[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]






 
                              FITARA 14.0

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 OF THE

                   COMMITTEE ON OVERSIGHT AND REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 28, 2022

                               __________

                           Serial No. 117-97

                               __________

      Printed for the use of the Committee on Oversight and Reform
      
      
      
      
 
 


                       Available at: govinfo.gov,
                         oversight.house.gov or
                             docs.house.gov
                             
                             
                               ______                       


             U.S. GOVERNMENT PUBLISHING OFFICE 
48-387 PDF           WASHINGTON : 2022 
                              
                             
                             
                             
                   COMMITTEE ON OVERSIGHT AND REFORM

                CAROLYN B. MALONEY, New York, Chairwoman

Eleanor Holmes Norton, District of   James Comer, Kentucky, Ranking 
    Columbia                             Minority Member
Stephen F. Lynch, Massachusetts      Jim Jordan, Ohio
Jim Cooper, Tennessee                Virginia Foxx, North Carolina
Gerald E. Connolly, Virginia         Jody B. Hice, Georgia
Raja Krishnamoorthi, Illinois        Glenn Grothman, Wisconsin
Jamie Raskin, Maryland               Michael Cloud, Texas
Ro Khanna, California                Bob Gibbs, Ohio
Kweisi Mfume, Maryland               Clay Higgins, Louisiana
Alexandria Ocasio-Cortez, New York   Ralph Norman, South Carolina
Rashida Tlaib, Michigan              Pete Sessions, Texas
Katie Porter, California             Fred Keller, Pennsylvania
Cori Bush, Missouri                  Andy Biggs, Arizona
Shontel M. Brown, Ohio               Andrew Clyde, Georgia
Danny K. Davis, Illinois             Nancy Mace, South Carolina
Debbie Wasserman Schultz, Florida    Scott Franklin, Florida
Peter Welch, Vermont                 Jake LaTurner, Kansas
Henry C. ``Hank'' Johnson, Jr.,      Pat Fallon, Texas
    Georgia                          Yvette Herrell, New Mexico
John P. Sarbanes, Maryland           Byron Donalds, Florida
Jackie Speier, California            Mike Flood, Nebraska
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Mark DeSaulnier, California
Jimmy Gomez, California
Ayanna Pressley, Massachusetts

                     Russell Anello, Staff Director
  Wendy Ginsberg, Subcommittee on Government Operations Staff Director
                    Amy Stratton, Deputy Chief Clerk

                      Contact Number: 202-225-5051

                  Mark Marin, Minority Staff Director
                                 ------                                

                 Subcommittee on Government Operations

                 Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of   Jody B. Hice, Georgia, Ranking 
    Columbia                             Minority Member
Danny K. Davis, Illinois             Fred Keller, Pennsylvania
John P. Sarbanes, Maryland           Andrew Clyde, Georgia
Brenda L. Lawrence, Michigan         Andy Biggs, Arizona
Stephen F. Lynch, Massachusetts      Nancy Mace, South Carolina
Jamie Raskin, Maryland               Jake LaTurner, Kansas
Ro Khanna, California                Yvette Herrell, New Mexico
Katie Porter, California
Shontel M. Brown, Ohio

                         C  O  N  T  E  N  T  S

                              ----------                              

Hearing held on July 28, 2022

                               Witnesses

Vaughn Noga, Chief Information Officer, Environmental Protection 
  Agency
Oral Statement

John Sherman, Chief Information Officer, Department of Defense
Oral Statement

David A. Shive, Chief Information Officer, General Services 
  Administration
Oral Statement

Carol C. Harris, Director, Information Technology and 
  Cybersecurity, Government Accountability Office
Oral Statement

Written opening statements and statements for the witnesses are 
  available on the U.S. House of Representatives Document 
  Repository at: docs.house.gov.

                           Index of Documents

                              ----------                              


No additional documents were submitted for this hearing.


                              FITARA 14.0

                              ----------                              


                        Thursday, July 28, 2022

                   House of Representatives
                  Committee on Oversight and Reform
                      Subcommittee on Government Operations
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 9:08 a.m., in 
room 2154, Rayburn House Office Building, and via Zoom; Hon. 
Gerald E. Connolly (chairman of the subcommittee) presiding.
    Present: Representatives Connolly, Norton, Davis, Khanna, 
Brown, Hice, Keller, Clyde, and LaTurner.
    Mr. Connolly. The committee will come to order.
    Without objection, the chair is authorized to declare a 
recess of the subcommittee at any time.
    I want to welcome everybody to the hearing, which seeks to 
continue our oversight efforts of agency implementation and 
compliance with FITARA and other information technology laws. 
And I now recognize myself for an opening statement.
    Since the enactment of the Federal Information Technology 
Acquisition Reform Act, FITARA, in 2014, this subcommittee has 
maintained steady and bipartisan oversight of its 
implementation. In fact, I don't believe there is any other 
precedent in congressional history where we have had consistent 
oversight of the implementation of a piece of legislation as we 
have this one. This is our 14th hearing on the implementation 
of FITARA. We established and passed FITARA to establish a 
long-term framework through which Federal IT investments could 
be tracked, assessed, and managed. Since the Scorecard's 
inception, agencies have significantly reduced wasteful 
spending and improved project outcome, saving what we believe 
to be $24 billion of taxpayers' money.
    [Chart]
    Mr. Connolly. The table you see provides an overview of how 
the Federal Government performed for both the 13th hearing and 
the 14th hearing on the Scorecard. Compared to overall grades 
reported in the 13th Scorecard, FITARA 14, this one, has one 
fewer A grade, three fewer B grades, two more C grades, and two 
more D grades. While no agency has received an F since May 
2018, an A grade remains unfortunately unusual with two in the 
last Scorecard and only one in this Scorecard. The United 
States Agency for International Development grade remains the 
lone A. On an individual agency level, one grade improved, 8 
fell, and 15 stayed the same. In addition to the three 
testifying agencies, the Department of Defense overall grade 
has declined from C plus in 2021 to D plus this year. The 
Environmental Protection Agency declined from B plus to C plus, 
and GSA has maintained its B plus grade.
    FITARA is a biannual snapshot that allows Congress and the 
public to hold agencies accountable for improving their IT 
postures. As we have said before, grades are not scarlet 
letters. The Scorecard is a tool to promote better 
cybersecurity, enhance IT performance, and improve customer 
service across the Federal Government. These hearings offer 
Congress and the public a better understanding of the immense 
effort agencies, specifically, Federal chief CIOs, information 
officers dedicate to approving Federal IT. These hearings 
provide CIOs a forum to explore the stories behind those 
grades.
    As discussed during the January 2022 FITARA hearing, a 
variety of factors, including changing data availability, 
agency resolve, and an advancing IT landscape, catalyzed the 
subcommittee to once more evolve the Scorecard. Since then, the 
subcommittee engaged a multitude of stakeholders in the 
Government Accountability Office to explore potential 
improvements to the Scorecard's data and methodology. These 
conversations have resulted in our latest effort to use the 
Scorecard to incentivize agencies to advance their IT and 
acquisition priorities. As part of our efforts to enhance the 
Scorecard, the subcommittee sent a series of oversight letters 
to the Office of Management and Budget inquiring about its 
Fiscal Year 2023 changes to IT data collection and reporting. 
We aim to work with OMB and all FITARA agencies to employ the 
publicly available data best suited to improve how agencies use 
technology to achieve their missions.
    As technology and policy evolve, so must the FITARA 
Scorecard. It is with these goals in mind that we unveil 
Scorecard 14 today and provide a high-level vision of our 
intentions to use the Scorecard to drive agencies to even 
further progress. The Scorecard is a combination of short-term 
immediate changes and longer-term goals.
    Let us start with some of the immediate changes. FITARA 
requires CIOs to certify that they are adequately implementing 
incremental development to modernize their IT investments 
rather than pursuing the historically poor performing big bang 
approaches. In the past year, OMB released more granular data 
on incremental development. As a result, we updated the 
Scorecard methodology to focus specifically on agency progress 
with software development projects, projects in greater need of 
incremental development.
    I also want to acknowledge agencies' straight A's in the 
Federal data center optimization initiative category with 
Scorecard 13. It is time to shift this metric to make it more 
focused and relevant. As promised, the previous methodology is 
sunset in this scorecard, Scorecard 14. Finally, in addition to 
the closure of data centers, this Scorecard amended the 
calculation used to examine Federal cybersecurity postures.
    I want to be clear, the Scorecard's biannual publication is 
not new. This is 14. The Federal Information Security 
Management Act, FISMA, category is not new. The use of annually 
required inspector general FISMA assessments to grade agency 
cybersecurity postures is not new. And the fact that this 
administration stopped publishing cybersecurity across agency 
priority goal metrics is not new. What is new and must be dealt 
with is the lack of data transparency for agencies' 
cybersecurity performance. The administration has only itself 
to blame for the grades we see in this metric today.
    The subcommittee looks forward to working with all 
stakeholders to populate the category with more robust data 
that captures Federal agencies' cybersecurity posture. And now 
for where we hope to drive the Scorecard into the future. While 
all agencies achieved their self-determined Federal data center 
closures, a small handful of agencies have yet to complete 
their plan closures, even though we are rapidly closing in on 
the already twice-extended consolidation reporting requirement 
date.
    Earlier this month, agency CIOs received a letter from the 
subcommittee asking them to justify the need for the remaining 
respective data centers. The subcommittee plans to use these 
answers as part of a new methodology. The goal is to ensure 
agencies think strategically about their costly data center 
use, incentivize the closure of underutilized data centers, and 
save taxpayer dollars. It is our hope that focus on this 
category will enhance the Federal Government's movement to the 
cloud.
    Turning to the future of cyber, this subcommittee eagerly 
awaits the new and improved data behind the Biden 
administration's priority goals detailed on Performance.gov. I 
and many others look forward to hearing from OMB about the 
administration's new cyber strategy, which will help agencies 
remain resilient and adapt in the ever-changing cyber 
landscape. Last, when the subcommittee first added the CIO 
reporting structure metric to Scorecard 3.0, 12 CIOs had no 
reporting relationship to the Secretary or deputy secretary of 
their respective agencies. Today, 16 CIOs have direct reporting 
relationships. Six have partial direct reporting relationships, 
leaving only two CIOs with no direct reporting relationships. 
This evolution marks a rise from 50 percent to more than 90 
percent of CIOs now reporting to the agency head. We are 
pleased to claim a very successful victory for the IT community 
elevating CIOs to their rightful place at the helm of agencies' 
decisionmaking tables.
    As the pandemic taught us, policy falls flat without the 
technology to implement it. CIOs must remain integral 
components of agencies' C-suite officials. With Scorecard 15, 
the subcommittee will consider sunsetting this category if 
agency has demonstrated clear and reasonable plan to elevate 
the CIOs to a sufficient and necessary authority.
    During this year's January Scorecard 13 hearing, we spoke 
to industry. Today we hear from CIOs, in September we will hear 
from the Federal CIOs ideas on evolving the Scorecard and an 
update on the data they are collecting to measure cybersecurity 
and cloud activity. We need input from all corners to make sure 
we get this right, and that we build a tool that gives CIOs the 
authorities they need to drive transformational technology 
improvements at their agencies. As we evolve the Scorecard to 
keep pace with the IT landscape's ever-changing innovations and 
threats, we remain focused on continuity, and clarity, and more 
efficiency to better serve our constituents.
    And with that, the chair now calls on the distinguished 
ranking member for his opening statement.
    Mr. Hice. Thank you very much, Chairman Connolly. I 
appreciate your calling this hearing and agree with much of 
what you just said.
    Here we are on this 14th FITARA Scorecard, and obviously, 
the major issue that stands out is cyber metric. But more 
importantly to me, what stands out is the Biden administration 
ignoring the law. Since a cyber grade was included on the 
FITARA Scorecard, it has included an assessment of agency 
progress against cyber-related goals set by the administration. 
These were generally part of a larger set of cross-agency 
priority goals, which are required by law. But the grades for 
the Scorecard here did not reflect any cyber goals from the 
Biden administration because they haven't issued any. That is a 
mystery to me.
    From what I can tell, the Biden administration has not 
issued any goals at all. And while we are at it, the Biden 
administration has not delivered the annual cybersecurity 
report required by FISMA. So when it comes to the most 
important topic that we are dealing with here today, cyber, we 
don't have much of an idea of what is going on, and that is 
very, very frustrating. If I look at the Scorecard correctly, 
it says 10 agencies are failing in cyber. This should wave a 
red flag of concern for all of us, and, again, I believe this 
is a reflection of yet another Biden administration failure 
that is already on a long list of other issues.
    But this is similar to what is going on with the Technology 
Modernization Fund. As we heard in a hearing earlier this year, 
the Biden administration has turned that into what amounts to a 
slush fund. The idea behind the TMF was that agencies would 
create savings by retiring old systems. Those savings will then 
be used to repay the fund and allow for additional 
modernization projects. It was intended to create an efficient 
cycle. But the executive director of the TMF board gave us 
nonsensical answers about how the savings would be realized by 
the public. They are not going to make agencies pay back the 
TMF funds. This is clearly ignoring the intent of the 
Modernizing Government Technology Act. The Biden administration 
is yet again thumbing its nose at this committee, and it is not 
like this committee has been hard on the administration.
    Chairman Connolly has been a rare exception among committee 
Democrats in calling Biden administration officials to testify. 
I certainly give credit there, but these current cyber grades 
because of what I have just said are, frankly, of little value. 
OMB is depriving this subcommittee of insight on the most 
important FITARA metric and cybersecurity in general. The Biden 
administration needs to comply with the law and the will of 
Congress, and I hope that message comes through loud and clear 
today.
    And with that, Mr. Chairman, again, I thank you, and I 
yield back.
    Mr. Connolly. I thank the ranking member. I would like to 
now introduce our witnesses. Our first witness today is the 
chief information officer and deputy assistant administrator 
for the Environmental Protection Agency, Vaughn Noga. Welcome. 
Our second witness is the chief information officer of the 
Department of Defense, Mr. John Sherman. Welcome. Our third 
witness is the chief information officer for the General 
Services Administration, Mr. David Shive. Welcome. And our 
final witness is somebody familiar to us on this committee, and 
that is the director of information technology and 
cybersecurity of the Government Accountability Office, Carol 
Harris. Welcome.
    If the witnesses would be unmuted, and rise, and raise your 
right hand, it is our custom on this committee to swear in all 
witnesses.
    Do you swear or affirm that the testimony you are about to 
give is the truth, the whole truth, and nothing but the truth, 
so help you God?
    [A chorus of ayes.]
    Mr. Connolly. Thank you. Let the record show all of the 
witnesses answered in the affirmative.
    Without objection, your full written statements will be 
made part of the record.
    And with that, Mr. Noga, you are now recognized for your 
five minutes of oral testimony. Welcome.

     STATEMENT OF VAUGHN NOGA, CHIEF INFORMATION OFFICER, 
                ENVIRONMENTAL PROTECTION AGENCY

    Mr. Noga. Chairman Connolly, Ranking Member Hice, and 
members of the subcommittee, thank you for the invitation to 
discuss Agency perspectives on improving the Federal----
    Mr. Connolly. Could you just speak up a little bit, Mr. 
Noga? It is a little hard to hear you. Thank you.
    Mr. Noga. The FITARA Score----
    Mr. Connolly. There you go.
    Mr. Noga. As the chair for the Federal CIO Council 
Enterprise Operations Committee, we were asked to work across 
the Federal CIO community to develop recommendations to improve 
existing measures and offer new measures for consideration. I 
commend this committee for its continued focus on improving how 
we manage and modernize our information technology portfolios. 
The FITARA Scorecard and the underlying measures provide focus 
and priority to the CIO community. And this committee's 
continuous review, consideration, and incorporation of new 
standards demonstrate how important a secure, available, and 
modernized IT environment is to the Federal Government.
    Throughout my career with EPA, I have worked with a deeply 
committed and passionate cadre of information technology and 
information security professionals. Collectively, we have 
shaped and modernized how IT services are delivered, enabling 
our work force to respond to mission priorities, regardless of 
where they perform their work. At the EPA, I use the results of 
the FITARA Scorecard to drive Agency priorities and 
investments. In the last four years the Scorecard has become a 
visual representation of our success and a reminder of areas we 
need to maintain continued focus. The evolution of this 
valuable tool will ensure that we continue to focus on the 
modernization, optimization, and security of our IT assets.
    The EPA has successfully consolidated EPA data centers in 
localized computer rooms. In addition to consolidating data 
centers, we identified opportunities to maximize space use by 
offering available space to the Federal family, reducing the 
need for other agencies to make data center investments. In the 
past four years, the Agency established enterprise cloud 
environments with two commercial cloud providers to help 
further expand virtualization and the cloud smart strategy. We 
are reaping the benefits of cloud computing capabilities, 
improving our agility, performance, and consistency with 
application deployments. EPA will continue to prioritize 
further reducing capital and support expenditures associated 
with legacy server and storage environments. Over the past two 
months, I have been meeting with all EPA regions and programs, 
and that has been the focus of our conversation. The forward 
focus for EPA will be a cloud smart rationalization of 
applications to drive application consolidation and cloud 
adoption.
    EPA's mission is to protect human health in the 
environment. One key component in delivering EPA's mission is 
to ensure we properly safeguard our information and information 
technology environment. As a result, cybersecurity is one of 
EPA's top priorities. And it is critically important that we 
maintain the necessary cyber defenses to enable us to identify 
and respond to the rising and increased sophistication of cyber 
threats.
    To safeguard its IT environments, EPA deployed several 
defense-in-depth mechanisms, such as network segmentation for 
high value and critical assets, multifactor authentication, 
and data encryption. EPA's Continuous Diagnostics and 
Mitigation Program was a big driver of modernizing our asset 
and vulnerability management programs, enabling integration 
across EPA's on-premise and cloud environments, including 
integration into the DHS' CDM dashboard. As a result, EPA was 
able to quickly assess its environment and remediate the Log4j 
vulnerability across its enterprise.
    To build upon this progress, EPA has developed Agency-wide, 
long-term performance goals for full compliance with the 
cybersecurity executive order, including maturing our Zero 
Trust architecture capabilities. We have implemented a cyber 
sprint focused on the continued implementation of the key 
security measures outlined in the Zero Trust architecture, 
including maturing our Enterprise login capability. Recognizing 
cybersecurity threats and attacks will continually increase in 
number and sophistication, it is important to maintain a 
Federal-wide awareness and priority on implementing collective 
defenses to safeguard our critical information and information 
systems. The CISA Zero Trust Maturity metric provides a 
baseline for departments and agencies to report and be 
evaluated at various maturity levels, and EPA is in complete 
support of its implementation.
    EPA continues to make great progress in recruiting, 
developing, and maintaining an IT work force to support the 
Agency's mission requirements in a rapidly developing IT 
environment. EPA maintains a robust cyber work force plan with 
dozens of actions across multiple fiscal years to ensure a 
highly skilled and agile IT and cyber work force. EPA has 
partnered with the Federal CIO Council Cybersecurity Reskilling 
Detail Program, where employees receive hands-on training in 
cybersecurity to build foundational skills in cyber defense 
analysis. EPA has also partnered with the U.S. Digital Service 
to deploy a subject matter expert qualification assessment for 
IT specialists. The SME-QA process grants agencies an 
alternative to using the traditional resume review and self-
assessment process, and, through the use of SMEs, provides the 
hiring manager the ability to confidently hire qualified 
talent. EPA will work to leverage direct hiring authorities for 
IT management specialists to enhance the hiring tools available 
to EPA IT managers.
    I look forward to working with members of the committee on 
this important issue, and we will be happy to answer any 
questions you may have.
    Mr. Connolly. Thank you. Mr. Sherman, you are recognized 
for your five minutes of oral testimony. Welcome.

     STATEMENT OF JOHN SHERMAN, CHIEF INFORMATION OFFICER, 
                     DEPARTMENT OF DEFENSE

    Mr. Sherman. Good morning, Chairman Connolly, Ranking 
Member Hice, and distinguished members of the subcommittee.
    Thank you for the opportunity to testify before you today 
on the Department's implementation of the Federal Information 
Technology and Acquisition Reform Act. As noted, I am John 
Sherman, the Department of Defense chief information officer. 
Chairman Connolly and Ranking Member Hice, I want to thank you 
for your leadership with the distinguished members on FITARA. I 
can assure you the Department of Defense looks to the spirit of 
FITARA to drive efficiency, mission capabilities, and 
modernization of information technology. The Department has 
made strong progress in modernization overall, and I look 
forward to updating the subcommittee on our achievements.
    Moreover, as we discuss modernizing and securing our IT 
infrastructure and capabilities, I want to highlight the 
Department's significant strides on enterprise-level priorities 
such as cybersecurity, cloud computing, software modernization, 
and warfighting command, control, and communications. We have 
been able to move forward in these key areas through robust 
governance and teamwork across the Department. In 
cybersecurity, I am committed to ensuring the protection of the 
Department of Defense Information Network, or DODIN, 
implementing Zero Trust, hardening our secret-level super net, 
and addressing 20-plus years of technical debt, securing the 
defense industrial base, and enhancing our cyber and digital 
talent.
    Cloud computing remains a fundamental component of the 
DOD's global IT infrastructure. To that end, I will ensure that 
we provide modern enterprise cloud capabilities to enable 
everything from software modernization to enhanced user 
experience at every classification level. Finally, turning to 
command, control, and communications, or C-3, I remain driven 
to modernize our positioning navigation and timing capability, 
or PNT, lead the Department on electromagnetic spectrum 
operations development, move forward on 5G by providing 
economic opportunities for U.S. industry while ensuring DOD 
equities remain protected, strengthen transport, and ensure 
national leader command capabilities.
    In closing, I thank this subcommittee for its consistent 
and dedicated support and look forward to working with you in 
these critical areas. Thank you for the opportunity to testify 
this morning, and I look forward to your questions.
    Mr. Connolly. Thank you, Mr. Sherman. Mr. Shive, you are 
recognized for your five minutes of oral testimony. Welcome.

 STATEMENT OF DAVID SHIVE, CHIEF INFORMATION OFFICER, GENERAL 
                    SERVICES ADMINISTRATION

    Mr. Shive. Thank you. Chairman Connolly, Ranking Member 
Hice, and members of the committee, my name is David Shive, and 
I'm the CIO at the U.S. General Services Administration. I'm 
pleased to be here today to discuss the important role and 
impact of FITARA and the role that it plays to GSA and the 
larger Federal Government.
    In 2014, Congress passed FITARA to overhaul Federal IT and 
promote technology modernization here in government. We notice 
that FITARA strives to improve the acquisition and management 
of Federal information technology assets through CIO visibility 
into budget formulation and execution; pre-budget planning and 
program management; participation in agency and program 
governance boards; ongoing engagement, health checks, and risk 
assessments; and budget submissions, acquisition strategies, 
and plans.
    Our key objectives, reacting and responding to FITARA, 
included placing the CIO in control of IT investments Agency-
wide; aligning IT resources with mission and business 
requirements; strengthening the CIO's accountability for IT 
cost, performance, and security; increasing transparency into 
utilization of IT resources associated with risk; enhancing 
effective budget planning and programming and execution; 
benchmarking IT spending for roll up comparison with other 
agencies; reducing duplication and waste; consolidating 
acquisition and management functions; and finally, focusing 
attention on optimization and consolidation of data centers.
    In Fiscal Year 2012, prior to the passage of FITARA, GSA IT 
had already begun the critical work of centralizing our 
operations and consolidating all IT functions into one 
organization. Some examples of those early successes include 
the consolidation of our infrastructure, including one email 
system, helpdesk consolidation, data center consolidation, 
singular visibility into the computing enterprise, centralized 
technology budget and acquisition authority, and direct 
reporting authority of component technology executives into one 
Agency CIO: me. The consolidation provided centralized 
oversight and authority for IT investment decisions across the 
Agency. Since the consolidation, GSA IT has streamlined the IT 
environment, reduced duplication, simplified technology, 
averted duplicative costs, increased customer satisfaction, and 
fostered an environment of technology reuse and collaborative 
sharing.
    First, I want to commend the committee for iterating the 
measures envisioned in FITARA over time. This is the right 
thing to do and allows for agile iterative measures to be 
responsive to increasingly agile and iterative technology 
implementation and use in the Federal enterprise. Because of 
this best practice, we believe the authorities and objectives 
within FITARA remain a valuable framework for delivering 
improved Federal IT. As a community, we should use this 
framework and focus on implementation to the fullest extent and 
continue to make sure that how we measure the successful use of 
technology tracks with technology trends. Today's focus should 
be around aligning IT resources with Agency missions, goals, 
programmatic priorities, and statutory requirements. A key 
priority is getting legislative and executive agreement based 
on the priorities defined in FITARA. We need to gain visibility 
into the true cost and true value of IT and how it is critical 
to enabling the business of government focused around these 
priorities.
    FITARA did a good job of achieving data center 
consolidation, cloud migration across government, and defining 
the role of the CIO. We can utilize many of the mechanisms 
already in place to repeat some of those successes in new 
areas. For example, FITARA and its implementing memoranda 
require strategic reviews, governance processes, and the 
utilization of shared services. We should continue to invest 
time and effort into those practices. Finally, I would suggest 
that one of the most powerful ways to utilize the Scorecard 
would be to measure meaningful change and reward agencies 
helping each other to be successful.
    The best outcome for the Federal Government will come 
through strategies that promote collaboration rather than 
competition. Leveraging FITARA by focusing on cost 
transparency, and trends, and benchmarks across agencies, and 
matching agencies that score poorly in a given category with 
partners that have practices in place that are leading to 
success, will lead to greater success for everyone.
    Thank you for the opportunity to appear before you today to 
discuss FITARA and its important role in the Federal 
Government. I look forward to answering any questions you may 
have.
    Mr. Connolly. Thank you, Mr. Shive. And I think we will 
take you up on your suggestion about shared expertise because 
you are right. If capabilities that exist somewhere don't 
migrate elsewhere, then we are not getting the full benefit of 
the investments we are making in IT, irrespective of where they 
originate or the purpose for which they might originally. So 
Carol, we got to make sure we take that into cognizance as we 
move forward. Thank you. Thank you so much.
    And now, a familiar face here before the subcommittee on 
this subject, Ms. Harris, you are recognized for your five 
minutes of oral testimony. Welcome.

STATEMENT OF CAROL HARRIS, DIRECTOR, INFORMATION TECHNOLOGY AND 
        CYBERSECURITY, GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Harris. Thank you, Chairman Connolly, Ranking Member 
Hice, and members of the subcommittee. As always, I want to 
thank you and your excellent staff for your continued oversight 
of Federal IT management in cybersecurity. Per your request, I 
will highlight some key aspects of this 14th iteration of the 
Scorecard.
    The overall grades for 15 agencies remain unchanged, 
increased for one, and decreased for the remaining eight. This 
downward pull was largely due to the sunset of the existing 
data center category and a change in the cyber category scoring 
due to the absence of cross-agency priority goal data. These 
changes resulted in all but two agencies receiving a passing C 
or higher. USAID maintained its A from the last Scorecard and 
was the only agency to achieve an A in this go-round. 
Additionally, the Scorecard is continuing to have a positive 
impact on the Agency's use of incremental development as called 
for by FITARA. Roughly 82 percent of the Agency's software 
projects are being developed using these best practice 
techniques.
    Similarly, we continue to see positive trends in the area of 
portfolio stat as the amount of money agencies have reportedly 
saved or avoided as a result of this effort has risen from 
$23.5 billion to $24.8 billion. While portfolio stat is an OMB 
initiative, it should be noted that its sustained 
implementation and success would not have been possible had it 
not been codified in FITARA and monitored over the years 
through your Scorecard.
    With regard to the EIS category, 14 agencies have either a 
D or F. There were 17 agencies in this boat on the last 
Scorecard. It is an improvement, but agencies still aren't 
moving fast enough in their transition off of GSA's expiring 
telecommunications contracts. These contracts expire in May 
2023, and while GSA has taken action to enable services through 
May 2024, agencies must act with a sense of urgency as in 
September, a 100-percent transition date is on the imminent 
horizon. The previous transition took three years longer than 
planned, and had agencies transitioned on time, they would have 
saved roughly $329 million.
    Finally, on the cyber category, we have taken a step back 
in our attempt to measure progress using publicly available 
data. The absence of cybersecurity capital data is troubling, 
and OMB should take steps to remediate this gap immediately. I 
think we all agree this category should be expanded to better 
address the ongoing and emerging challenges facing our Nation, 
and we are working with your staff, with OMB, and the agencies 
to identify data, both public and sensitive, to support a more 
comprehensive grade. But in the meantime, we need to have clear 
and measurable cap goals in place because it is the law.
    We have appreciated the opportunity to be your partner all 
these years in developing the Scorecard, and we look forward to 
supporting your continued efforts to evolve the Scorecard so 
that it remains an effective tool in improving the management 
and security of our Nation's IT. Mr. Chairman, this concludes 
my comments, and I look forward to answering your questions.
    Mr. Connolly. Thank you so much, Ms. Harris. Maybe I didn't 
hear you correctly. What was that savings from FITARA that you 
cited?
    Ms. Harris. Twenty-four-point-eight billion dollars, and 
that is just on portfolio standalone. It does not include data 
center consolidation.
    Mr. Connolly. So there is more to come?
    Ms. Harris. Correct.
    Mr. Connolly. Thank you so much. That is music to our ears, 
isn't it? So the chair now recognizes distinguished 
Congresswoman from the District of Columbia, Ms. Eleanor Holmes 
Norton, for her five minutes of questioning. Welcome, 
Congresswoman Norton.
    [No response.]
    Mr. Connolly. You need to unmute, Eleanor. Congresswoman, 
you are muted.
    Ms. Norton. Can you hear me now?
    Mr. Connolly. Yes, you are fine.
    Ms. Norton. OK. Sorry for that. FITARA requires that each 
Federal Agency's chief information officer had a ``significant 
role'' in the decision processes and the management governance 
and oversight processes related to information technology. Now, 
to ensure agency operations are in line with congressional 
intent, the Scoreboard measures how directly an agency CIO 
reports to the head or deputy head of the agency. As D.C.'s 
Member of Congress, I am deeply familiar with the immeasurable 
value of having an equal seat at the decisionmaking table. The 
purpose of this metric is to ensure that Federal CIOs are an 
essential component of agencies' C-suite conversations 
regarding IT modernization efforts. Ms. Harris, what are the 
benefits of having CIOs report directly to agency heads?
    Ms. Harris. Well, the CIO is on equal footing with the 
other C-suite executives in the agency. I mean, that is a 
primary benefit, and this emphasis in the organizational 
structure cannot be emphasized enough. Our work has shown that 
CIOs are more fully empowered to carry out their legal 
authorities when they have this direct line as compared to 
their counterparts that do not.
    Ms. Norton. I appreciate that answer. Data from the private 
sector shows that CIOs perform better and can have greater 
impact when they are included in key conversations among senior 
leadership. DOD, EPA, and GSA all have organizational 
structures whereas the CIO reports directly to an agency head 
or deputy. So this is my question to the CIOs on the panel: how 
has your agency's IT modernization efforts improved by having 
you report directly to the head of or deputy of the agency?
    Mr. Connolly. That is addressed to all the CIOs, Ms. 
Norton?
    Ms. Norton. It is, yes.
    Mr. Connolly. Mr. Noga?
    Mr. Noga. Thank you for the question, Congresswoman. It 
certainly does have an effect. We are part of the conversations 
with respect to the IT portfolios and the IT investments. And I 
routinely meet with the deputy administrator providing updates 
on the portfolio. And also on cybersecurity, we meet with the 
deputy administrator every month and provide an update on 
cybersecurity, and where the Agency is at, and where we need to 
focus. I also meet with other senior leadership across the 
Agency, and I understand the importance of the portfolio and 
our investments, and also meet with the CFO at the Agency. We 
have a close relationship on the approval of the IT portfolio 
and the IT investments.
    Mr. Connolly. Thank you. Mr. Sherman?
    Mr. Sherman. Thank you for the question, Congresswoman. 
Everything Mr. Noga said would be applicable at DOD about being 
in the conversation. But one of the most tangible results at 
the Department of Defense is something I sign out in January of 
every year called the Capability Planning Guidance, which 
focuses on IT modernization, cybersecurity, command and control, 
and related topics, which is a guiding document that goes out 
to the military services and other components that demand 
results on what I have to do for budget certification of 
Secretary Austin toward the end of each calendar year. And that 
drives many discussions throughout our budget bill and 
throughout the year with my fellow CIOs, and the military 
departments, and elsewhere, and the undersecretaries and others 
throughout the Department. So that is a tangible outcome of 
reporting directly to Secretary Austin and Deputy Secretary 
Hicks. Thank you.
    Mr. Connolly. And if I could freeze that clock for one 
second. And I would assume especially in DOD, who you report to 
matters because hierarchy matters.
    Mr. Sherman. It matters, sir, and I also get to attend the 
undersecretary's meeting since I was confirmed, which was not a 
historic CIO thing, so there has been quite a bit of movement 
on that front as well. Thanks.
    Mr. Connolly. Thank you. Mr. Shive?
    Mr. Shive. So I agree with everything that my colleagues 
said from EPA and DOD. One additional benefit is that being a 
part of the C-suite, being a part of the front office, I am a 
part of the discussions when the business leaders of GSA have a 
problem or ideating some new capability. I am a part of the 
solution and solution creation from the very beginning. And it 
is no surprise that here in the 21st century where technology 
is ubiquitous through the business enterprise in government and 
outside of government, that solutions to problems and 
technology solutions that support business that are baked in 
from the very beginning of the conversation provide the highest 
value.
    Mr. Connolly. I thank you, and I am going to call on the 
ranking member. But if you will allow me just an observation, 
when we wrote FITARA, looking at 24 Federal agencies, there 
were 250 people with the title ``CIO.'' That is almost unheard 
of.
    Eleanor, I think that is you. OK.
    And so, while we didn't, by fiat, in the legislation say, 
no, there is just going to be one CIO because we wanted to 
respect the culture, and we understand that every Federal 
agency--take the Pentagon--has multiple missions. We wanted to 
evolve to a primus inter pares, a first among equals, who 
reported to the boss, because we know that in any bureaucracy, 
private sector or public, if you report to the deputy 
assistant, special assistant widget director in the bowels of 
the basement, no one is going to take you seriously. We are 
going to say thank you for your opinion, and off we go.
    If I know you are meeting with the boss every day or every 
other day and you have got his or her ear, I got to take 
seriously everything you say to me. And so, I mean, that is 
just how org charts work in any organization. And I think Ms. 
Harris made that point, that why this is so important to us 
because we want to evolve to a structure that empowers CIOs, 
but also makes them accountable and gives them the flexibility 
and the responsibility to make decisions that are meaningful in 
terms of IT investments and modernization. So that was the 
whole thrust of this, and it is a category where we have made 
enormous progress. And hopefully, we will get to the point 
where 100 percent of agencies have this kind of reporting 
sequence because that elevates the whole issue of IT as the 
critical platform for implementing policies.
    And thank you, Mr. Hice, for your indulgence. I just wanted 
to clarify the contents of the law. I now call on the 
distinguished ranking member for his line of questioning.
    Mr. Hice. Thank you, sir. In my opening statement, I 
expressed concern with this Scorecard, particularly as it 
relates to the cyber metric. I think all of us share that 
concern. Ms. Harris, let me ask you, since this particular 
scenario that we are experiencing right now is based only on 
the IG assessment, can you help me better understand what is 
going into these grades coming from the IG?
    Ms. Harris. Right. So coming from the IG, they are taking a 
look at the maturity of a subset of assets within an 
organization. And so they are doing checks to identify things 
like detection, intrusion, recovery, and they are basing it 
against the maturity model to identify how well the agency is 
performing in those particular areas. And again, it is a subset 
of systems that the IGs are assessing, so it is not necessarily 
generalizable across the organization. So when you take a look 
at the IG assessments and the grades or the overall rating that 
is provided in those assessments, it is not considered 
comprehensive.
    Mr. Hice. So if it is not comprehensive, this is kind of 
like check the box are you secure, can you recover, or is there 
an actual audit, if you will, going into test the systems?
    Ms. Harris. I think it varies by IGs. Some where it is more 
check the box, others where it actually is an audit where they 
are testing the internal controls, but there is no real 
consistency across the IGs. And how this is----
    Mr. Hice. OK. Well, that is a huge area that needs to be 
addressed just from the IG perspective, and then we have a 
whole other missing element here today. So with that, why are 
so many agencies failing? If it is a check the box or whatever 
it may be, why do we have so many failing right now?
    Ms. Harris. Well, I think, again, because it is a subset. I 
wouldn't characterize it as an accurate reflection of the 
agencies' overall cyber posture. There are many other inputs 
that should be incorporated if you want to have a comprehensive 
overall grade of what an organization's cyber posture is.
    Mr. Hice. So is this current Scorecard then, as it relates 
to cyber, relatively worthless at this point?
    Ms. Harris. I wouldn't say it is worthless. It provides one 
input of many, so it is not an accurate representation.
    Mr. Hice. OK. Let's jump off of that then. I just have an 
example. DHS, I remember, received a D. There are a lot of 
people who feel like they ought to be more involved in a 
governmentwide Federal cybersecurity involvement. So when we 
look at a D with DHS, is it something that is a red flag? 
Should it cause a great deal of concern? Are you saying it 
doesn't reflect where they really are?
    Ms. Harris. Yes. In the case of DHS, I would not say that 
the D is an accurate reflection of where the Agency is with 
regard to their cyber posture. I mean, we recently issued work 
this January and DHS was among 12 agencies who successfully 
achieved 90 percent or higher progress toward their previously 
reported cybersecurity cap goals. And in addition to that, we 
have identified that they have incorporated adequate 
protections associated with their data itself, for the reviews 
that we have performed. So I think that last iteration of the 
Scorecard's grade of a B is probably more in line with where 
they are as opposed to the D because, again, the D is a 
reflection of just one metric.
    Mr. Hice. OK. Well, then that sounds like the Scorecard, as 
it relates to cyber, is pretty worthless at this point, at 
least as it relates to DHS. We see a D. How are we to assess 
where we are? Mr. Vaughn, let me just go jump over to you with 
a similar type of thing. EPA received a D. Is that an accurate 
reflection? Why or why not?
    Mr. Noga. Thank you for the question, Congressman. I don't 
believe it is an accurate reflection. Just like what was 
previously stated, the current score is based on one aspect, 
which is the IG assessment, and at the EPA, the IG only 
assesses to the 3 level. So right off the bat, we are not able 
to be assessed at any level higher than 3.
    Mr. Hice. But you still only received a 60 percent, even as 
it is, with the IG assessment?
    Mr. Noga. We received a Level 3, but they can only assess 
up to a Level 3. They didn't assess us any higher than a Level 
3. So if you are looking at a 1 to 3 score, we received the 
highest on their score based on what they could assess.
    Mr. Hice. The highest D you can get. Yes. I mean, this is 
extremely frustrating, Mr. Chairman. I know it is to you as 
well, but this issue has to be addressed or taken to the next 
level.
    Mr. Connolly. I completely agree with you. And I will say 
we had a very positive conversation with OMB yesterday in which 
they freely expressed contrition about not being forthcoming 
sooner on cyber data that would have allowed these scores to 
reflect hopefully more accurate data. But, Ms. Harris, I want 
to clarify something in your answer to Mr. Hice. The Scorecard 
isn't based on what we think or what we feel a sense of. It is 
based on empirical data provided to us. Is that not correct?
    Ms. Harris. That is correct.
    Mr. Connolly. And the scores that are reflected in this 
category reflect the data that was provided. And the only data 
that was provided, unfortunately, for some of these agencies 
getting those scores was from the IG. Is that correct?
    Ms. Harris. That is correct.
    Mr. Connolly. Right. And we didn't get the data we wanted 
from OMB. Is that correct?
    Ms. Harris. That is correct. Yes.
    Mr. Connolly. And my understanding, based on the 
conversation I had yesterday, Mr. Hice, with OMB is that will 
change. In the next Scorecard we will have their input, and 
that will allow us, I hope, to better capture what you are 
getting at in terms of real performance. But with respect to 
the Scorecard itself and the process, it is what it is because 
that is the only data we were provided in this category.
    Ms. Harris. Absolutely.
    Mr. Connolly. I thank----
    Mr. Hice. Mr. Chairman, may I ask a question?
    Mr. Connolly. Yes, of course.
    Mr. Hice. Regarding the meeting discussion you had with 
OMB, did they give a timeframe and when? Will they submit where 
they are when they give an answer to the committee on both 
sides? Do we have a timeframe on those?
    Mr. Connolly. I don't know that we had a timeframe other 
than a solid commitment ``we are going to fix this,'' and I 
will work with you obviously----
    Mr. Hice. Please do.
    Mr. Connolly [continuing]. and try to make sure we get more 
specific. They initiated this call because I think they noticed 
because they have been hearing. Exactly. Exactly.
    Mr. Hice. Thank you.
    Mr. Connolly. But it was a positive conversation. They 
weren't defensive. They recognized the problem, and that gave 
me some hope that OK, we can move on. So your point is well 
taken I think, Mr. Hice, that there is a problem with this 
particular score, but it is not because of the Scorecard. It is 
because of a decision made not to provide the data, and that 
forced us to use the only data we had, which was the IG data. 
Ms. Harris, did you want to----
    Ms. Harris. Oh no. I just wanted to----
    Mr. Connolly. You are agreeing with that?
    Ms. Harris. The grades are derived from the available 
sources of data----
    Mr. Connolly. Right.
    Ms. Harris [continuing]. that we have. And in this 
particular case, the IG assessments were the only available 
public source that we could use.
    Mr. Connolly. Correct. All right. So thank you, and thank 
you, Mr. Hice, for allowing me to clarify.
    The distinguished gentleman from Chicago, Illinois, Mr. 
Davis, is recognized for his line of questioning. Welcome, Mr. 
Davis.
    Mr. Davis. Well, thank you, Mr. Chairman, and thanks to our 
witnesses, for a very informative hearing.
    In 2014, FITARA directed Federal agencies to optimize and 
consolidate their data centers by October 1, 2018. Since then, 
the consolidation reporting requirement date has been extended 
twice. Agencies now have until October 1, 2022, to complete 
reporting on consolidation effort, and that date is almost 
here. Today, several agencies still have a closure plan beyond 
the end of Fiscal Year 2022. A Federal chief information 
officer must justify these timelines. Agencies cannot run out 
the clock on data center consolidation. Since 2015, the Federal 
Government has closed more than 4,000 data centers, saving over 
$4.7 billion to this day. I am proud and pleased that this 
subcommittee has led these efforts.
    Mr. Sherman, since FITARA's enactment, how many data centers 
had the Department of Defense closed, and how have these 
closures impacted your Agency's cybersecurity posture and your 
IT budget?
    Mr. Sherman. Sir, since this has been under way, we have 
closed over 230 data centers. And to meet the requirement we 
have 12 more to go, which we are going to be done with by the 
end of the year. The holdup has been moving to some secret-
level systems that we needed to get moved over, but all the 
unclassified, we are basically done with that. This has been 
one thing that, among a number, that we have been very grateful 
for FITARA to help drive the way ahead on that, to get us to 
where we need to be as we move to cloud-based technology.
    So I don't have the exact savings. I can take that for the 
record, but it has been substantial. And this has been one area 
where the Department of Defense has really tried to step out on 
as we moved from what we would call a capital expenditure 
model, being in a brick and mortar data center, to an 
operations expenditure model where we are paying as we go for 
cloud-based technology that necessarily strengthens our 
cybersecurity with the constant updates, and patching, and 
everything you get from a cloud-based infrastructure. This has 
helped us with our national security and helped us with our 
cybersecurity overall. Thank you.
    Mr. Davis. Thank you very much. And, Mr. Noga and Mr. 
Shive, why do you believe that you have closed the maximum 
amount of data centers for your agency and there must be a 
reason to keep the remaining Federal data centers open?
    Mr. Noga. Thank you for the question, Congressman. At EPA, 
we have got two data centers. We have closed several data 
centers over the course of the years. We have got a primary and 
a backup for those, the capabilities that needs to be remained 
on premise. But we have made a significant investment in cloud 
computing, and we have moved a lot of our applications into the 
cloud space. We have actually been doing a lot of that, 
especially over the last three years, migrating a lot of our 
workload to the cloud.
    Mr. Davis. Thank you very much. And, of course, this 
subcommittee is committed to conducting thorough oversight over 
Federal data center consolidation. As promised, we are 
sunsetting the old methodology and evolving it in the agencies' 
new completion of their consolidation efforts. Before this 
hearing, the subcommittee sent out letters to each agency to 
inquire if they had closed the maximum number of agencies. If 
this evolved metric agency will be graded on their 
communication with the subcommittee and their progress for 
solid data and data centers, will each of these CIOs commit to 
continuing to work with our subcommittee to maximize data 
center closures and cloud adoption efforts to pass the 14.0 
Scorecard evaluation?
    Mr. Shive. Yes.
    Mr. Connolly. Mr. Shive, why don't we begin with you?
    Mr. Shive. Great. Yes. So we commit to do so. We are very 
proud of our data center consolidation initiative. We have shut 
down all 134 of our data centers, and 74 percent of our 
workloads now exist in the cloud, with the remaining workloads 
on-prem, what we call colo data centers. We consume service 
from EPA and NASA. They had extra capacity that we could use, 
and so 100 percent of our data centers have been closed. But we 
will continue to work with the committee to provide whatever 
transparency needed into the value of that work that we 
accomplished.
    Mr. Connolly. And before I call on Mr. Keller, Ms. Harris, 
do you want to comment on that, the data center question Mr. 
Davis asked?
    Ms. Harris. Well, I think what these gentlemen have done 
has been tremendous.
    Mr. Connolly. Ms. Harris, it is hard to hear you.
    Ms. Harris. I am sorry. I did want to say that if there are 
agencies that still have on-premise data centers within the 
Federal Government that are managing either all or a good 
portion of their IT infrastructure, then they better have a 
really good reason as to why they are doing that and not taking 
advantage of the cloud and virtualization technologies 
available. What we want to see, the goal of every agency is to 
employ a hybrid model where at least some of their 
infrastructure is cloud based and then others are onsite. But 
for agencies to have, again, a large amount of their 
infrastructure being operated in data centers, that is a red 
flag.
    Mr. Connolly. And let me just say, that is one of the 
reasons we wrote every agency as we are retooling this category 
of the Scorecard. We didn't want to lose this metric that Mr. 
Davis is talking about. And that is why we wrote every agency 
saying, tell us how many you got and what your plans are as you 
move forward for consolidation and moving to the cloud. So we 
are going to continue to update that data base and work with 
you in making sure, as you said, they got a good reason to 
justify what they have got and what their plans are.
    The chair now recognizes distinguished gentleman from 
Pennsylvania, Mr. Keller, for his line of questioning. Welcome.
    Mr. Keller. Thank you, Chairman Connolly, Ranking Member 
Hice, and our witnesses for being here today, and, of course, 
this being the 14th hearing into the Federal Information 
Technology Acquisition Reform Act, or I will just say 
``FITARA.'' Through the FITARA Scorecard, this committee is 
tasked with overseeing the agencies' progress and optimizing 
data centers with the goal of increasing efficiency and cutting 
costs across the Federal Government. The thing I guess I would 
ask Ms. Harris, how effective is the FITARA Scorecard in 
providing Congress with an accurate picture of agencies' 
performance?
    Ms. Harris. You mean relative to data centers?
    Mr. Keller. Well, just in relative to----
    Mr. Connolly. Forgive me, Ms. Harris. You were asking about 
the whole posture?
    Mr. Keller. Yes. The whole IT posture, the whole----
    Ms. Harris. I mean, I think it is still generally an 
accurate reflection of where agencies are relative to the 
categories on the Scorecard. But I do believe that the 
Scorecard does need to evolve to ensure that it maintains its 
effectiveness as we look at new and emerging areas. I mean, 
legacy IT is one issue, for example, that could benefit from an 
addition on the Scorecard.
    Mr. Keller. I guess the question I would have, because then 
I heard, I believe, was Representative Hice asking, 
information, and you said, well, that one isn't really 
accurate. So how many of these on here aren't really accurate?
    Ms. Harris. I think that the challenge in this particular 
iteration on cyber, because there was only one metric available 
for us to utilize, I do believe that that is not an accurate 
reflection of where agencies are at with cyber, so I appreciate 
the clarification that you just made. But in all of the other 
areas, like incremental and portfolio stat, and, you know, 
incremental developments, those are an accurate reflection of 
where agencies are relative, again, to those particular areas 
of the law.
    Mr. Keller. OK. But you said the information technology on 
cybersecurity, whatever it was, was the one that wasn't 
accurate, right, because it didn't cover all the agencies' 
activity?
    Ms. Harris. I think that is fair because of the absence of 
cap goals that OMB did not issue as required by law.
    Mr. Keller. OK. So what is going to give us any comfort in 
the future that when we get information, it will be accurate 
for us to be able to make decisions based upon what the 
Scorecard is telling us?
    Ms. Harris. OMB needs to comply with the law and to issue 
the information that they are required to do so with regard to 
updated IG assessments as well as cap goals.
    Mr. Keller. So you are saying who is that, OMB?
    Ms. Harris. Correct. OMB needs to comply with the law and 
issue cap goal data.
    Mr. Keller. Well, how long have they not been complying 
with the law?
    Ms. Harris. Well, OMB should have issued the cap goal data, 
I believe, in this. They are about at least four months out in 
terms of issuing the overall status of cyber, which would have 
been the FISMA assessments. In particular, they are four months 
out from now.
    Mr. Keller. When we were first aware of the fact that they 
weren't obeying the law in providing the information? When we 
were first aware of that?
    Ms. Harris. We have known about this. We have an open 
recommendation for OMB to comply as of 2018, so we have been 
aware for multiple years, at least, in particular, as it 
relates to the FISMA overall report that should be issued every 
March. So since 2018, OMB has not issued that on time.
    Mr. Keller. See, what has given me some concern is if we 
are not making sure we have the data on this, it doesn't give 
me a lot of confidence on any of the other categories, quite 
frankly. I mean, I didn't say this stuff is inaccurate. That is 
something that has been said here today by people that are 
dealing with the information, and it just really concerns me 
that we have one area that is not accurate. What assurance can 
you give me that the other areas of the Scorecard are accurate?
    Ms. Harris. Well, we do our best to scrub the data, that 
there are inputs into the other categories, like incremental 
development, that is using the information that is current. So 
we are scrubbing all of the sources of data for every single 
category that is on the Scorecard, and what I can tell you 
today is the area of cybersecurity is the one area that we are 
missing crucial information that we have had in the past.
    Mr. Keller. Are there any other areas where you are missing 
crucial information?
    Ms. Harris. Not that I am aware of, no.
    Mr. Keller. OK. And I guess I would just like to make sure 
that we have the information that this Scorecard is complete, 
and that will be some work, I guess. I would just ask that we 
really work on this because, as with any performance, if you 
are telling me part of it is not accurate, it makes me question 
the whole report. I mean, anybody logically that has done 
anything, run a business, done anything, you want to make sure 
that you are making good decisions. And with that, I will yield 
back. Thank you.
    Mr. Connolly. I thank the gentleman, and I think maybe 
before you came, we did cover this. And I want to be real 
clear: the issue isn't the Scorecard. The issue is the data 
provided in order to have a score. So, you know, if you are in 
grad school and you don't turn in your term paper, you are 
going to either get an incomplete as your grade or you are 
going to fail. And one of the consequences unfortunately, for 
the lack of data from OMB was that we had to rely only on the 
IG data, which is not complete, and as a result, every agency 
took a hit in the score. But it wasn't because there is a flaw 
in the design of the Scorecard. It was because of the lack of 
compliance with the data from OMB.
    And as I indicated before you arrived Mr. Keller, we did 
have a conversation with OMB, a good one yesterday. They freely 
confessed our mess. ``We got to fix it.'' ``We will fix it.'' 
``We commit to fixing it.'' And just before, I think, you 
arrived, I said to Mr. Hice, he and I will work on setting 
deadlines for getting that data. So, in the 15th Scorecard, 
which will be this fall, we will have this data and a more 
accurate picture on that category.
    Mr. Keller. I appreciate that, and I like the fact that you 
are going to ask for a timeline and----
    Mr. Connolly. Oh yes.
    Mr. Keller [continuing]. and make them adhere to that 
because that is the most important thing that we need to be 
looking at, not that we just got a bunch of information, but it 
is timely and we can make decisions.
    Mr. Connolly. We would agree.
    Mr. Keller. Thank you.
    Mr. Connolly. We would agree. I don't see Ms. Brown, she 
went to the floor to give a speech, so the chair will now 
recognize himself briefly.
    Let me ask you, Ms. Harris, a different question. Overall, 
this Scorecard shows stagnation, and to what, overall, would 
you attribute that? Why is this Scorecard not showing kind of 
continued progression upwards that previous scorecards have 
shown?
    Ms. Harris. I think we need to change in some categories 
the metrics by which we score particular categories. So like 
incremental and the portfolio management categories, we are 
grading on a curve. That was appropriate early on in the 
beginning of FITARA to help these agencies give them a boost, 
but now they have matured in their processes in these areas. It 
is, in fact, disincentivizing them. So I wouldn't say it is 
real stagnation in those particular areas. We should do a 
better job of evolving. I shouldn't say ``better job,'' but we 
should be evolving the methodology commensurate with where 
agencies are at in their maturity in those areas.
    Mr. Connolly. Well, let me take issue with that a little 
bit. I mean, that is blaming the way we grade, and I am getting 
at, well, but there are basically 15 scores that didn't change. 
And only one A and a little bit of regression in some 
categories or some agencies that would suggest, you know, our 
foot is not on the gas pedal the way it had been in the past. 
We have had testimony from all of the CIOs, but including Mr. 
Shive, that actually the Scorecard has served a useful purpose, 
from his point of view, in driving change.
    So I guess I am skeptical that the answer is we need to 
update our methodology. I think I am concerned as a Member of 
Congress, as someone who wrote this bill, as somebody who came 
up with the idea of the Scorecard so we could try to measure 
progress, that in this particular case, we are not capturing 
the progress. We are not seeing the progress intended by the 
law, and I guess I am asking you to address that, because with 
respect to the Scorecard, it has evolved. We have made changes. 
We have taken into account other circumstances. We have had an 
iterative process with GAO, and with agencies, and with even 
the outside in terms of what is a fair score. We have tried to 
get cooperation, and by and large, have gotten it, except in 
the case of cyber within OMB this year. We have sunsetted some 
categories because we felt, OK, great job, well done, move on. 
Let's have a new category. We are trying to move toward 
capturing cyber as a critical part of the IT picture, of 
course.
    So I guess, going back to my question, I am asking you to 
address the issue of how is it that we arrived to the point 
where we didn't see the kind of progress previous Scorecards 
have shown or a more dramatic progress?
    Ms. Harris. Well, I think in some of these cases, in 
certain initiatives, the data center is the great example as 
well as software licensing where agencies have done a great job 
of fully implementing those areas. So like within the area of 
IT portfolio management, the way that it is applied in the 
Scorecard and in practice with the agencies, the focus is on 
commodity IT. And I think the agencies, these three in 
particular, have done a great job to identify a reduction in 
commodity IT. Where I think there are improvements that could 
be made is, for example, FITARA. In your great wisdom in 
crafting FITARA, the portfolio management process could be 
applied to legacy IT, for example, because today, we have just 
focused on commodity IT.
    Now, I think we can replicate that same success in the 
legacy IT management area because what the law will provide, if 
it is enacted properly, for legacy IT is it will have a 
systematic dialog between senior executive leaders in the 
agencies, and the Federal CIO, as well as Congress to identify 
the legacy IT systems in need of most attention. And perhaps 
one of the metrics that we could use on the Scorecard is to 
change it from measuring cost savings to measuring progress 
made in decommissioning these antiquated systems.
    Mr. Connolly. OK.
    Ms. Harris. That is one example where I think, you know, we 
have achieved success in certain respects of FITARA. But we 
should go further because you have made the law broad enough 
where we can apply these great management practices to other 
areas of IT, like legacy.
    Mr. Connolly. Well, we look forward to working with you, 
Ms. Harris, in incorporating that as we move forward because we 
want to make sure it is accurate, that it does capture where we 
are in the progress we have made or not. And again, the purpose 
is to try to update IT in the Federal Government so that it is 
better utilized and serves the people we all serve. So it is 
not to put a scarlet letter on anyone's back. It is actually to 
move forward with progress.
    And I found that heartening to hear from CIOs, and you are 
not the only CIOs we have heard about who have found both 
FITARA and the Scorecard useful tools inside the agency to push 
for that progress, and that is really a key part of what we are 
trying to do here. And I want to thank GAO for being a partner 
in this enterprise and helping us create the Scorecard and 
update it. And we will continue to work together to try to make 
sure it is as accurate a gauge as we can make it and reflects 
accurately where agencies are.
    The chair now recognizes the gentleman from Kansas, Mr. 
LaTurner, for his five minutes of questioning. Welcome.
    Mr. LaTurner. Thank you, Mr. Chairman. Ms. Harris, how are 
you today?
    Ms. Harris. I am well. Thank you, sir.
    Mr. LaTurner. Good. The Technology Modernization Fund was 
created to update legacy systems, though it does grant 
discretion in the types of IT projects eligible for funding. In 
light of notable cyberattacks over the past couple of years, do 
you think it is worth attaching more conditions to TMF funds to 
ensure they are used to update legacy systems or adding 
additional metrics to the FITARA Scorecard which would track 
the progress of updating legal systems?
    Ms. Harris. I think that is a great question. I think that 
agencies should be fully carrying out TMF as it was intended in 
the law, which is to address legacy issues. So I think that is 
the criteria that the Selection Board utilizes, that emphasis 
on legacy IT would be a great thing. I also think that agencies 
need to focus on the open recommendations that we have made in 
TMF relative to ensuring that they have reliable cost estimates 
for their projects, as well as reliable savings that they 
expect to achieve once those projects are fully deployed.
    Mr. LaTurner. Thank you. I appreciate that. I will stick 
with you if that is OK. FITARA is generally credited for 
helping agencies bolster their IT posture, in part because of 
this Committee's comprehensive oversight of the law in 
Scorecard. GAO continues to identify Federal IT security as a 
governmentwide, high-risk area. How do we change from holding 
congressional box-checking hearing exercises twice a year, 
which is a lot of what we have done, to doing something that is 
going to help Federal agencies and GAO by delisting Federal IT 
security from the high-risk list?
    Ms. Harris. A couple of things. I mean, we are working very 
closely with your staffs, too, as well as OMB and the agencies 
to identify information, both public and sensitive, that can be 
utilized to create a more comprehensive cyber grade, that is 
one. And then, No. 2, you know, we have work under way to 
identify and focus on the areas of, for example, continuous 
diagnostic monitoring, where we can focus on the enterprise-
wide tools that agencies should be utilizing to identify 
vulnerabilities. So we want to raise that bar for the agencies 
to ensure that they are taking advantage of these comprehensive 
enterprise tools.
    Mr. LaTurner. Thank you. For Mr. Noga, and Mr. Sherman, and 
Mr. Shive, in your opinion, is FITARA an effective tool in your 
effort to modernize Federal IT security? We would love your 
perspective. Let's start with Mr. Noga.
    Mr. Noga. Thank you for the question, Congressman. I do 
believe it is. Like I said in my opening, we look at FITARA. We 
look at where we have done well, and, quite frankly, we focus 
on where we have got room for improvement. So FITARA is an 
effective mechanism. I think we have heard that we would like 
to evolve the FITARA Scorecard. We would like to improve the 
measures, and that is one of the things that certainly the CIOs 
want to partner with this committee and GAO on as what does 
that look like.
    Mr. LaTurner. Same question for Mr. Sherman.
    Mr. Sherman. Yes, sir. It is an effective tool for us as 
well. But because cybersecurity is my top priorities, the 
Department of Defense CIO, we are already actively moving out 
with concepts of Zero Trust, getting after technical debt on 
our weapon systems, and securing the United States' defense 
industrial base of the 300,000 companies across this Nation 
that provides supply chain to the DOD. So FITARA helps push 
this along, but I can promise you this has already got a lot of 
wind in its sails because of what we faced with China, Russia, 
and other potential challenges, sir. Thank you.
    Mr. LaTurner. I appreciate that. And Mr. Shive?
    Mr. Shive. Thank you for the question. Yes, the FITARA has 
been eminently helpful to me as a CIO in a couple of ways. 
One, it allows us to narrow our focus on the things that really 
matter because I believe FITARA actually captures many of the 
things that really matter here in Federal Government and IT. 
But it has also been a super-valuable tool for me to focus 
conversation with a variety of stakeholders outside of my 
Agency and, specifically, inside of my Agency. It provides a 
recurring mechanism for focus to pivot back to IT for 
decisionmakers in my Agency, and they ask me about it. They ask 
me about why my scores are fluctuating the way they do. And it 
also generates the opportunity for discussion for them to say, 
what resources do we need to be able to continue to do well in 
this space.
    Mr. LaTurner. Let me stick with you. I don't have much time 
left, but are there any potential FITARA reforms that haven't 
been discussed?
    Mr. Shive. Yes. Yes. There is a fair number of discussions, 
both formally and informally: formally with staffers and 
informally with our partners at GAO about iterating the FITARA 
scoring to be reflective of modern agile, iterative IT.
    Mr. LaTurner. Real quick, Mr. Sherman?
    Mr. Connolly. And, Mr. LaTurner--sorry--I remember you have 
talked about shared expertise that you would like to see 
captured. Do you mind mentioning that?
    Mr. Shive. Yes. So everything we do here in government is 
funded by considerable taxpayer dollars. And one of the ways 
that we can extend the value of those investments that 
taxpayers make to us to provide good government service is to 
share everything that we do. That doesn't just mean code and 
configuration management scripts. It means playbooks, know-how, 
and knowledge. And the community envisioned by FITARA, if it is 
operating in its best self, would have those who do well in 
particular places share those learnings with agencies that are 
struggling.
    Mr. Connolly. The gentleman's time has expired, but if Mr. 
Sherman or Mr. Noga want to comment on that particular 
question, you are welcome to.
    Mr. Sherman. Just very briefly. Everything Mr. Shive said 
is spot on. I would argue that FITARA has been and remains a 
very valuable tool. But as things evolved as we move not only 
toward ensuring we are the best stewards of the taxpayer 
dollar, but modernizing and focusing on mission outcomes, in my 
case with the Department of Defense, we are postured against 
outpacing the challenge of China for areas like edge computing, 
capitalizing on commercial SATCOM, and having the very best 
cybersecurity. Areas beyond just savings, but mission outcome 
would be an area that we want to continue to inject into the 
discussion. Thank you.
    Mr. Noga. Certainly from EPA perspective, one of the things we 
have been focused on is optimizing and delivery of 
infrastructure services. And so I think, you know, there is an 
opportunity here to look at how we are doing that, how we will 
maximize the investment dollar across the Agency. And we have 
done that in the EPA where we look at where can we elevate 
these things that were once done at the component or bureau 
level to an enterprise-wide offering, right? How can we drive 
those efficiencies within the Agency? And that is something 
that we are distinctly focused on within EPA.
    Mr. LaTurner. Thank you for your indulgence, Mr. Chairman.
    Mr. Connolly. Yes, thank you Mr. LaTurner. And I would just 
say, before you came, I mean, you made reference to just 
checking the box. I hardly think the Scorecard is just checking 
the box because we heard testimony before that the savings 
directly attributable to this law is at least $24.8 billion. 
That is not checking a box. The fact that we have moved from 
fewer than half of CIOs reporting to the boss to 90 percent of 
CIOs reporting to the boss, empowering that CIO and having more 
accountability is also hardly checking the box.
    So I don't want this subcommittee to be selling itself 
short in terms of what, in fact, we have accomplished with not 
only a bill we passed in law, but in insisting on its 
implementation, and we will continue to remain flexible as that 
Scorecard evolves. But the end game here is, as Mr. Shive puts 
it, to find it a useful tool to move us forward in IT 
modernization and implementation in cyber protection. I thank 
my friend.
    The chair now recognizes the distinguished gentlelady from 
Ohio, Ms. Brown, for her line of questioning.
    Ms. Brown. Thank you, Chairman Connolly, for holding this 
important bipartisan hearing. One metric that the FITARA 
Scorecard measures is how agencies are transitioning off legacy 
telecommunication contracts that are out of date and will soon 
expire. If Federal agencies fail their transition to new 
telecom contracts, they will be unable to serve those who 
depend on agency services the most. You should see a graphic, 
and as it stands, only 14 out of 24 agencies are even 50 
percent of the way to a successful transition----
    [Chart]
    Ms. Brown [continuing]. a milestone originally set to be 
achieved by March 31, 2021. In fact, only four agencies have 
successfully hit the latest milestone of a 90-percent 
transition, which was on March 31, 2022. So my question Ms. 
Harris, if agencies fail to transition their legacy services by 
May 31, 2023, what consequences will there be for agencies and 
for customers?
    Ms. Harris. The immediate consequence is the potential 
disruption in service if any issues that result in transition 
delays occur. And this could be as a result of inadequate human 
resource outlays or the need to transition previously 
unidentified services. And let me say something about the 
latter. That is something that could very well happen because 
what we have found through our body of work in this area is 
that agencies don't have a very good comprehensive inventory of 
their telecommunication services. So as they are transitioning 
and moving those services onto the new contracts, they could 
identify services that they didn't even know they had, and that 
could incur a delay. And if there is a delay, then agencies 
will miss out on potential cost savings because the services 
that are provided on the legacy have higher rates than the ones 
on EIS. And in addition to that, they could be missing out on, 
you know, hundreds of millions of dollars in savings, as what 
happened in the previous transition.
    Ms. Brown. Thank you for that. Now, none of the agencies 
before have achieved the most recent transition milestone up to 
90 percent completion in 2022. And as of today, the DOD and EPA 
have 15 grades with GSA being slightly ahead with the DOD. The 
CIOs, why are your agencies struggling to meet these transition 
milestones?
    Mr. Noga. Thank you for the question, Congresswoman. I 
don't necessarily think the EPA is struggling to meet the 
milestone. Going back to the Scorecard and the visibility of 
the score, certainly it is a visual representation of where we 
need to focus. And I would say the EPA is very focused on 
ensuring that we migrate our telecommunications over to EIS. 
One of the things that we have done at the EPA since, you know, 
networks is we have consolidated how we deliver network 
services at the enterprise level, so we have a strong 
understanding of inventory. We have awarded a contract, and we 
are working with the carrier to migrate that, and so that is 
what is going on right now. We awarded the contract in December 
2021, and we are actively migrating services. And we feel very 
confident that we will migrate those services before the end of 
the contract.
    Ms. Brown. OK. I appreciate that. Please, go ahead.
    Mr. Sherman. I am sorry, ma'am. I am John Sherman here from 
DOD. I would echo what Mr. Noga said. On the Department of 
Defense side, part of it is our scale at the $4 million plus 
size enterprise and the inherent number of contracts we have 
moving out with alacrity to get after this. But I can commit to 
you, Congresswoman, this has my undivided attention. Checking 
with my team, we are going to be at 80 percent by later this 
year and 100 percent by next spring to round up all the 
contracts we have and get onto the new GSA platform for that. 
So this has our attention, ma'am. Thank you.
    Ms. Brown. Thank you.
    Mr. Shive. Thank you for the question. Oh, go ahead.
    Ms. Brown. No. You go ahead, please. Thank you.
    Mr. Shive. Sorry. Thank you for the question. In GSA's 
instance, the way things are measured don't give a particularly 
accurate representation of where we are. The way that the 
measures are designed is when you decommission a circuit and 
move to a new circuit or a new line, that increases your 
percentage of success. And at GSA, we did a lot of the work to 
transform from line-based communications technologies to 
digital voice over IP technology 7 or 8 years ago, and as we 
implement EIS now, we are using it more as a transformation 
play. So the number of circuits that we are moving is a much 
smaller denominator in that calculus.
    The second most part is because we are using it as a 
transformation play, the vast majority of the work in the 
beginning is done in a planning state phase. And when we go to 
implement, it literally will flip overnight. Massive numbers of 
our lines that are measured will go from decommissioned to 
commissioned on the new platform. So it is really a flip-the-
switch type of model. And so what you are seeing now is 
representative of a lot of our planning work ahead of that 
transformation play.
    Mr. Connolly. Thank you. And thank you, Ms. Brown. The 
gentleman from Georgia, Mr. Clyde, is recognized for his line 
of questioning.
    Mr. Clyde. Thank you, Mr. Chairman. An important part of 
this committee and its actual role is government reform and 
oversight, even though my colleagues on the other side have had 
the term ``government'' removed from its name. The key part of 
this is FITARA, which is why we are here today. The Federal 
Data Center Consolidation Category was initially created to 
optimize the use of data centers and cut costs, but it is 
unclear how much potential remains in this initiative today. 
The government should not be wasting time, or effort, or tax 
dollars. And while we are in this hearing, an important aspect 
as the committee charged with government oversight and reform 
is determining the effectiveness of FITARA and the way, in 
practice, that it is actually operating. I was in another 
office, so this was one of the concerns of mine.
    Ms. Carol Harris, the FITARA Scorecard is supposed to grade 
agencies on their implementation of the provisions of the 
FITARA Law, but the current Scorecard includes some categories 
that were not in the law. Has the addition over the years of 
non-FITARA related categories to the Scorecard made it more or 
less effective in serving its intended purpose?
    Ms. Harris. I think the addition of the other categories 
relative to MGT and other statutes has enhanced the Scorecard. 
I also think that, I mean, the fact that the Scorecard 
categories relative to FITARA are still in there has given a 
focus, as these gentlemen have talked about, in agencies' 
operations and their focus areas, what should be the priority. 
So I do think that it has been an overall very positive benefit 
to the implementation of the law using the Scorecard as a means 
for oversight.
    Mr. Clyde. OK. All right. Now, those additional categories 
would incur additional costs, right?
    Ms. Harris. I don't believe it is incurring additional 
costs. I mean, we utilize data that is publicly available and 
it is data that would have been, you know, submitted 
regardless, so we are utilizing what is available today for 
these other areas. And so I think the net benefit has been, you 
know, has been the implementation of both FITARA as well as the 
other statutes that the other categories are hinged upon.
    Mr. Clyde. OK. All right. Well now, I have a question for 
each of you, and we will start over here on this end. Can you 
provide a rough estimate of the resources required for each of 
your representative agencies to put together the data feeding 
into the Scorecard?
    Mr. Noga. Thank you very much for that question, 
Congressman. I would have to get back to you on that, on the 
rough----
    Mr. Clyde. OK.
    Mr. Noga [continuing]. estimate on what it would take to.
    Mr. Clyde. So you can't give me an estimate of what you 
think it actually costs you to comply with this?
    Mr. Noga. Not at this time, sir.
    Mr. Clyde. OK. Now, Mr. Sherman?
    Mr. Sherman. I would have to take it for the record to get 
the exact amount. I would just say, though, what FITARA 
embodies is part of our normal job with the Department of 
Defense, so both drive out efficiencies and modernize. So it 
would be kind of marbleized in the rest of what we are just 
doing as CIO, but we would have to take for the record for the 
exact amount, sir.
    Mr. Clyde. OK. All right. Mr. Shive?
    Mr. Shive. My answer is actually quite similar to Mr. 
Sherman's. The IT shop that is doing its job well, measures its 
performance across multiple spectrum, and most of those are 
already captured in the creation of FITARA. I would say my 
estimate was it is a de minimis amount. We are already 
capturing this data, putting it into a format that we can, you 
know, share out on public forums, which is always the right 
thing to do. It is a de minimis.
    Mr. Clyde. OK. Ms. Harris, do you agree? All right.
    Ms. Harris. Sorry. I do agree.
    Mr. Clyde. Looking at the final product in the overall 
grade, you consider this Scorecard to be an accurate reflection 
of your agencies' posture in the various categories?
    Mr. Connolly. Somebody needs to mute. I think that is you, 
Mr. Khanna. I am sorry. Mr. Clyde, to whom was your question?
    Mr. Noga. Thank you for the question, Mr. Congressman. OK. 
So we have talked about cybersecurity, I would say, of the 
areas of the Scorecard. Certainly it is not an accurate 
reflection, in my view, of our posture relative to 
cybersecurity. We have actually spent a lot of time and focused 
energy on improving cyber across the Agency, and we have done 
so, you know, since the start of the pandemic. The pandemic 
really forced us to rethink how we are, you know, managing our 
ITSS remotely, how we are protecting them, how we are securing, 
how we are patching them. So I don't necessarily think it is an 
accurate reflection, but we talked about that that it is just 
one perspective, which is the IG assessment, and so that is 
where my position is on that, sir.
    Mr. Clyde. OK. Go ahead, Mr. Sherman.
    Mr. Sherman. Sir, with respect to FITARA and the value it 
has brought to us, I do not believe, particularly the FITARA 
14.0 we are on, is an accurate reflection of the Department of 
Defense. It is pushing us in the right direction on a number of 
things, like to transition to the telecom contract. But if we 
look across the board of what we are doing to modernize for our 
warfighting mission, we are not accurately capturing what we 
are doing on there. And indeed, some of the metrics are with 
kind of an absolutist, either we have moved or not, is not 
accurate for an enterprise the size of the Department of 
Defense. We are better than the D plus we have on the Scorecard 
right now in terms of supporting our women and men in uniform, 
sir.
    Mr. Clyde. OK. Fair enough. Mr. Shive?
    Mr. Shive. Yes, thank you. The FITARA notational is 
notionally correct in assessing the status of an organization. 
Earlier in the hearing, we talked about how FITARA has iterated 
in response to changing business priorities, changing 
technology priorities. Part of iteration is there is a 
separation and a gap sometimes, as you change the measures, to 
be responsive to changes in those business or technology 
priorities or strategies, and so you see these blips. But 
notionally, it is notionally correct, in my opinion.
    Mr. Clyde. Thank you, and thank you, Mr. Chairman, for 
yielding.
    Mr. Connolly. Thank you. Thank you, Mr. Clyde. The chair 
now recognizes the gentleman from California, Mr. Khanna, for 
his line of questioning. Welcome.
    Mr. Khanna. Thank you, Mr. Chair. Thank you for your 
incredible leadership on these issues. No one has done more in 
modernizing our Federal Government than you have, Chair 
Connolly. I am introducing a bill to develop a pilot program 
that enhances our government's use of metadata, not just in one 
agency, but across government. We must rethink and invest in 
whole-of-government approaches that promote collaboration 
across agencies and then prompt us to work together to fight 
America's adversaries.
    Let me ask Mr. Shive and Mr. Noga, as you know, OMB's memo 
related to improving response to cyber incidents, M-21-31 
guidance implementation of logging, log retention, and log 
management with the focus on ensuring centralized access and 
visibility into agency cybersecurity. How would metadata 
regarding network traffic assist you in achieving your 
responsibilities under this OMB memo?
    Mr. Shive. So it is critically important in prosecuting 
good defensive posture here in the Federal Government. 
Capturing data and knowing things that exist within that data 
is critically important. But if we are going to use the best, 
most practical tools, including machine learning and 
augmentation like AI, we have to have that captured metadata to 
be able to apply those forward-leaning tools to those datasets.
    Mr. Khanna. Thank you. Mr. Noga?
    Mr. Noga. Thank you for the question, Congressman. I 
totally agree with Mr. Shive. You know, I think it is 
invaluable to make sure that we collect all data as we start 
looking at how we can better improve and protect our IT assets 
and infrastructure.
    Mr. Khanna. Thank you both. So I look forward to working 
with both of you on this legislation on the use of metadata. In 
2018, I worked with Chair Connolly and many of the colleagues 
on this committee to pass the 21st Century IDEA Act. However, 
since the passage of this important measure, the executive has 
been struggling to implement some of the reforms we have worked 
so hard to codify, and we have been working very constructively 
with the committee here to see if we can have a Federal CXO 
officer or an equivalent. Do you think that a Federal CXO 
officer or equivalent would increase the chances of success of 
ongoing future initiatives, and if so, why? And any of the 
witnesses can answer.
    Mr. Noga. Thank you very much for the question, 
Congressman. I really can't speak to the Federal CXO, but I can 
speak to the EPA. And one of the things that we have actually 
prioritized is customer experience, and what we have been 
looking at is certainly internal. What is the customer 
experience to our internal employees? And I naturally think 
that extends out.
    Mr. Khanna. So you would be supportive of some kind of 
Federal CXO?
    Mr. Noga. Congressman, I guess I would have to see exactly 
what we are talking about.
    Mr. Khanna. Sure.
    Mr. Noga. I am certainly supportive of customer experience 
and improving that.
    Mr. Khanna. All right. Any other folks on the panel who 
would be supportive of the Federal CXO or some equivalent, or 
interested in working on that kind of legislation?
    Ms. Harris. Sir, we currently have work that we will be 
starting very soon on customer experience and the 
implementation of both the law and the executive order, and 
that work will be starting by this fall. And so we are happy to 
collaborate and work with your office to share with you, you 
know, the details of what we are finding relative to that 
implementation and certainly work with you to identify ways to 
better implement the laws around CX as well as the executive 
order. And if a Federal CX officer would help promote and 
better enable the agencies to execute the laws, then that is 
something that we are happy to work with you on.
    Mr. Khanna. Wonderful. Well, I appreciate that. And Mr. 
Shive, I know GSA has its own internal office of customer 
experience. Has that been successful, and do you think similar 
initiatives that other agencies would help if we sort of 
Federalize an officer?
    Mr. Shive. Yes. The position has been wildly effective at 
not only helping GSA operate more effectively internally, 
providing internal services, but also that has been extensible 
out into the service that we provide. Regarding a Federal CXO, 
there is probably some value in something like that, that the 
need for us to present our government services to the citizens 
we serve in a holistic manner that provides value to them is 
paramount. And having somebody that is their primary focus who 
can look across agency boundaries, agency individual 
appropriations, and serve in the best interest of the citizen, 
the person that we are all serving in this community, is 
probably a good idea.
    Mr. Khanna. Thank you. Thank you, Mr. Chairman. Thank you 
to you for your leadership to your staff, and I look forward to 
continuing to work with them on the metadata bill and something 
on customer experience. They have been fantastic, as always, to 
work with and really appreciate your leadership and your 
staff's leadership.
    Mr. Connolly. Thank you so much, Mr. Khanna. Thank you for 
your kind remarks, and thank you for your legislative 
initiatives. We look forward to working with you.
    Before I adjourn this hearing, I want to thank our 
panelists. Mr. Sherman, I took note of your remarks, and I am 
not unsympathetic to the fact that when we give a grade, it 
doesn't always capture the gray areas, and sometimes it doesn't 
even capture the essence of what is happening, but it is a shot 
at a moment in time. And to be honest with you, the Pentagon 
often, not you personally, but often kind of sets itself as 
unique, you know, whether it is procurement of off-the-shelf 
items and being on the normal list of procurement, whether it 
is a fiscal unqualified audit. It is the only agency of the 
government that doesn't have one.
    And, frankly, when we began this effort on IT because, you 
know, not everything is unique to the Pentagon, and so trying 
to make progress even there. And when we wrote FITARA, we were 
very careful so that we didn't get into jurisdictional issues 
here in Congress with the Armed Services Committee. So we were 
a little kind of light on the Pentagon. But I found your 
testimony today heartening because you are making strides in 
complying with FITARA and in seeing the value of the goals we 
set. And so, I thank you for that and congratulate you for 
that, and we look forward to continuing to work with you and 
the Pentagon, particularly.
    And, Ms. Harris, I want to thank you as GAO was a partner. 
FITARA grew out of the fact that GAO in its high-risk list 
every year identified IT, and we decided to do something about 
it. And I partnered with the then chairman of this committee, 
Darrell Issa. We are an unlikely pair to partner, but we did 
because we both had a commitment to this subject, and it has 
been bipartisan since day one and has stayed that way: Mark 
Meadows, Will Hurd, Robin Kelly, now Jody Hice, Mr. Comer, and 
so many others, and of course, for the full support of our 
chairperson, Carolyn Maloney.
    So we are going to continue to try to make progress. We 
want your input to make sure that that Scorecard serves your 
needs but also captures progress. We will fix the cyber problem 
that we have been talking about today. As I said, heartened by 
a conversation we had yesterday, I want to be committed to 
doing that. So I think we are all going to be operating from 
the same page as we move forward, and Ms. Harris, she will make 
sure we do.
    And again, I want to thank everybody for participating 
today. I want to thank my staff. This is the 14th oversight 
hearing, and as this hearing has documented, we have made a lot 
of progress, but we don't want to let up on that because IT is 
an ever-evolving subject. The challenges and the potential are 
also ever evolving. We know that we are under attack from 
malign actors, both domestic and foreign, who would compromise 
databases, would steal intellectual property, would try to 
disrupt operations, especially in the security area, but we 
know in the civilian sector as well. So this isn't just a nice 
academic subject that has no headlines to it. It is vital to 
the operations of government. So thank you so much.
    And everyone has five days in which to submit additional 
questions, and we would ask our witnesses, should we give you 
written questions through the chair, if you could answer them 
as expeditiously as possible.
    Mr. Connolly. And again, I thank you all for participating 
today, and I thank my colleagues for thoughtful questioning.
    We are adjourned.
    [Whereupon, at 10:47 a.m., the subcommittee was adjourned.]