do have followup questions please get them to my \nstaff and we will forward them to the appropriate witness.\n    Mr. LaTurner. Thank you, Mr. Chairman.\n    Mr. Connolly. There is that opportunity, if we can do it \nwithin five days, and we ask our witnesses to be as expeditious \nas possible but as thorough as possible in responding to \nwritten questions, because, obviously, we can't ask everything \nin the hearing. So happy to do that, Mr. LaTurner. Thank you.\n    And if I can close out this hearing with some questions of \nmy own, but I want to--Mr. Bluestein, I want to focus on you \nfor a minute because I think you joined the agency in June, but \nthe avalanche for SBA occurred in April and May.\n    So, we signed the CARES Act, big bipartisan bill. A lot of \nmoney for it. It was starting a new program, the PPP, and what \nwe did that, I think, put a burden on SBA, and you rightfully \npointed out the magnitude of scale.\n    So, I think your annual loan portfolio is something like \n$20 billion a year. We gave you $600 billion in one month. We \nalso lessened the requirements for eligibility. We really \nstreamlined them. We reduced paperwork.\n    We reduced documentation requirements because we were \npanicked, right. We wanted to get help to Main Street mom-and-\npops as quickly as possible so they didn't go under. A noble \ngoal.\n    And we also had a--that program had a provision that \nallowed loans to be converted to grants fairly easily.\n    Now, in doing all that with great intentions, we were \nrelying, in a sense, on the SBA IT system e-TRAN.\n    And what happened in the first few weeks--oh, we added--I \nam sorry. One other change, which was a big one, we broadened \nthe financial institutions eligible to manage the portfolios. \nWe wanted to get into communities, including communities we \nwere targeting--low income, communities of color--and that \nmeant we had to look at community-based financial institutions, \nnot the normal financial institutions that normally are the go-\nto managers of SBA's portfolio.\n    And what we found was that your IT system could not handle \nthat. It couldn't--it had trouble programming the changes. It \nhad trouble managing a huge avalanche of new money in a new \nprogram and it was overwhelmed by the demand.\n    And I am not citing that to criticize SBA. I cite it as an \nexample of why IT is so important, because no one could have \nforeseen these circumstances. But our whole mission up here was \nshared by your agency, which was rush aid--run, don't walk to \nget aid to these small businesses so we are saving them and \nthey are not going under, and while at the same time, we will \nhave a condition keep people on the payroll. That is the goal \nhere. We want to keep you open and we want to keep those people \non payroll so we are not adding to the massive unemployment, \nwhich we were experiencing in April 2020.\n    But if you don't invest in the IT system to have the \nagility and the flexibility for these kinds of changes, how can \nyou be surprised that it is overwhelmed and your mission is \ndefeated? Not by some nefarious, you know, person or persons \nwanting to muck up the works, but because the IT system can't \ndo it.\n    How often do we have to be reminded how critical and \nintegral the IT system is to the mission? And we see that in \nunemployment insurance systems across the country, in the 50 \nstate unemployment insurance systems.\n    We see it at the IRS in getting payments. We are changing \nthe IRS mission, in a sense, or broadening it, from a tax \ncollector to, you know, a benefit agency, and we are a little \nsurprised that it has some trouble and its IT systems are older \nand more multiplicitous than yours.\n    I just want to give you a chance to kind of--because you \ncame in June after all that happened and you were kind of in \nthe cleanup operation. But I am sure you have some reflections \nabout the good, the bad, and the ugly and what we have learned \nfrom that kind of experience.\n    And then I will be done.\n    Mr. Bluestein. Thank you for the opportunity to comment on \nthat, sir.\n    I did come in after the fact. One of the first things we \ndid was we took a look at the entire ecosystem, because they \nwere different systems that handled the PPP loans and the EIDL \nloans, and they were--while they were somewhat disconnected, \nthey still ran through the same system of systems that managed \nthe capital access process.\n    So, one of the first things we did is say let us take a \nlook at this end to end. How do you streamline all of this so \nit operates on some kind of plane, and let me diverge for just \na second.\n    When all of this happened last year and there was a \nPresidential tweet that said sba.gov, our website that normally \nhandled about 600 to 700 concurrent users went to 93,000 in a \nmatter of minutes.\n    Now, that was all set on a modern platform that immediately \nscaled to handle from about one terabyte a day of data to about \n25 terabytes a day. So, it was built to scale.\n    And we want to bring that same technology into these \nfinancial systems. Unfortunately, a lot of times in risk \nmanagement until we actually realize the risk--people talk \nabout it, but they won't take necessarily the measures to fix \nthat.\n    Now we have been in a situation where we saw the \nconsequence, and especially with all the different things that \nhave happened subsequent to that--different requirements, how \ndo we slice and dice some of these things to discreetly \nidentify either communities of interest, other things that we \nwant to do in the system--that technology is available out \nthere.\n    We are going through the process now of figuring out, OK, \nwhat do we do with the system that we have? We have e-TRAN, \nwhich has been there. It is legacy code. We know it.\n    And the next step is, OK, how do we move beyond that. We \nare working very, very closely with the capital access folks to \nwork through that.\n    Mr. Connolly. Thank you so much, and I look forward to \nhaving further discussion with you about what happened and what \nwe can take away, sir, because I think all of us benefit from \nthat experience in terms of--and I would commend to you, Ms. \nMartorana, on your agenda many things to get done.\n    But I really would look at lessons learned from the \npandemic in terms of IT because I think we could really, all of \nus, benefit from that. There were some great things. There were \nsome things that didn't work, some things that were disasters, \nand some things we could have done better.\n    The TMF is in that context, I think, as you were saying \nearlier in terms of how we might use it to help upgrade, to \nhelp people make other investments, better investments. But I \ndo think there are some very critical lessons to be learned \nfrom this experience, and you might very well want to take the \nlead on that.\n    And I think Mr. Issa suggested, Ms. Harris, that I might \nwant to join him in urging you to look at a couple of issues, \nand Mr. Hice also, and I gladly nod yes to add to your plate.\n    Mr. Hice, anything for the good of the order you want to \nadd?\n    Mr. Hice. I don't. I am----\n    Mr. Connolly. Yes, no problem. You are going to mischief.\n    [Laughter.]\n    Mr. Connolly. All right.\n    I want to thank our witnesses, and again, any member \nwishing to add--to submit written questions for the record, we \nwill be glad to provide them to our witnesses.\n    I think this has been a thoughtful dialog. Really \nappreciate the work of everybody involved. I think you can see \nour commitment. I know it is not the sexiest topic in the \nworld.\n    But to me, IT undergirds everything we are trying to do in \nthe mission, and the mission is jeopardized if the IT doesn't \nwork. And we have the added layer of being really concerned \nabout cyber and how do we protect ourselves.\n    And as Ms. Martorana, I think, astutely observed, the two \nare linked. If you have got an old clunky antique legacy system \nthat cannot be encrypted or cannot easily be encrypted, you are \nasking for trouble, and that is why making smart investments \nthat are cyber protected and that also take advantage of the \nmost advanced technology better serve our constituents and \nprotect their privacy and their interests and the national \nsecurity, while we are at it.\n    With that, this hearing is adjourned.\n    [Whereupon, at 3:52 p.m., the subcommittee was adjourned.]\n\n                                 <all>\n</pre></body></html>\n"