[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
FITARA 14.0
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON GOVERNMENT OPERATIONS
OF THE
COMMITTEE ON OVERSIGHT AND REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
JULY 28, 2022
__________
Serial No. 117-97
__________
Printed for the use of the Committee on Oversight and Reform
Available at: govinfo.gov,
oversight.house.gov or
docs.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
48-387 PDF WASHINGTON : 2022
COMMITTEE ON OVERSIGHT AND REFORM
CAROLYN B. MALONEY, New York, Chairwoman

Majority members:
Eleanor Holmes Norton, District of Columbia
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Ro Khanna, California
Kweisi Mfume, Maryland
Alexandria Ocasio-Cortez, New York
Rashida Tlaib, Michigan
Katie Porter, California
Cori Bush, Missouri
Shontel M. Brown, Ohio
Danny K. Davis, Illinois
Debbie Wasserman Schultz, Florida
Peter Welch, Vermont
Henry C. "Hank" Johnson, Jr., Georgia
John P. Sarbanes, Maryland
Jackie Speier, California
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Mark DeSaulnier, California
Jimmy Gomez, California
Ayanna Pressley, Massachusetts

Minority members:
James Comer, Kentucky, Ranking Minority Member
Jim Jordan, Ohio
Virginia Foxx, North Carolina
Jody B. Hice, Georgia
Glenn Grothman, Wisconsin
Michael Cloud, Texas
Bob Gibbs, Ohio
Clay Higgins, Louisiana
Ralph Norman, South Carolina
Pete Sessions, Texas
Fred Keller, Pennsylvania
Andy Biggs, Arizona
Andrew Clyde, Georgia
Nancy Mace, South Carolina
Scott Franklin, Florida
Jake LaTurner, Kansas
Pat Fallon, Texas
Yvette Herrell, New Mexico
Byron Donalds, Florida
Mike Flood, Nebraska
Russell Anello, Staff Director
Wendy Ginsberg, Subcommittee on Government Operations Staff Director
Amy Stratton, Deputy Chief Clerk
Contact Number: 202-225-5051
Mark Marin, Minority Staff Director
------
Subcommittee on Government Operations
Gerald E. Connolly, Virginia, Chairman

Majority members:
Eleanor Holmes Norton, District of Columbia
Danny K. Davis, Illinois
John P. Sarbanes, Maryland
Brenda L. Lawrence, Michigan
Stephen F. Lynch, Massachusetts
Jamie Raskin, Maryland
Ro Khanna, California
Katie Porter, California
Shontel M. Brown, Ohio

Minority members:
Jody B. Hice, Georgia, Ranking Minority Member
Fred Keller, Pennsylvania
Andrew Clyde, Georgia
Andy Biggs, Arizona
Nancy Mace, South Carolina
Jake LaTurner, Kansas
Yvette Herrell, New Mexico
CONTENTS
----------
Hearing held on July 28, 2022
Witnesses
Vaughn Noga, Chief Information Officer, Environmental Protection Agency
Oral Statement
John Sherman, Chief Information Officer, Department of Defense
Oral Statement
David A. Shive, Chief Information Officer, General Services Administration
Oral Statement
Carol C. Harris, Director, Information Technology and Cybersecurity, Government Accountability Office
Oral Statement
Written opening statements and statements for the witnesses are
available on the U.S. House of Representatives Document
Repository at: docs.house.gov.
Index of Documents
----------
No additional documents were submitted for this hearing.
FITARA 14.0
----------
Thursday, July 28, 2022
House of Representatives
Committee on Oversight and Reform
Subcommittee on Government Operations
Washington, D.C.
The subcommittee met, pursuant to notice, at 9:08 a.m., in
room 2154, Rayburn House Office Building, and via Zoom; Hon.
Gerald E. Connolly (chairman of the subcommittee) presiding.
Present: Representatives Connolly, Norton, Davis, Khanna,
Brown, Hice, Keller, Clyde, and LaTurner.
Mr. Connolly. The committee will come to order.
Without objection, the chair is authorized to declare a
recess of the subcommittee at any time.
I want to welcome everybody to the hearing, which seeks to
continue our oversight efforts of agency implementation and
compliance with FITARA and other information technology laws.
And I now recognize myself for an opening statement.
Since the enactment of the Federal Information Technology
Acquisition Reform Act, FITARA, in 2014, this subcommittee has
maintained steady and bipartisan oversight of its
implementation. In fact, I don't believe there is any other
precedent in congressional history where we have had consistent
oversight of the implementation of a piece of legislation as we
have this one. This is our 14th hearing on the implementation
of FITARA. We established and passed FITARA to establish a
long-term framework through which Federal IT investments could
be tracked, assessed, and managed. Since the Scorecard's
inception, agencies have significantly reduced wasteful
spending and improved project outcome, saving what we believe
to be $24 billion of taxpayers' money.
[Chart]
Mr. Connolly. The table you see provides an overview of how
the Federal Government performed for both the 13th hearing and
the 14th hearing on the Scorecard. Compared to overall grades
reported in the 13th Scorecard, FITARA 14, this one, has one
fewer A grade, three fewer B grades, two more C grades, and two
more D grades. While no agency has received an F since May
2018, an A grade remains unfortunately unusual with two in the
last Scorecard and only one in this Scorecard. The United
States Agency for International Development grade remains the
lone A. On an individual agency level, one grade improved, 8
fell, and 15 stayed the same. In addition to the three
testifying agencies, the Department of Defense overall grade
has declined from C plus in 2021 to D plus this year. The
Environmental Protection Agency declined from B plus to C plus,
and GSA has maintained its B plus grade.
FITARA is a biannual snapshot that allows Congress and the
public to hold agencies accountable for improving their IT
postures. As we have said before, grades are not scarlet
letters. The Scorecard is a tool to promote better
cybersecurity, enhance IT performance, and improve customer
service across the Federal Government. These hearings offer
Congress and the public a better understanding of the immense
effort agencies, specifically, Federal chief CIOs, information
officers dedicate to approving Federal IT. These hearings
provide CIOs a forum to explore the stories behind those
grades.
As discussed during the January 2022 FITARA hearing, a
variety of factors, including changing data availability,
agency resolve, and an advancing IT landscape, catalyzed the
subcommittee to once more evolve the Scorecard. Since then, the
subcommittee engaged a multitude of stakeholders in the
Government Accountability Office to explore potential
improvements to the Scorecard's data and methodology. These
conversations have resulted in our latest effort to use the
Scorecard to incentivize agencies to advance their IT and
acquisition priorities. As part of our efforts to enhance the
Scorecard, the subcommittee sent a series of oversight letters
to the Office of Management and Budget inquiring about its
Fiscal Year 2023 changes to IT data collection and reporting.
We aim to work with OMB and all FITARA agencies to employ the
publicly available data best suited to improve how agencies use
technology to achieve their missions.
As technology and policy evolve, so must the FITARA
Scorecard. It is with these goals in mind that we unveil
Scorecard 14 today and provide a high-level vision of our
intentions to use the Scorecard to drive agencies to even
further progress. The Scorecard is a combination of short-term
immediate changes and longer-term goals.
Let us start with some of the immediate changes. FITARA
requires CIOs to certify that they are adequately implementing
incremental development to modernize their IT investments
rather than pursuing the historically poor performing big bang
approaches. In the past year, OMB released more granular data
on incremental development. As a result, we updated the
Scorecard methodology to focus specifically on agency progress
with software development projects, projects in greater need of
incremental development.
I also want to acknowledge agencies' straight A's in the
Federal data center optimization initiative category with
Scorecard 13. It is time to shift this metric to make it more
focused and relevant. As promised, the previous methodology is
sunset in this Scorecard, Scorecard 14. Finally, in addition to
the closure of data centers, this Scorecard amended the
calculation used to examine Federal cybersecurity postures.
I want to be clear, the Scorecard's biannual publication is
not new. This is 14. The Federal Information Security
Management Act, FISMA, category is not new. The use of annually
required inspector general FISMA assessments to grade agency
cybersecurity postures is not new. And the fact that this
administration stopped publishing cybersecurity cross-agency
priority goal metrics is not new. What is new and must be dealt
with is the lack of data transparency for agencies'
cybersecurity performance. The administration has only itself
to blame for the grades we see in this metric today.
The subcommittee looks forward to working with all
stakeholders to populate the category with more robust data
that captures Federal agencies' cybersecurity posture and now
for where we hope to drive the Scorecard into the future. While
all agencies achieved their self-determined Federal data center
closures, a small handful of agencies have yet to complete
their planned closures, even though we are rapidly closing in on
the already twice-extended consolidation reporting requirement
date.
Earlier this month, agency CIOs received a letter from the
subcommittee asking them to justify the need for the remaining
respective data centers. The subcommittee plans to use these
answers as part of a new methodology. The goal is to ensure
agencies think strategically about their costly data center
use, incentivize the closure of underutilized data centers, and
save taxpayer dollars. It is our hope that focus on this
category will enhance the Federal Government's movement to the
cloud.
Turning to the future of cyber, this subcommittee eagerly
awaits the new and improved data behind the Biden
administration's priority goals detailed on Performance.gov. I
and many others look forward to hearing from OMB about the
administration's new cyber strategy, which will help agencies
remain resilient and adapt in the ever-changing cyber
landscape. Last, when the subcommittee first added the CIO
reporting structure metric to Scorecard 3.0, 12 CIOs had no
reporting relationship to the Secretary or deputy secretary of
their respective agencies. Today, 16 CIOs have direct reporting
relationships. Six have partial direct reporting relationships,
leaving only two CIOs with no direct reporting relationships.
This evolution marks a rise from 50 percent to more than 90
percent of CIOs now reporting to the agency head. We are
pleased to claim a very successful victory for the IT community
elevating CIOs to their rightful place at the helm of agencies'
decisionmaking tables.
As the pandemic taught us, policy falls flat without the
technology to implement it. CIOs must remain integral
components of agencies' C-suite officials. With Scorecard 15,
the subcommittee will consider sunsetting this category if
agencies have demonstrated a clear and reasonable plan to elevate
the CIOs to a sufficient and necessary authority.
During this year's January Scorecard 13 hearing, we spoke
to industry. Today we hear from CIOs; in September we will hear
the Federal CIO's ideas on evolving the Scorecard and an
update on the data they are collecting to measure cybersecurity
and cloud activity. We need input from all corners to make sure
we get this right, and that we build a tool that gives CIOs the
authorities they need to drive transformational technology
improvements at their agencies. As we evolve the Scorecard to
keep pace with the IT landscape's ever-changing innovations and
threats, we remain focused on continuity, and clarity, and more
efficiency to better serve our constituents.
And with that, the chair now calls on the distinguished
ranking member for his opening statement.
Mr. Hice. Thank you very much, Chairman Connolly. I
appreciate your calling this hearing and agree with much of
what you just said.
Here we are on this 14th FITARA Scorecard, and obviously,
the major issue that stands out is the cyber metric. But more
importantly to me, what stands out is the Biden administration
ignoring the law. Since a cyber grade was included on the
FITARA Scorecard, it has included an assessment of agency
progress against cyber-related goals set by the administration.
These were generally part of a larger set of cross-agency
priority goals, which are required by law. But the grades for
the Scorecard here did not reflect any cyber goals from the
Biden administration because they haven't issued any. That is a
mystery to me.
From what I can tell, the Biden administration has not
issued any goals at all. And while we are at it, the Biden
administration has not delivered the annual cybersecurity
report required by FISMA. So when it comes to the most
important topic that we are dealing with here today, cyber, we
don't have much of an idea of what is going on, and that is
very, very frustrating. If I look at the Scorecard correctly,
it says 10 agencies are failing in cyber. This should wave a
red flag of concern for all of us, and, again, I believe this
is a reflection of yet another Biden administration failure
that is already on a long list of other issues.
But this is similar to what is going on with the Technology
Modernization Fund. As we heard in a hearing earlier this year,
the Biden administration has turned that into what amounts to a
slush fund. The idea behind the TMF was that agencies would
create savings by retiring old systems. Those savings would then
be used to repay the fund and allow for additional
modernization projects. It was intended to create an efficient
cycle. But the executive director of the TMF board gave us
nonsensical answers about how the savings would be realized by
the public. They are not going to make agencies pay back the
TMF funds. This is clearly ignoring the intent of the
Modernizing Government Technology Act. The Biden administration
is yet again thumbing its nose at this committee, and it is not
like this committee has been hard on the administration.
Chairman Connolly has been a rare exception among committee
Democrats in calling Biden administration officials to testify.
I certainly give credit there, but these current cyber grades
because of what I have just said are, frankly, of little value.
OMB is depriving this subcommittee of insight on the most
important FITARA metric and cybersecurity in general. The Biden
administration needs to comply with the law and the will of
Congress, and I hope that message comes through loud and clear
today.
And with that, Mr. Chairman, again, I thank you, and I
yield back.
Mr. Connolly. I thank the ranking member. I would like to
now introduce our witnesses. Our first witness today is the
chief information officer and deputy assistant administrator
for the Environmental Protection Agency, Vaughn Noga. Welcome.
Our second witness is the chief information officer of the
Department of Defense, Mr. John Sherman. Welcome. Our third
witness is the chief information officer for the General
Services Administration, Mr. David Shive. Welcome. And our
final witness is somebody familiar to us on this committee, and
that is the director of information technology and
cybersecurity of the Government Accountability Office, Carol
Harris. Welcome.
If the witnesses would be unmuted, and rise, and raise your
right hand, it is our custom on this committee to swear in all
witnesses.
Do you swear or affirm that the testimony you are about to
give is the truth, the whole truth, and nothing but the truth,
so help you God?
[A chorus of ayes.]
Mr. Connolly. Thank you. Let the record show all of the
witnesses answered in the affirmative.
Without objection, your full written statements will be
made part of the record.
And with that, Mr. Noga, you are now recognized for your
five minutes of oral testimony. Welcome.
STATEMENT OF VAUGHN NOGA, CHIEF INFORMATION OFFICER,
ENVIRONMENTAL PROTECTION AGENCY
Mr. Noga. Chairman Connolly, Ranking Member Hice, and
members of the subcommittee, thank you for the invitation to
discuss Agency perspectives on improving the Federal----
Mr. Connolly. Could you just speak up a little bit, Mr.
Noga? It is a little hard to hear you. Thank you.
Mr. Noga. The FITARA Score----
Mr. Connolly. There you go.
Mr. Noga. As the chair for the Federal CIO Council
Enterprise Operations Committee, we were asked to work across
the Federal CIO community to develop recommendations to improve
existing measures and offer new measures for consideration. I
commend this committee for its continued focus on improving how
we manage and modernize our information technology portfolios.
The FITARA Scorecard and the underlying measures provide focus
and priority to the CIO community. And this committee's
continuous review, consideration, and incorporation of new
standards demonstrate how important a secure, available, and
modernized IT environment is to the Federal Government.
Throughout my career with EPA, I have worked with a deeply
committed and passionate cadre of information technology and
information security professionals. Collectively, we have
shaped and modernized how IT services are delivered, enabling
our work force to respond to mission priorities, regardless of
where they perform their work. At the EPA, I use the results of
the FITARA Scorecard to drive Agency priorities and
investments. In the last four years the Scorecard has become a
visual representation of our success and a reminder of areas we
need to maintain continued focus. The evolution of this
valuable tool will ensure that we continue to focus on the
modernization, optimization, and security of our IT assets.
The EPA has successfully consolidated EPA data centers into
localized computer rooms. In addition to consolidating data
centers, we identified opportunities to maximize space use by
offering available space to the Federal family, reducing the
need for other agencies to make data center investments. In the
past four years, the Agency established enterprise cloud
environments with two commercial cloud providers to help
further expand virtualization and the cloud smart strategy. We
are reaping the benefits of cloud computing capabilities,
improving our agility, performance, and consistency with
application deployments. EPA will continue to prioritize
further reducing capital and support expenditures associated
with legacy server and storage environments. Over the past two
months, I have been meeting with all EPA regions and programs,
and that has been the focus of our conversation. The forward
focus for EPA will be a cloud smart rationalization of
applications to drive application consolidation and cloud
adoption.
EPA's mission is to protect human health and the
environment. One key component in delivering EPA's mission is
to ensure we properly safeguard our information and information
technology environment. As a result, cybersecurity is one of
EPA's top priorities. And it is critically important that we
maintain the necessary cyber defenses to enable us to identify
and respond to the rising and increased sophistication of cyber
threats.
To safeguard its IT environments, EPA deployed several
defense-in-depth mechanisms, such as network segmentation for
high value and critical assets, multi-factor authentication,
and data encryption. EPA's Continuous Diagnostics and
Mitigation Program was a big driver of modernizing our asset
and vulnerability management programs, enabling integration
across EPA's on-premise and cloud environments, including
integration into the DHS' CDM dashboard. As a result, EPA was
able to quickly assess its environment and remediate the Log4j
vulnerability across its enterprise.
To build upon this progress, EPA has developed Agency-wide,
long-term performance goals for full compliance with the
cybersecurity executive order, including maturing our Zero
Trust architecture capabilities. We have implemented a cyber
sprint focused on the continued implementation of the key
security measures outlined in the Zero Trust architecture,
including maturing our Enterprise login capability. Recognizing
cybersecurity threats and attacks will continually increase in
number and sophistication, it is important to maintain a
Federal-wide awareness and priority on implementing collective
defenses to safeguard our critical information and information
systems. The CISA Zero Trust Maturity metric provides a
baseline for departments and agencies to report and be
evaluated at various maturity levels, and EPA is in complete
support of its implementation.
EPA continues to make great progress in recruiting,
developing, and maintaining an IT work force to support the
Agency's mission requirements in a rapidly developing IT
environment. EPA maintains a robust cyber work force plan with
dozens of actions across multiple fiscal years to ensure a
highly skilled and agile IT and cyber work force. EPA has
partnered with the Federal CIO Council Cybersecurity Reskilling
Detail Program, where employees receive hands-on training in
cybersecurity to build foundational skills in cyber defense
analysis. EPA has also partnered with the U.S. Digital Service
to deploy a subject matter expert qualification assessment for
IT specialists. The SME-QA process grants agencies an
alternative to using the traditional resume review and self-
assessment process, and, through the use of SMEs, provides the
hiring manager the ability to confidently hire qualified
talent. EPA will work to leverage direct hiring authorities for
IT management specialists to enhance the hiring tools available
to EPA IT managers.
I look forward to working with members of the committee on
this important issue, and we will be happy to answer any
questions you may have.
Mr. Connolly. Thank you. Mr. Sherman, you are recognized
for your five minutes of oral testimony. Welcome.
STATEMENT OF JOHN SHERMAN, CHIEF INFORMATION OFFICER,
DEPARTMENT OF DEFENSE
Mr. Sherman. Good morning, Chairman Connolly, Ranking
Member Hice, and distinguished members of the subcommittee.
Thank you for the opportunity to testify before you today
on the Department's implementation of the Federal Information
Technology and Acquisition Reform Act. As noted, I am John
Sherman, the Department of Defense chief information officer.
Chairman Connolly and Ranking Member Hice, I want to thank you
for your leadership with the distinguished members on FITARA. I
can assure you the Department of Defense looks to the spirit of
FITARA to drive efficiency, mission capabilities, and
modernization of information technology. The Department has
made strong progress in modernization overall, and I look
forward to updating the subcommittee on our achievements.
Moreover, as we discuss modernizing and securing our IT
infrastructure and capabilities, I want to highlight the
Department's significant strides on enterprise-level priorities
such as cybersecurity, cloud computing, software modernization,
and warfighting command, control, and communications. We have
been able to move forward in these key areas through robust
governance and teamwork across the Department. In
cybersecurity, I am committed to ensuring the protection of the
Department of Defense Information Network, or DODIN,
implementing Zero Trust, hardening our secret-level SIPRNet,
and addressing 20-plus years of technical debt, securing the
defense industrial base, and enhancing our cyber and digital
talent.
Cloud computing remains a fundamental component of the
DOD's global IT infrastructure. To that end, I will ensure that
we provide modern enterprise cloud capabilities to enable
everything from software modernization to enhanced user
experience at every classification level. Finally, turning to
command, control, and communications, or C-3, I remain driven
to modernize our positioning, navigation, and timing capability,
or PNT, lead the Department on electromagnetic spectrum
operations development, move forward on 5G by providing
economic opportunities for U.S. industry while ensuring DOD
equities remain protected, strengthen transport, and ensure
national leader command capabilities.
In closing, I thank this subcommittee for its consistent
and dedicated support and look forward to working with you in
these critical areas. Thank you for the opportunity to testify
this morning, and I look forward to your questions.
Mr. Connolly. Thank you, Mr. Sherman. Mr. Shive, you are
recognized for your five minutes of oral testimony. Welcome.
STATEMENT OF DAVID SHIVE, CHIEF INFORMATION OFFICER, GENERAL
SERVICES ADMINISTRATION
Mr. Shive. Thank you. Chairman Connolly, Ranking Member
Hice, and members of the committee, my name is David Shive, and
I'm the CIO at the U.S. General Services Administration. I'm
pleased to be here today to discuss the important role and
impact of FITARA and the role that it plays to GSA and the
larger Federal Government.
In 2014, Congress passed FITARA to overhaul Federal IT and
promote technology modernization here in government. We notice
that FITARA strives to improve the acquisition and management
of Federal information technology assets through CIO visibility
into budget formulation and execution; pre-budget planning and
program management; participation in agency and program
governance boards; ongoing engagement, health checks, and risk
assessments; and budget submissions, acquisition strategies,
and plans.
Our key objectives in reacting and responding to FITARA
included placing the CIO in control of IT investments Agency-
wide; aligning IT resources with mission and business
requirements; strengthening the CIO's accountability for IT
cost, performance, and security; increasing transparency into
utilization of IT resources associated with risk; enhancing
effective budget planning and programming and execution;
benchmarking IT spending for roll up comparison with other
agencies; reducing duplication and waste; consolidating
acquisition and management functions; and finally, focusing
attention on optimization and consolidation of data centers.
In Fiscal Year 2012, prior to the passage of FITARA, GSA IT
had already begun the critical work of centralizing our
operations and consolidating all IT functions into one
organization. Some examples of those early successes include
the consolidation of our infrastructure, including one email
system, helpdesk consolidation, data center consolidation,
singular visibility into the computing enterprise, centralized
technology budget and acquisition authority, and direct
reporting authority of component technology executives into one
Agency CIO: me. The consolidation provided centralized
oversight and authority for IT investment decisions across the
Agency. Since the consolidation, GSA IT has streamlined the IT
environment, reduced duplication, simplified technology,
averted duplicative costs, increased customer satisfaction, and
fostered an environment of technology reuse and collaborative
sharing.
First, I want to commend the committee for iterating the
measures envisioned in FITARA over time. This is the right
thing to do and allows for agile iterative measures to be
responsive to increasingly agile and iterative technology
implementation and use in the Federal enterprise. Because of
this best practice, we believe the authorities and objectives
within FITARA remain a valuable framework for delivering
improved Federal IT. As a community, we should use this
framework and focus on implementation to the fullest extent and
continue to make sure that how we measure the successful use of
technology tracks with technology trends. Today's focus should
be around aligning IT resources with Agency missions, goals,
programmatic priorities, and statutory requirements. A key
priority is getting legislative and executive agreement based
on the priorities defined in FITARA. We need to gain visibility
into the true cost and true value of IT and how it is critical
to enabling the business of government focused around these
priorities.
FITARA did a good job of achieving data center
consolidation, cloud migration across government, and defining
the role of the CIO. We can utilize many of the mechanisms
already in place to repeat some of those successes in new
areas. For example, FITARA and its implementing memoranda
require strategic reviews, governance processes, and the
utilization of shared services. We should continue to invest
time and effort into those practices. Finally, I would suggest
that one of the most powerful ways to utilize the Scorecard
would be to measure meaningful change and reward agencies
helping each other to be successful.
The best outcome for the Federal Government will come
through strategies that promote collaboration rather than
competition. Leveraging FITARA by focusing on cost
transparency, and trends, and benchmarks across agencies, and
matching agencies that score poorly in a given category with
partners that have practices in place that are leading to
success, will lead to greater success for everyone.
Thank you for the opportunity to appear before you today to
discuss FITARA and its important role in the Federal
Government. I look forward to answering any questions you may
have.
Mr. Connolly. Thank you, Mr. Shive. And I think we will
take you up on your suggestion about shared expertise because
you are right. If capabilities that exist somewhere don't
migrate elsewhere, then we are not getting the full benefit of
the investments we are making in IT, irrespective of where they
originate or the purpose for which they might originally. So
Carol, we got to make sure we take that into cognizance as we
move forward. Thank you. Thank you so much.
And now, a familiar face here before the subcommittee on
this subject, Ms. Harris, you are recognized for your five
minutes of oral testimony. Welcome.
STATEMENT OF CAROL HARRIS, DIRECTOR, INFORMATION TECHNOLOGY AND
CYBERSECURITY, GOVERNMENT ACCOUNTABILITY OFFICE
Ms. Harris. Thank you, Chairman Connolly, Ranking Member
Hice, and members of the subcommittee. As always, I want to
thank you and your excellent staff for your continued oversight
of Federal IT management and cybersecurity. Per your request, I
will highlight some key aspects of this 14th iteration of the
Scorecard.
The overall grades for 15 agencies remain unchanged,
increased for one, and decreased for the remaining eight. This
downward pull was largely due to the sunset of the existing
data center category and a change in the cyber category scoring
due to the absence of cross-agency priority goal data. These
changes resulted in all but two agencies receiving a passing C
or higher. USAID maintained its A from the last Scorecard and
was the only agency to achieve an A in this go-round.
Additionally, the Scorecard is continuing to have a positive
impact on agencies' use of incremental development as called
for by FITARA. Roughly 82 percent of agencies' software
projects are being developed using these best practice
techniques.
Similarly, we continue to see positive trends in the area of
PortfolioStat, as the amount of money agencies have reportedly
saved or avoided as a result of this effort has risen from
$23.5 billion to $24.8 billion. While PortfolioStat is an OMB
initiative, it should be noted that its sustained
implementation and success would not have been possible had it
not been codified in FITARA and monitored over the years
through your Scorecard.
With regard to the EIS category, 14 agencies have either a
D or F. There were 17 agencies in this boat on the last
Scorecard. It is an improvement, but agencies still aren't
moving fast enough in their transition off of GSA's expiring
telecommunications contracts. These contracts expire in May
2023, and while GSA has taken action to enable services through
May 2024, agencies must act with a sense of urgency as in
September, a 100-percent transition date is on the imminent
horizon. The previous transition took three years longer than
planned, and had agencies transitioned on time, they would have
saved roughly $329 million.
Finally, on the cyber category, we have taken a step back
in our attempt to measure progress using publicly available
data. The absence of cybersecurity capital data is troubling,
and OMB should take steps to remediate this gap immediately. I
think we all agree this category should be expanded to better
address the ongoing and emerging challenges facing our Nation,
and we are working with your staff, with OMB, and the agencies
to identify data, both public and sensitive, to support a more
comprehensive grade. But in the meantime, we need to have clear
and measurable cap goals in place because it is the law.
We have appreciated the opportunity to be your partner all
these years in developing the Scorecard, and we look forward to
supporting your continued efforts to evolve the Scorecard so
that it remains an effective tool in improving the management
and security of our Nation's IT. Mr. Chairman, this concludes
my comments, and I look forward to answering your questions.
Mr. Connolly. Thank you so much, Ms. Harris. Maybe I didn't
hear you correctly. What was that savings from FITARA that you
cited?
Ms. Harris. Twenty-four-point-eight billion dollars, and
that is just on portfolio standalone. It does not include data
center consolidation.
Mr. Connolly. So there is more to come?
Ms. Harris. Correct.
Mr. Connolly. Thank you so much. That is music to our ears,
isn't it? So the chair now recognizes distinguished
Congresswoman from the District of Columbia, Ms. Eleanor Holmes
Norton, for her five minutes of questioning. Welcome,
Congresswoman Norton.
[No response.]
Mr. Connolly. You need to unmute, Eleanor. Congresswoman,
you are muted.
Ms. Norton. Can you hear me now?
Mr. Connolly. Yes, you are fine.
Ms. Norton. OK. Sorry for that. FITARA requires that each
Federal Agency's chief information officer had a ``significant
role'' in the decision processes and the management governance
and oversight processes related to information technology. Now,
to ensure agency operations are in line with congressional
intent, the Scoreboard measures how directly an agency CIO
reports to the head or deputy head of the agency. As D.C.'s
Member of Congress, I am deeply familiar with the immeasurable
value of having an equal seat at the decisionmaking table. The
purpose of this metric is to ensure that Federal CIOs are an
essential component of agencies' C-suite conversations
regarding IT modernization efforts. Ms. Harris, what are the
benefits of having CIOs report directly to agency heads?
Ms. Harris. Well, the CIO is on equal footing with the
other C-suite executives in the agency. I mean, that is a
primary benefit, and this emphasis in the organizational
structure cannot be emphasized enough. Our work has shown that
CIOs are more fully empowered to carry out their legal
authorities when they have this direct line as compared to
their counterparts that do not.
Ms. Norton. I appreciate that answer. Data from the private
sector shows that CIOs perform better and can have greater
impact when they are included in key conversations among senior
leadership. DOD, EPA, and GSA all have organizational
structures whereas the CIO reports directly to an agency head
or deputy. So this is my question to the CIOs on the panel: how
has your agency's IT modernization efforts improved by having
you report directly to the head of or deputy of the agency?
Mr. Connolly. That is addressed to all the CIOs, Ms.
Norton?
Ms. Norton. It is, yes.
Mr. Connolly. Mr. Noga?
Mr. Noga. Thank you for the question, Congresswoman. It
certainly does have an effect. We are part of the conversations
with respect to the IT portfolios and the IT investments. And I
routinely meet with the deputy administrator providing updates
on the portfolio. And also on cybersecurity, we meet with the
deputy administrator every month and provide an update on
cybersecurity, and where the Agency is at, and where we need to
focus. I also meet with other senior leadership across the
Agency, and I understand the importance of the portfolio and
our investments, and also meet with the CFO at the Agency. We
have a close relationship on the approval of the IT portfolio
and the IT investments.
Mr. Connolly. Thank you. Mr. Sherman?
Mr. Sherman. Thank you for the question, Congresswoman.
Everything Mr. Noga said would be applicable at DOD about being
in the conversation. But one of the most tangible results at
the Department of Defense is something I sign out in January of
every year called the Capability Planning Guidance, which
focuses on IT modernization cybersecurity, command and control,
and related topics, which is a guiding document that goes out
to the military services and other components that demand
results on what I have to do for budget certification of
Secretary Austin toward the end of each calendar year. And that
drives many discussions throughout our budget bill and
throughout the year with my fellow CIOs, and the military
departments, and elsewhere, and the undersecretaries and others
throughout the Department. So that is a tangible outcome of
reporting directly to Secretary Austin and Deputy Secretary
Hicks. Thank you.
Mr. Connolly. And if I could freeze that clock for one
second. And I would assume especially in DOD, who you report to
matters because hierarchy matters.
Mr. Sherman. It matters, sir, and I also get to attend the
undersecretary's meeting since I was confirmed, which was not a
historic CIO thing, so there has been quite a bit of movement
on that front as well. Thanks.
Mr. Connolly. Thank you. Mr. Shive?
Mr. Shive. So I agree with everything that my colleagues
said from EPA and DOD. One additional benefit is that being a
part of the C-suite, being a part of the front office, I am a
part of the discussions when the business leaders of GSA have a
problem or ideating some new capability. I am a part of the
solution and solution creation from the very beginning. And it
is no surprise that here in the 21st century where technology
is ubiquitous through the business enterprise in government and
outside of government, that solutions to problems and
technology solutions that support business that are baked in
from the very beginning of the conversation provide the highest
value.
Mr. Connolly. I thank you, and I am going to call on the
ranking member. But if you will allow me just an observation,
when we wrote FITARA, looking at 24 Federal agencies, there
were 250 people with the title ``CIO.'' That is almost unheard
of.
Eleanor, I think that is you. OK.
And so, while we didn't, by fiat, in the legislation say,
no, there is just going to be one CIO because we wanted to
respect the culture, and we understand that every Federal
agency--take the Pentagon--has multiple missions. We wanted to
evolve to a premise into parse, a first among equals, who
reported to the boss, because we know that in any bureaucracy,
private sector or public, if you report to the deputy
assistant, special assistant widget director in the bowels of
the basement, no one is going to take you seriously. We are
going to say thank you for your opinion, and off we go.
If I know you are meeting with the boss every day or every
other day and you have got his or her ear, I got to take
seriously everything you say to me. And so, I mean, that is
just how org charts work in any organization. And I think Ms.
Harris made that point, that why this is so important to us
because we want to evolve to a structure that empowers CIOs,
but also makes them accountable and gives them the flexibility
and the responsibility to make decisions that are meaningful in
terms of IT investments and modernization. So that was the
whole thrust of this, and it is a category where we have made
enormous progress. And hopefully, we will get to the point
where 100 percent of agencies have this kind of reporting
sequence because that elevates the whole issue of IT as the
critical platform for implementing policies.
And thank you, Mr. Hice, for your indulgence. I just wanted
to clarify the contents of the law. I now call on the
distinguished ranking member for his line of questioning.
Mr. Hice. Thank you, sir. In my opening statement, I
expressed concern with this Scorecard, particularly as it
relates to the cyber metric. I think all of us share that
concern. Ms. Harris, let me ask you, since this particular
scenario that we are experiencing right now is based only on
the IG assessment, can you help me better understand what is
going into these grades coming from the IG?
Ms. Harris. Right. So coming from the IG, they are taking a
look at the maturity of a subset of assets within an
organization. And so they are doing checks to identify things
like detection, intrusion, recovery, and they are basing it
against the maturity model to identify how well the agency is
performing in those particular areas. And again, it is a subset
of systems that the IGs are assessing, so it is not necessarily
generalizable across the organization. So when you take a look
at the IG assessments and the grades or the overall rating that
is provided in those assessments, it is not considered
comprehensive.
Mr. Hice. So if it is not comprehensive, this is kind of
like check the box are you secure, can you recover, or is there
an actual audit, if you will, going into test the systems?
Ms. Harris. I think it varies by IGs. Some where it is more
check the box, others where it actually is an audit where they
are testing the internal controls, but there is no real
consistency across the IGs. And how this is----
Mr. Hice. OK. Well, that is a huge area that needs to be
addressed just from the IG perspective, and then we have a
whole other missing element here today. So with that, why are
so many agencies failing? If it is a check the box or whatever
it may be, why do we have so many failing right now?
Ms. Harris. Well, I think, again, because it is a subset. I
wouldn't characterize it as an accurate reflection of the
agencies' overall cyber posture. There are many other inputs
that should be incorporated if you want to have a comprehensive
overall grade of what an organization's cyber posture is.
Mr. Hice. So is this current Scorecard then, as it relates
to cyber, relatively worthless at this point?
Ms. Harris. I wouldn't say it is worthless. It provides one
input of many, so it is not an accurate representation.
Mr. Hice. OK. Let's jump off of that then. I just have an
example. DHS, I remember, received a D. There are a lot of
people who feel like they ought to be more involved in a
governmentwide Federal cybersecurity involvement. So when we
look at a D with DHS, is it something that is a red flag?
Should it cause a great deal of concern? Are you saying it
doesn't reflect where they really are?
Ms. Harris. Yes. In the case of DHS, I would not say that
the D is an accurate reflection of where the Agency is with
regard to their cyber posture. I mean, we recently issued work
this January and DHS was among 12 agencies who successfully
achieved 90 percent or higher progress toward their previously
reported cybersecurity cap goals. And in addition to that, we
have identified that they have incorporated adequate
protections associated with their data itself, for the reviews
that we have performed. So I think that last iteration of the
Scorecard's grade of a B is probably more in line with where
they are as opposed to the D because, again, the D is a
reflection of just one metric.
Mr. Hice. OK. Well, then that sounds like the Scorecard, as
it relates to cyber, is pretty worthless at this point, at
least as it relates to DHS. We see a D. How are we to assess
where we are? Mr. Vaughn, let me just go jump over to you with
a similar type of thing. EPA received a D. Is that an accurate
reflection? Why or why not?
Mr. Noga. Thank you for the question, Congressman. I don't
believe it is an accurate reflection. Just like what was
previously stated, the current score is based on one aspect,
which is the IG assessment, and at the EPA, the IG only
assesses to the 3 level. So right off the bat, we are not able
to be assessed at any level higher than 3.
Mr. Hice. But you still only received a 60 percent, even as
it is, with the IG assessment?
Mr. Noga. We received a Level 3, but they can only assess
up to a Level 3. They didn't assess us any higher than a Level
3. So if you are looking at a 1 to 3 score, we received the
highest on their score based on what they could assess.
Mr. Hice. The highest D you can get. Yes. I mean, this is
extremely frustrating, Mr. Chairman. I know it is to you as
well, but this issue has to be addressed or taken to the next
level.
Mr. Connolly. I completely agree with you. And I will say
we had a very positive conversation with OMB yesterday in which
they freely expressed contrition about not being forthcoming
sooner on cyber data that would have allowed these scores to
reflect hopefully more accurate data. But, Ms. Harris, I want
to clarify something in your answer to Mr. Hice. The Scorecard
isn't based on what we think or what we feel a sense of. It is
based on empirical data provided to us. Is that not correct?
Ms. Harris. That is correct.
Mr. Connolly. And the scores that are reflected in this
category reflect the data that was provided. And the only data
that was provided, unfortunately, or some of these agencies
getting those scores was from the IG. Is that correct?
Ms. Harris. That is correct.
Mr. Connolly. Right. And we didn't get the data we wanted
from OMB. Is that correct?
Ms. Harris. That is correct. Yes.
Mr. Connolly. And my understanding, based on the
conversation I had yesterday, Mr. Hice, with OMB is that will
change. In the next Scorecard we will have their input, and
that will allow us, I hope, to better capture what you are
getting at in terms of real performance. But with respect to
the Scorecard itself and the process, it is what it is because
that is the only data we were provided in this category.
Ms. Harris. Absolutely.
Mr. Connolly. I thank----
Mr. Hice. Mr. Chairman, may I ask a question?
Mr. Connolly. Yes, of course.
Mr. Hice. Regarding the meeting discussion you had with
OMB, did they give a timeframe and when? Will they submit where
they are when they give an answer to the committee on both
sides? Do we have a timeframe on those?
Mr. Connolly. I don't know that we had a timeframe other
than a solid commitment ``we are going to fix this,'' and I
will work with you obviously----
Mr. Hice. Please do.
Mr. Connolly [continuing]. and try to make sure we get more
specific. They initiated this call because I think they noticed
because they have been hearing. Exactly. Exactly.
Mr. Hice. Thank you.
Mr. Connolly. But it was a positive conversation. They
weren't defensive. They recognized the problem, and that gave
me some hope that OK, we can move on. So your point is well
taken I think, Mr. Hice, that there is a problem with this
particular score, but it is not because of the Scorecard. It is
because of a decision made not to provide the data, and that
forced us to use the only data we had, which was the IG data.
Ms. Harris, did you want to----
Ms. Harris. Oh no. I just wanted to----
Mr. Connolly. You are agreeing with that?
Ms. Harris. The grades are derived from the available
sources of data----
Mr. Connolly. Right.
Ms. Harris [continuing]. that we have. And in this
particular case, the IG assessments were the only available
public source that we could use.
Mr. Connolly. Correct. All right. So thank you, and thank
you, Mr. Hice, for allowing me to clarify.
The distinguished gentleman from Chicago, Illinois, Mr.
Davis, is recognized for his line of questioning. Welcome, Mr.
Davis.
Mr. Davis. Well, thank you, Mr. Chairman, and thanks to our
witnesses, for a very informative hearing.
In 2014, FITARA directed Federal agencies to optimize and
consolidate their data centers by October 1, 2018. Since then,
the consolidation reporting requirement date has been extended
twice. Agencies now have until October 1, 2022, to complete
reporting on consolidation effort, and that date is almost
here. Today, several agencies still have a closure plan beyond
the end of Fiscal Year 2022. A Federal chief information
officer must justify these timelines. Agencies cannot run out
the clock on data center consolidation. Since 2015, the Federal
Government has closed more than 4,000 data centers, saving over
$4.7 billion to this day. I am proud and pleased that this
subcommittee has led these efforts.
Mr. Sherman, just since FITARA's enactment, how many data
centers had the Department of Defense closed, and how have these
closures impacted your Agency's cybersecurity posture and your
IT budget?
Mr. Sherman. Sir, since this has been under way, we have
closed over 230 data centers. And to meet the requirement we
have 12 more to go, which we are going to be done with by the
end of the year. The holdup has been moving to some secret-
level systems that we needed to get moved over, but all the
unclassified, we are basically done with that. This has been
one thing that, among a number, that we have been very grateful
for FITARA to help drive the way ahead on that, to get us to
where we need to be as we move to cloud-based technology.
So I don't have the exact savings. I can take that for the
record, but it has been substantial. And this has been one area
where the Department of Defense has really tried to step out on
as we moved from what we would call a capital expenditure
model, being in a brick and mortar data center, to an
operations expenditure model where we are paying as we go for
cloud-based technology that necessarily strengthens our
cybersecurity with the constant updates, and patching, and
everything you get from a cloud-based infrastructure. This has
helped us with our national security and helped us with our
cybersecurity overall. Thank you.
Mr. Davis. Thank you very much. And, Mr. Noga and Mr.
Shive, why do you believe that you have closed the maximum
amount of data centers for your agency and there must be a
reason to keep the remaining Federal data centers open?
Mr. Noga. Thank you for the question, Congressman. At EPA,
we have got two data centers. We have closed several data
centers over the course of the years. We have got a primary and
a backup for those, the capabilities that need to remain
on premise. But we have made a significant investment in cloud
computing, and we have moved a lot of our applications into the
cloud space. We have actually been doing a lot of that,
especially over the last three years, migrating a lot of our
workload to the cloud.
Mr. Davis. Thank you very much. And, of course, this
subcommittee is committed to conducting thorough oversight over
Federal data center consolidation. As promised, we are
sunsetting the old methodology and evolving it in the agencies'
new completion of their consolidation efforts. Before this
hearing, the subcommittee sent out letters to each agency to
inquire if they had closed the maximum number of agencies. If
this evolved metric agency will be graded on their
communication with the subcommittee and their progress for
solid data and data centers, will each of these CIOs commit to
continuing to work with our subcommittee to maximize data
center closures and cloud adoption efforts to pass the 14.0
Scorecard evaluation?
Mr. Shive. Yes.
Mr. Connolly. Mr. Shive, why don't we begin with you?
Mr. Shive. Great. Yes. So we commit to do so. We are very
proud of our data center consolidation initiative. We have shut
down all 134 of our data centers, and 74 percent of our
workloads now exist in the cloud, with the remaining workloads
on-prem, what we call colo data centers. We consume service
from EPA and NASA. They had extra capacity that we could use,
and so 100 percent of our data centers have been closed. But we
will continue to work with the committee to provide whatever
transparency needed into the value of that work that we
accomplished.
Mr. Connolly. And before I call on Mr. Keller, Ms. Harris,
do you want to comment on that, the data center question Mr.
Davis asked?
Ms. Harris. Well, I think what these gentlemen have done
has been tremendous.
Mr. Connolly. Ms. Harris, it is hard to hear you.
Ms. Harris. I am sorry. I did want to say that if there are
agencies that still have on-premise data centers within the
Federal Government that are managing either all or a good
portion of their IT infrastructure, then they better have a
really good reason as to why they are doing that and not taken
advantage of the cloud and virtualization technologies
available. What we want to see, the goal of every agency is to
employ a hybrid model where at least some of their
infrastructure is cloud based and then others are onsite. But
for agencies to have, again, a large amount of their
infrastructure being operated in data centers, that is a red
flag.
Mr. Connolly. And let me just say, that is one of the
reasons we wrote every agency as we are retooling this category
of the Scorecard. We didn't want to lose this metric that Mr.
Davis is talking about. And that is why we wrote every agency
saying, tell us how many you got and what your plans are as you
move forward for consolidation and moving to the cloud. So we
are going to continue to update that database and work with
you in making sure, as you said, they got a good reason to
justify what they have got and what their plans are.
The chair now recognizes distinguished gentleman from
Pennsylvania, Mr. Keller, for his line of questioning. Welcome.
Mr. Keller. Thank you, Chairman Connolly, Ranking Member
Hice, and our witnesses for being here today, and, of course,
this being the 14th hearing into the Federal Information
Technology Acquisition Reform Act, or I will just say
``FITARA.'' Through the FITARA Scorecard, this committee is
tasked with overseeing the agencies' progress and optimizing
data centers with the goal of increasing efficiency and cutting
costs across the Federal Government. The thing I guess I would
ask Ms. Harris, how effective is the FITARA Scorecard in
providing Congress with an accurate picture of agencies'
performance?
Ms. Harris. You mean relative to data centers?
Mr. Keller. Well, just in relative to----
Mr. Connolly. Forgive me, Ms. Harris. You were asking about
the whole posture?
Mr. Keller. Yes. The whole IT posture, the whole----
Ms. Harris. I mean, I think it is still generally an
accurate reflection of where agencies are relative to the
categories on the Scorecard. But I do believe that the
Scorecard does need to evolve to ensure that it maintains its
effectiveness as we look at new and emerging areas. I mean,
legacy IT is one issue, for example, that could benefit from an
addition on the Scorecard.
Mr. Keller. I guess the question I would have, because then
I heard, I believe, was Representative Hice asking,
information, and you said, well, that one isn't really
accurate. So how many of these on here aren't really accurate?
Ms. Harris. I think that the challenge in this particular
iteration on cyber, because there was only one metric available
for us to utilize, I do believe that that is not an accurate
reflection of where agencies are at with cyber, so I appreciate
the clarification that you just made. But in all of the other
areas, like incremental and portfolio stat, and, you know,
incremental developments, those are an accurate reflection of
where agencies are relative, again, to those particular areas
of the law.
Mr. Keller. OK. But you said the information technology on
cybersecurity, whatever it was, was the one that wasn't
accurate, right, because it didn't cover all the agencies
activity?
Ms. Harris. I think that is fair because of the absence of
cap goals that OMB did not issue as required by law.
Mr. Keller. OK. So what is going to give us any comfort in
the future that when we get information, it will be accurate
for us to be able to make decisions based upon what the
Scorecard is telling us?
Ms. Harris. OMB needs to comply with the law and to issue
the information that they are required to do so with regard to
updated IG assessments as well as cap goals.
Mr. Keller. So you are saying who is that, OMB?
Ms. Harris. Correct. OMB needs to comply with the law and
issue cap goal data.
Mr. Keller. Well, how long have they not been complying
with the law?
Ms. Harris. Well, OMB should have issued the cap goal data,
I believe, in this. They are about at least four months out in
terms of issuing the overall status of cyber, which would have
been the FISMA assessments. In particular, they are four months
out from now.
Mr. Keller. When we were first aware of the fact that they
weren't obeying the law in providing the information? When we
were first aware of that?
Ms. Harris. We have known about this. We have an open
recommendation for OMB to comply as of 2018, so we have been
aware for multiple years, at least, in particular, as it
relates to the FISMA overall report that should be issued every
March. So since 2018, OMB has not issued that on time.
Mr. Keller. See, what has given me some concern is if we
are not making sure we have the data on this, it doesn't give
me a lot of confidence on any of the other categories, quite
frankly. I mean, I didn't say this stuff is inaccurate. That is
something that has been said here today by people that are
dealing with the information, and it just really concerns me
that we have one area that is not accurate. What assurance can
you give me that the other areas of the Scorecard are accurate?
Ms. Harris. Well, we do our best to scrub the data, that
there are inputs into the other categories, like incremental
development, that is using the information that is current. So
we are scrubbing all of the sources of data for every single
category that is on the Scorecard, and what I can tell you
today is the area of cybersecurity is the one area that we are
missing crucial information that we have had in the past.
Mr. Keller. Are there any other areas where you are missing
crucial information?
Ms. Harris. Not that I am aware of, no.
Mr. Keller. OK. And I guess I would just like to make sure
that we have the information that this Scorecard is complete,
and that will be some work, I guess. I would just ask that we
really work on this because, as with any performance, if you
are telling me part of it is not accurate, it makes me question
the whole report. I mean, anybody logically that has done
anything, run a business, done anything, you want to make sure
that you are making good decisions. And with that, I will yield
back. Thank you.
Mr. Connolly. I thank the gentleman, and I think maybe
before you came, we did cover this. And I want to be real
clear: the issue isn't the Scorecard. The issue is the data
provided in order to have a score. So, you know, if you are in
grad school and you don't turn in your term paper, you are
going to either get an incomplete as your grade or you are
going to fail. And one of the consequences unfortunately, for
the lack of data from OMB was that we had to rely only on the
IG data, which is not complete, and as a result, every agency
took a hit in the score. But it wasn't because there is a flaw
in the design of the Scorecard. It was because of the lack of
compliance with the data from OMB.
And as I indicated before you arrived Mr. Keller, we did
have a conversation with OMB, a good one yesterday. They freely
confessed our mess. ``We got to fix it.'' ``We will fix it.''
``We commit to fixing it.'' And just before, I think, you
arrived, I said to Mr. Hice, he and I will work on setting
deadlines for getting that data. So, in the 15th Scorecard,
which will be this fall, we will have this data and a more
accurate picture on that category.
Mr. Keller. I appreciate that, and I like the fact that you
are going to ask for a timeline and----
Mr. Connolly. Oh yes.
Mr. Keller [continuing]. and make them adhere to that
because that is the most important thing that we need to be
looking at, not that we just got a bunch of information, but it
is timely and we can make decisions.
Mr. Connolly. We would agree.
Mr. Keller. Thank you.
Mr. Connolly. We would agree. I don't see Ms. Brown, she
went to the floor to give a speech, so the chair will now
recognize himself briefly.
Let me ask you, Ms. Harris, a different question. Overall,
this Scorecard shows stagnation, and to what, overall, would
you attribute that? Why is this Scorecard not showing kind of
continued progression upwards that previous scorecards have
shown?
Ms. Harris. I think we need to change in some categories
the metrics by which we score particular categories. So like
incremental and the portfolio management categories, we are
grading on a curve. That was appropriate early on in the
beginning of FITARA to help these agencies give them a boost,
but now they have matured in their processes in these areas. It
is, in fact, disincentivizing them. So I wouldn't say it is
real stagnation in those particular areas. We should do a
better job of evolving. I shouldn't say ``better job,'' but we
should be evolving the methodology commensurate with where
agencies are at in their maturity in those areas.
Mr. Connolly. Well, let me take issue with that a little
bit. I mean, that is blaming the way we grade, and I am getting
at, well, but there are basically 15 scores that didn't change.
And only one A and a little bit of regression in some
categories or some agencies that would suggest, you know, our
foot is not on the gas pedal the way it had been in the past.
We have had testimony from all of the CIOs, but including Mr.
Shive, that actually the Scorecard has served a useful purpose,
from his point of view, in driving change.
So I guess I am skeptical that the answer is we need to
update our methodology. I think I am concerned as a Member of
Congress, as someone who wrote this bill, as somebody who came
up with the idea of the Scorecard so we could try to measure
progress, that in this particular case, we are not capturing
the progress. We are not seeing the progress intended by the
law, and I guess I am asking you to address that, because with
respect to the Scorecard, it has evolved. We have made changes.
We have taken into account other circumstances. We have had an
iterative process with GAO, and with agencies, and with even
the outside in terms of what is a fair score. We have tried to
get cooperation, and by and large, have gotten it, except in
the case of cyber within OMB this year. We have sunsetted some
categories because we felt, OK, great job, well done, move on.
Let's have a new category. We are trying to move toward
capturing cyber as a critical part of the IT picture, of
course.
So I guess, going back to my question, I am asking you to
address the issue of how is it that we arrived to the point
where we didn't see the kind of progress previous Scorecards
shown or a more dramatic progress?
Ms. Harris. Well, I think in some of these cases, in
certain initiatives, the data center is the great example as
well as software licensing where agencies have done a great job
of fully implementing those areas. So like within the area of
IT portfolio management, the way that it is applied in the
Scorecard and in practice with the agencies, the focus is on
commodity IT. And I think the agencies, these three in
particular, have done a great job to identify a reduction in
commodity IT. Where I think there are improvements that could
be made is, for example, FITARA. In your great wisdom in
crafting FITARA, the portfolio management process could be
applied to legacy IT, for example, because today, we have just
focused on commodity IT.
Now, I think we can replicate that same success in the
legacy IT management area because what the law will provide, if
it is enacted properly, for legacy IT is it will have a
systematic dialog between senior executive leaders in the
agencies, and the Federal CIO, as well as Congress to identify
the legacy IT systems in need of most attention. And perhaps
one of the metrics that we could use on the Scorecard is to
change it from measuring cost savings to measuring progress
made in decommissioning these antiquated systems.
Mr. Connolly. OK.
Ms. Harris. That is one example where I think, you know, we
have achieved success in certain respects of FITARA. But we
should go further because you have made the law broad enough
where we can apply these great management practices to other
areas of IT, like legacy.
Mr. Connolly. Well, we look forward to working with you,
Ms. Harris, in incorporating that as we move forward because we
want to make sure it is accurate, that it does capture where we
are in the progress we have made or not. And again, the purpose
is to try to update IT in the Federal Government so that is
better utilized and serves the people we all serve. So it is
not to put a scarlet letter on anyone's back. It is actually to
move forward with progress.
And I found that heartening to hear from CIOs, and you are
not the only CIOs we have heard about who have found both
FITARA and the Scorecard useful tools inside the agency to push
for that progress, and that is really a key part of what we are
trying to do here. And I want to thank GAO for being a partner
in this enterprise and helping us create the Scorecard and
update it. And we will continue to work together to try to make
sure it is as accurate a gauge as we can make it and reflects
accurately where agencies are.
The chair now recognizes the gentleman from Kansas, Mr.
LaTurner, for his five minutes of questioning. Welcome.
Mr. LaTurner. Thank you, Mr. Chairman. Ms. Harris, how are
you today?
Ms. Harris. I am well. Thank you, sir.
Mr. LaTurner. Good. The Technology Modernization Fund was
created to update legacy systems, though it does grant
discretion in the types of IT projects eligible for funding. In
light of notable cyberattacks over the past couple of years, do
you think it is worth attaching more conditions to TMF funds to
ensure they are used to update legacy systems or adding
additional metrics to the FITARA Scorecard which would track
the progress of updating legal systems?
Ms. Harris. I think that is a great question. I think that
agencies should be fully carrying out TMF as it was intended in
the law, which is to address legacy issues. So I think that is
the criteria that the Selection Board utilizes, that emphasis
on legacy IT would be a great thing. I also think that agencies
need to focus on the open recommendations that we have made in
TMF relative to ensuring that they have reliable cost estimates
for their projects, as well as reliable savings that they
expect to achieve once those projects are fully deployed.
Mr. LaTurner. Thank you. I appreciate that. I will stick
with you if that is OK. FITARA is generally credited for
helping agencies bolster their IT posture, in part because of
this Committee's comprehensive oversight of the law in
Scorecard. GAO continues to identify Federal IT security as a
governmentwide, high-risk area. How do we change from holding
congressional box-checking hearing exercises twice a year,
which is a lot of what we have done, to doing something that is
going to help Federal agencies and GAO by delisting Federal IT
security from the high-risk list?
Ms. Harris. A couple of things. I mean, we are working very
closely with your staffs, too, as well as OMB and the agencies
to identify information, both public and sensitive, that can be
utilized to create a more comprehensive cyber grade, that is
one. And then, No. 2, you know, we have work under way to
identify and focus on the areas of, for example, continuous
diagnostic monitoring, where we can focus on the enterprise-
wide tools that agencies should be utilizing to identify
vulnerabilities. So we want to raise that bar for the agencies
to ensure that they are taking advantage of these comprehensive
enterprise tools.
Mr. LaTurner. Thank you. For Mr. Noga, and Mr. Sherman, and
Mr. Shive, in your opinion, is FITARA an effective tool in your
effort to modernize Federal IT security? We would love your
perspective. Let's start with Mr. Noga.
Mr. Noga. Thank you for the question, Congressman. I do
believe it is. Like I said in my opening, we look at FITARA. We
look at where we have done well, and, quite frankly, we focus
on where we have got room for improvement. So FITARA is an
effective mechanism. I think we have heard that we would like
to evolve the FITARA Scorecard. We would like to improve the
measures, and that is one of the things that certainly the CIOs
want to partner with this committee and GAO on as what does
that look like.
Mr. LaTurner. Same question for Mr. Sherman.
Mr. Sherman. Yes, sir. It is an effective tool for us as
well. But because cybersecurity is my top priority, the
Department of Defense CIO, we are already actively moving out
with concepts of Zero Trust, getting after technical debt on
our weapon systems, and securing the United States' defense
industrial base of the 300,000 companies across this Nation
that provides supply chain to the DOD. So FITARA helps push
this along, but I can promise you this has already got a lot of
wind in its sails because of what we faced with China, Russia,
and other potential challenges, sir. Thank you.
Mr. LaTurner. I appreciate that. And Mr. Shive?
Mr. Shive. Thank you for the question. Yes, the FITARA has
been eminently helpful to me as a CIO in a couple of ways.
One, it allows us to narrow our focus on the things that really
matter because I believe FITARA actually captures many of the
things that really matter here in Federal Government and IT.
But it has also been a super-valuable tool for me to focus
conversation with a variety of stakeholders outside of my
Agency and, specifically, inside of my Agency. It provides a
recurring mechanism for focus to pivot back to IT for
decisionmakers in my Agency, and they ask me about it. They ask
me about why my scores are fluctuating the way they do. And it
also generates the opportunity for discussion for them to say,
what resources do we need to be able to continue to do well in
this space.
Mr. LaTurner. Let me stick with you. I don't have much time
left, but are there any potential FITARA reforms that haven't
been discussed?
Mr. Shive. Yes. Yes. There is a fair number of discussions,
both formally and informally: formally with staffers and
informally with our partners at GAO about iterating the FITARA
scoring to be reflective of modern agile, iterative IT.
Mr. LaTurner. Real quick, Mr. Sherman?
Mr. Connolly. And, Mr. LaTurner--sorry--I remember you have
talked about shared expertise that you would like to see
captured. Do you mind mentioning that?
Mr. Shive. Yes. So everything we do here in government is
funded by considerable taxpayer dollars. And one of the ways
that we can extend the value of those investments that
taxpayers make to us to provide good government service is to
share everything that we do. That doesn't just mean code and
configuration management scripts. It means playbooks, know-how,
and knowledge. And the community envisioned by FITARA, if it is
operating in its best self, would have those who do well in
particular places share those learnings with agencies that are
struggling.
Mr. Connolly. The gentleman's time has expired, but if Mr.
Sherman or Mr. Noga want to comment on that particular
question, you are welcome to.
Mr. Sherman. Just very briefly. Everything Mr. Shive said
is spot on. I would argue that FITARA has been and remains a
very valuable tool. But as things evolved as we move not only
toward ensuring we are the best stewards of the taxpayer
dollar, but modernizing and focusing on mission outcomes, in my
case with the Department of Defense, we are postured against
outpacing the challenge of China for areas like edge computing,
capitalizing on commercial SATCOM, and having the very best
cybersecurity. Areas beyond just savings, but mission outcome
would be an area that we want to continue to inject into the
discussion. Thank you.
Mr. Noga. Certainly from EPA perspective, one of things we
have been focused on is optimizing and delivery of
infrastructure services. And so I think, you know, there is an
opportunity here to look at how we are doing that, how we will
maximize the investment dollar across the Agency. And we have
done that in the EPA where we look at where can we elevate
these things that were once done at the component or bureau
level to an enterprise-wide offering, right? How can we drive
those efficiencies within the Agency? And that is something
that we are distinctly focused on with an EPA.
Mr. LaTurner. Thank you for your indulgence, Mr. Chairman.
Mr. Connolly. Yes, thank you Mr. LaTurner. And I would just
say, before you came, I mean, you made reference to just
checking the box. I hardly think the Scorecard is just checking
the box because we heard testimony before that the savings
directly attributable to this law is at least $24.8 billion.
That is not checking a box. The fact that we have moved from
fewer than half of CIOs reporting to the boss to 90 percent of
CIOs reporting to the boss, empowering that CIO and having more
accountability is also hardly checking the box.
So I don't want this subcommittee to be selling itself
short in terms of what, in fact, we have accomplished with not
only a bill we passed in law, but in insisting on its
implementation, and we will continue to remain flexible as that
Scorecard evolves. But the end game here is, as Mr. Shive puts
it, to find it a useful tool to move us forward in IT
modernization and implementation in cyber protection. I thank
my friend.
The chair now recognizes the distinguished gentlelady from
Ohio, Ms. Brown, for her line of questioning.
Ms. Brown. Thank you, Chairman Connolly, for holding this
important bipartisan hearing. One metric that the FITARA
Scorecard measures is how agencies are transitioning off legacy
telecommunication contracts that are out of date and will soon
expire. If Federal agencies fail their transition to new
telecom contracts, they will be unable to serve those who
depend on agency services the most. You should see a graphic,
and as it stands, only 14 out of 24 agencies are even 50
percent of the way to a successful transition----
[Chart]
Ms. Brown [continuing]. a milestone originally set to be
achieved by March 31, 2021. In fact, only four agencies have
successfully hit the latest milestone of a 90-percent
transition, which was on March 31, 2022. So my question Ms.
Harris, if agencies fail to transition their legacy services by
May 31, 2023, what consequences will there be for agencies and
for customers?
Ms. Harris. The immediate consequence is the potential
disruption in service if any issues that result in transition
delays occur. And this could be as a result of inadequate human
resource outlays or the need to transition previously
unidentified services. And let me say something about the
latter. That is something that could very well happen because
what we have found through our body of work in this area is
that agencies don't have a very good comprehensive inventory of
their telecommunication services. So as they are transitioning
and moving those services onto the new contracts, they could
identify services that they didn't even know they had, and that
could incur a delay. And if there is a delay, then agencies
will miss out on potential cost savings because the services
that are provided on the legacy have higher rates than the ones
on EIS. And in addition to that, they could be missing out on,
you know, hundreds of millions of dollars in savings, as what
happened in the previous transition.
Ms. Brown. Thank you for that. Now, none of the agencies
before have achieved the most recent transition milestone up to
90 percent completion in 2022. And as of today, the DOD and EPA
have 15 grades with GSA being slightly ahead with the DOD. The
CIOs, why are your agencies struggling to meet these transition
milestones?
Mr. Noga. Thank you for the question, Congresswoman. I
don't necessarily think the EPA is struggling to meet the
milestone. Going back to the Scorecard and the visibility of
the score, certainly it is a visual representation of where we
need to focus. And I would say the EPA is very focused on
ensuring that we migrate our telecommunications over to EIS.
One of things that we have done at the EPA since, you know,
networks is we have consolidated how we deliver network
services at the enterprise level, so we have a strong
understanding of inventory. We have awarded a contract, and we
are working with the carrier to migrate that, and so that is
what is going on right now. We awarded the contract in December
2021, and we are actively migrating services. And we feel very
confident that we will migrate those services before the end of
the contract.
Ms. Brown. OK. I appreciate that. Please, go ahead.
Mr. Sherman. I am sorry, ma'am. I am John Sherman here from
DOD. I would echo what Mr. Noga said. On the Department of
Defense side, part of it is our scale at the $4 million plus
size enterprise and the inherent number of contracts we have
moving out with alacrity to get after this. But I can commit to
you, Congresswoman, this has my undivided attention. Checking
with my team, we are going to be at 80 percent by later this
year and 100 percent by next spring to round up all the
contracts we have and get onto the new GSA platform for that.
So this has our attention, ma'am. Thank you.
Ms. Brown. Thank you.
Mr. Shive. Thank you for the question. Oh, go ahead.
Ms. Brown. No. You go ahead, please. Thank you.
Mr. Shive. Sorry. Thank you for the question. In GSA's
instance, the way things are measured don't give a particularly
accurate representation of where we are. The way that the
measures are designed is when you decommission a circuit and
move to a new circuit or a new line, that increases your
percentage of success. And at GSA, we did a lot of the work to
transform from line-based communications technologies to
digital voice over IP technology 7 or 8 years ago, and as we
implement EIS now, we are using it more as a transformation
play. So the number of circuits that we are moving is much
smaller denominator in that calculus.
The second most part is because we are using it as a
transformation play, the vast majority of the work in the
beginning is done in a planning state phase. And when we go to
implement, it literally will flip overnight. Massive numbers of
our lines that are measured will go from decommissioned to
commissioned on the new platform. So it is really a flip-the-
switch type of model. And so what you are seeing now is
representative of lot of our planning work ahead of that
transformation play.
Mr. Connolly. Thank you. And thank you, Ms. Brown. The
gentleman from Georgia, Mr. Clyde, is recognized for his line
of questioning.
Mr. Clyde. Thank you, Mr. Chairman. An important part of
this committee and its actual role is government reform and
oversight, even though my colleagues on the other side have had
the term ``government'' removed from its name. The key part of
this is FITARA, which is why we are here today. The Federal
Data Center Consolidation Category was initially created to
optimize the use of data centers and cut costs, but it is
unclear how much potential remains in this initiative today.
The government should not be wasting time, or effort, or tax
dollars. And while we are in this hearing, an important aspect
as the committee charged with government oversight and reform
is determining the effectiveness of FITARA and the way, in
practice, that it is actually operating. I was in another
office, so this was one of the concerns of mine.
Ms. Carol Harris, the FITARA Scorecard is supposed to grade
agencies on their implementation of the provisions of the
FITARA Law, but the current Scorecard includes some categories
that were not in the law. Has the addition over the years of
non-FITARA related categories to the Scorecard made it more or
less effective in serving its intended purpose?
Ms. Harris. I think the addition of the other categories
relative to MGT and other statutes has enhanced the Scorecard.
I also think that, I mean, the fact that the Scorecard
categories relative to FITARA are still in there has given a
focus, as these gentlemen have talked about, in agencies'
operations and their focus areas, what should be the priority.
So I do think that it has been an overall very positive benefit
to the implementation of the law using the Scorecard as a means
for oversight.
Mr. Clyde. OK. All right. Now, those additional categories
would incur additional costs, right?
Ms. Harris. I don't believe it is incurring additional
costs. I mean, we utilize data that is publicly available and
it is data that would have been, you know, submitted
regardless, so we are utilizing what is available today for
these other areas. And so I think the net benefit has been, you
know, has been the implementation of both FITARA as well as the
other statutes that the other categories are hinged upon.
Mr. Clyde. OK. All right. Well now, I have a question for
each of you, and we will start over here on this end. Can you
provide a rough estimate of the resources required for each of
your representative agencies to put together the data feeding
into the Scorecard?
Mr. Noga. Thank you very much for that question,
Congressman. I would have to get back to you on that, on the
rough----
Mr. Clyde. OK.
Mr. Noga [continuing]. estimate on what it would take to.
Mr. Clyde. So you can't give me an estimate of what you
think it actually costs you to comply with this?
Mr. Noga. Not at this time, sir.
Mr. Clyde. OK.
Mr. Clyde. Now, Mr. Sherman?
Mr. Sherman. I would have to take it for the record to get
the exact amount. I would just say, though, what FITARA
embodies is part of our normal job with the Department of
Defense, so both drive out efficiencies and modernize. So it
would be kind of marbleized in the rest of what we are just
doing as CIO, but we would have to take for the record for the
exact amount, sir.
Mr. Clyde. OK. All right. Mr. Shive?
Mr. Shive. My answer is actually quite similar to Mr.
Sherman's. The IT shop that is doing its job well measures its
performance across multiple spectrums, and most of those are
already captured in the creation of FITARA. I would say my
estimate was it is a de minimis amount. We are already
capturing this data, putting it into a format that we can, you
know, share out on public forums, which is always the right
thing to do. It is a de minimis.
Mr. Clyde. OK. Ms. Harris, do you agree? All right.
Ms. Harris. Sorry. I do agree.
Mr. Clyde. Looking at the final product in the overall
grade, you consider this Scorecard to be an accurate reflection
of your agencies' posture in the various categories?
Mr. Connolly. Somebody needs to mute. I think that is you,
Mr. Khanna. I am sorry. Mr. Clyde, to whom was your question?
Mr. Noga. Thank you for the question, Mr. Congressman. OK.
So we have talked about cybersecurity, I would say, of the
areas of the Scorecard. Certainly it is not an accurate
reflection, in my view, of our posture relative to
cybersecurity. We have actually spent a lot of time and focused
energy on improving cyber across the Agency, and we have done
so, you know, since the start of the pandemic. The pandemic
really forced us to rethink how we are, you know, managing our
ITSS remotely, how we are protecting them, how we are securing,
how we are patching them. So I don't necessarily think it is an
accurate reflection, but we talked about that that it is just
one perspective, which is the IG assessment, and so that is
where my position is on that, sir.
Mr. Clyde. OK. Go ahead, Mr. Sherman.
Mr. Sherman. Sir, with respect to FITARA and the value it
has brought to us, I do not believe, particularly the FITARA
14.0 we are on, is an accurate reflection of the Department of
Defense. It is pushing us in the right direction on a number of
things, like to transition to the telecom contract. But if we
look across the board of what we are doing to modernize for our
warfighting mission, we are not accurately capturing what we
are doing on there. And indeed, some of the metrics are with
kind of an absolutist, either we have moved or not, is not
accurate for an enterprise the size of the Department of
Defense. We are better than the D plus we have on the Scorecard
right now in terms of supporting our women and men in uniform,
sir.
Mr. Clyde. OK. Fair enough. Mr. Shive?
Mr. Shive. Yes, thank you. The FITARA notational is
notionally correct in assessing the status of an organization.
Earlier in the hearing, we talked about how FITARA has iterated
in response to changing business priorities, changing
technology priorities. Part of iteration is there is a
separation and a gap sometimes, as you change the measures, to
be responsive to changes in those business or technology
priorities or strategies, and so you see these blips. But
notionally, it is notionally correct, in my opinion.
Mr. Clyde. Thank you, and thank you, Mr. Chairman, for
yielding.
Mr. Connolly. Thank you. Thank you, Mr. Clyde. The chair
now recognizes the gentleman from California, Mr. Khanna, for
his line of questioning. Welcome.
Mr. Khanna. Thank you, Mr. Chair. Thank you for your
incredible leadership on these issues. No one has done more in
modernizing our Federal Government than you have, Chair
Connolly. I am introducing a bill to develop a pilot program
that enhances our government's use of metadata, not just in one
agency, but across government. We must rethink and invest in
whole-of-government approaches that promote collaboration
across agencies and then prompt us to work together to fight
America's adversaries.
Let me ask Mr. Shive and Mr. Noga, as you know, OMB's memo
related to improving response to cyber incidents, M-21-31
guidance implementation of logging, log retention, and log
management with the focus on ensuring centralized access and
visibility into agency cybersecurity. How would metadata
regarding network traffic assist you in achieving your
responsibilities under this OMB memo?
Mr. Shive. So it is critically important in prosecuting
good defensive posture here in the Federal Government.
Capturing data and knowing things that exist within that data
is critically important. But if we are going to use the best,
most practical tools, including machine learning and
augmentation like AI, we have to have that captured metadata to
be able to apply those forward-leaning tools to those datasets.
Mr. Khanna. Thank you. Mr. Noga?
Mr. Noga. Thank you for the question, Congressman. I
totally agree with Mr. Shive. You know, I think it is
invaluable to make sure that we collect all data as we start
looking at how we can better improve and protect our IT assets
and infrastructure.
Mr. Khanna. Thank you both. So I look forward to working
with both of you on this legislation on the use of metadata. In
2018, I worked with Chair Connolly and many of the colleagues
on this committee to pass the 21st Century IDEA Act. However,
since the passage of this important measure, the executive has
been struggling to implement some of the reforms we have worked
so hard to codify, and we have been working very constructively
with the committee here to see if we can have a Federal CXO
officer or an equivalent. Do you think that a Federal CXO
officer or equivalent would increase the chances of success of
ongoing future initiatives, and if so, why? And any of the
witnesses can answer.
Mr. Noga. Thank you very much for the question,
Congressman. I really can't speak to the Federal CXO, but I can
speak to the EPA. And one of the things that we have actually
prioritized is customer experience, and what we have been
looking at is certainly internal. What is the customer
experience to our internal employees? And I naturally think
that extends out.
Mr. Khanna. So you would be supportive of some kind of
Federal CXO?
Mr. Noga. Congressman, I guess I would have to see exactly
what we are talking about.
Mr. Khanna. Sure.
Mr. Noga. I am certainly supportive of customer experience
and improving that.
Mr. Khanna. All right. Any other folks on the panel who
would be supportive of the Federal CXO or some equivalent, or
interested in working on that kind of legislation?
Ms. Harris. Sir, we currently have work that we will be
starting very soon on customer experience and the
implementation of both the law and the executive order, and
that work will be starting by this fall. And so we are happy to
collaborate and work with your office to share with you, you
know, the details of what we are finding relative to that
implementation and certainly work with you to identify ways to
better implement the laws around CX as well as the executive
order. And if a Federal CX officer would help promote and
better enable the agencies to execute the laws, then that is
something that we are happy to work with you on.
Mr. Khanna. Wonderful. Well, I appreciate that. And Mr.
Shive, I know GSA has its own internal office of customer
experience. Has that been successful, and do you think similar
initiatives that other agencies would help if we sort of
Federalize an officer?
Mr. Shive. Yes. The position has been wildly effective at
not only helping GSA operate more effectively internally,
providing internal services, but also that has been extensible
out into the service that we provide. Regarding a Federal CXO,
there is probably some value in something like that, that the
need for us to present our government services to the citizens
we serve in a holistic manner that provides value to them is
paramount. And having somebody that is their primary focus who
can look across agency boundaries, agency individual
appropriations, and serve in the best interest of the citizen,
the person that we are all serving in this community, is
probably a good idea.
Mr. Khanna. Thank you. Thank you, Mr. Chairman. Thank you
to you for your leadership to your staff, and I look forward to
continuing to work with them on the metadata bill and something
on customer experience. They have been fantastic, as always, to
work with and really appreciate your leadership and your
staff's leadership.
Mr. Connolly. Thank you so much, Mr. Khanna. Thank you for
your kind remarks, and thank you for your legislative
initiatives. We look forward to working with you.
Before I adjourn this hearing, I want to thank our
panelists. Mr. Sherman, I took note of your remarks, and I am
not unsympathetic to the fact that when we give a grade, it
doesn't always capture the gray areas, and sometimes it doesn't
even capture the essence of what is happening, but it is a shot
at a moment in time. And to be honest with you, the Pentagon
often, not you personally, but often kind of sets itself as
unique, you know, whether it is procurement of off-the-shelf
items and being on the normal list of procurement, whether it
is a fiscal unqualified audit. It is the only agency of the
government that doesn't have one.
And, frankly, when we began this effort on IT because, you
know, not everything is unique to the Pentagon, and so trying
to make progress even there. And when we wrote FITARA, we were
very careful so that we didn't get into jurisdictional issues
here in Congress with the Armed Services Committee. So we were
a little kind of light on the Pentagon. But I found your
testimony today heartening because you are making strides in
complying with FITARA and in seeing the value of the goals we
set. And so, I thank you for that and congratulate you for
that, and we look forward to continuing to work with you and
the Pentagon, particularly.
And, Ms. Harris, I want to thank you as GAO was a partner.
FITARA grew out of the fact that GAO in its high-risk list
every year identified IT, and we decided to do something about
it. And I partnered with the then chairman of this committee,
Darrell Issa. We are an unlikely pair to partner, but we did
because we both had a commitment to this subject, and it has
been bipartisan since day one and has stayed that way: Mark
Meadows, Will Hurd, Robin Kelly, now Jody Hice, Mr. Comer, and
so many others, and of course, for the full support of our
chairperson, Carolyn Maloney.
So we are going to continue to try to make progress. We
want your input to make sure that that Scorecard serves your
needs but also captures progress. We will fix the cyber problem
that we have been talking about today. As I said, heartened by
a conversation we had yesterday, I want to be committed to
doing that. So I think we are all going to be operating from
the same page as we move forward, and Ms. Harris, she will make
sure we do.
And again, I want to thank everybody for participating
today. I want to thank my staff. This is the 14th oversight
hearing, and as this hearing has documented, we have made a lot
of progress, but we don't want to let up on that because IT is
an ever-evolving subject. The challenges and the potential are
also ever evolving. We know that we are under attack from
malign actors, both domestic and foreign, who would compromise
databases, would steal intellectual property, would try to
disrupt operations, especially in the security area, but we
know in the civilian sector as well. So this isn't just a nice
academic subject that has no headlines to it. It is vital to
the operations of government. So thank you so much.
And everyone has five days in which to submit additional
questions, and we would ask our witnesses, should we give you
written questions through the chair, if you could answer them
as expeditiously as possible.
Mr. Connolly. And again, I thank you all for participating
today, and I thank my colleagues for thoughtful questioning.
We are adjourned.
[Whereupon, at 10:47 a.m., the subcommittee was adjourned.]