[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                      PROJECT FEDERAL INFORMATION
                        TECHNOLOGY: MAKE IT WORK

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 OF THE

                   COMMITTEE ON OVERSIGHT AND REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 16, 2022

                               __________

                           Serial No. 117-103

                               __________

      Printed for the use of the Committee on Oversight and Reform
      


                       Available at: govinfo.gov,
                         oversight.house.gov or
                             docs.house.gov
                             
                                __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
48-613 PDF                 WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------                              
                             
                             
                   COMMITTEE ON OVERSIGHT AND REFORM

                CAROLYN B. MALONEY, New York, Chairwoman

Eleanor Holmes Norton, District of   James Comer, Kentucky, Ranking 
    Columbia                             Minority Member
Stephen F. Lynch, Massachusetts      Jim Jordan, Ohio
Jim Cooper, Tennessee                Virginia Foxx, North Carolina
Gerald E. Connolly, Virginia         Jody B. Hice, Georgia
Raja Krishnamoorthi, Illinois        Glenn Grothman, Wisconsin
Jamie Raskin, Maryland               Michael Cloud, Texas
Ro Khanna, California                Bob Gibbs, Ohio
Kweisi Mfume, Maryland               Clay Higgins, Louisiana
Alexandria Ocasio-Cortez, New York   Ralph Norman, South Carolina
Rashida Tlaib, Michigan              Pete Sessions, Texas
Katie Porter, California             Fred Keller, Pennsylvania
Cori Bush, Missouri                  Andy Biggs, Arizona
Shontel M. Brown, Ohio               Andrew Clyde, Georgia
Danny K. Davis, Illinois             Nancy Mace, South Carolina
Debbie Wasserman Schultz, Florida    Scott Franklin, Florida
Peter Welch, Vermont                 Jake LaTurner, Kansas
Henry C. ``Hank'' Johnson, Jr.,      Pat Fallon, Texas
    Georgia                          Yvette Herrell, New Mexico
John P. Sarbanes, Maryland           Byron Donalds, Florida
Jackie Speier, California            Mike Flood, Nebraska
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Mark DeSaulnier, California
Jimmy Gomez, California
Ayanna Pressley, Massachusetts

                     Russell Anello, Staff Director
  Wendy Ginsberg, Subcommittee on Government Operations Staff Director
                    Amy Stratton, Deputy Chief Clerk

                      Contact Number: 202-225-5051

                  Mark Marin, Minority Staff Director
                                 ------                                

                 Subcommittee on Government Operations

                 Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of   Jody B. Hice, Georgia, Ranking 
    Columbia                             Minority Member
Danny K. Davis, Illinois             Fred Keller, Pennsylvania
John P. Sarbanes, Maryland           Andrew Clyde, Georgia
Brenda L. Lawrence, Michigan         Andy Biggs, Arizona
Stephen F. Lynch, Massachusetts      Nancy Mace, South Carolina
Jamie Raskin, Maryland               Jake LaTurner, Kansas
Ro Khanna, California                Yvette Herrell, New Mexico
Katie Porter, California
Shontel M. Brown, Ohio
                         
                         C  O  N  T  E  N  T  S

                              ----------                              

Hearing held on September 16, 2022

                                Witness

Clare Martorana, Federal Chief Information Officer, Office of 
  Management and Budget
Oral Statement

Written opening statements and the statement for the witness are 
  available on the U.S. House of Representatives Document 
  Repository at: docs.house.gov.

                           Index of Documents

                              ----------                              


  * Six OMB memos regarding cybersecurity; submitted by Rep. 
  Connolly.

  * GAO guidance regarding reimbursement; submitted by Rep. 
  Connolly.

  * Questions for the Record: to Ms. Martorana; submitted by Rep. 
  Hice.

  * Questions for the Record: to Ms. Martorana; submitted by Rep. 
  Brown.

The documents are available at: docs.house.gov.

 
                      PROJECT FEDERAL INFORMATION
                        TECHNOLOGY: MAKE IT WORK

                              ----------                              


                       Friday, September 16, 2022

                   House of Representatives
                  Committee on Oversight and Reform
                      Subcommittee on Government Operations
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 9:07 a.m., in 
room 2154, Rayburn House Office Building, and via Zoom; Hon. 
Gerald E. Connolly (chairman of the subcommittee) presiding.
    Present: Representatives Connolly, Norton, Lynch, Khanna, 
and Hice.
    Mr. Connolly. The hearing will come to order.
    This June, the Office of the Federal Chief Information 
Officer, led by today's witness, Clare Martorana, published the 
Information Technology Operating Plan. This plan outlined the 
Office of Management and Budget's strategy to maximize the 
impact of Federal IT funds.
    As someone who's dedicated decades to championing IT 
modernization across both the private and public sectors, I was 
heartened to see the plan encompass many of the long-range 
priorities of this subcommittee.
    During our tenure, we've held 14 hearings, released 14 
scorecards, grading agencies' implementation of the Federal 
Information Technology Acquisition Reform Act.
    FITARA promotes proper IT practices across Federal 
agencies. Every scorecard iteration reflects contemporary 
shifts within the IT landscape, evolving as needed with changes 
in modernization and cybersecurity best practices to hold 
agencies' CIOs accountable for ensuring proper IT postures.
    Since the scorecard's inception, agencies have saved an 
estimated, according to GAO, $29 billion. There aren't many 
bills that can claim that.
    Similarly, the Federal Chief Information Officer's new 
technology plan provides a solid roadmap to continue the vital 
work of improving our Federal IT systems to better serve our 
constituents.
    Today, we will hear the Federal CIO present her vision for 
the future of Federal IT.
    This moment is a crossroads in how government operates. The 
pandemic fundamentally changed what people expect from their 
government and how they access programs, information, resources 
from it. We do not want to lose any lessons learned, and we 
want to empower Federal CIOs to scale IT solutions that, in 
fact, work.
    Today we will explore in-depth the Federal CIO's four IT 
focus areas: cybersecurity, IT modernization, digital-first 
customer experience, and the use of data as a strategic asset.
    I'm pleased that cybersecurity remains a top priority for 
the Biden administration. In 2020, the SolarWinds' supply chain 
cyber-attack blindsided top security experts across the world. 
This attack catalyzed the reevaluation and modernization of 
our Nation's cybersecurity strategy.
    Since that attack, OMB has reengineered a new risk-based 
cybersecurity regime using new metrics to measure and assess 
Federal agencies' cyber posture. In December 2021, OMB shifted 
government toward a zero-trust architecture, focused on ground 
truth testing, observable security outcomes, and automation.
    Today we'll hear a lot more about the work OMB has done to 
change the culture of Federal IT, and we're eager to dig into 
their recently released memorandum on enhancing the security of 
the software supply chain through secure software development 
practices.
    We'll also discuss how the subcommittee can work with OMB 
to ensure that we have publicly available data for the FITARA 
scorecard, holding CIOs accountable, and empowering them to 
implement cybersecurity lessons.
    Additionally, as co-chair of the IT Modernization Caucus, I 
am quite familiar with the problems caused by agencies' failure 
to modernize. A GAO report found that, quote, ``The 
consequences of not updating legacy systems have contributed 
to, among other things, security risks, unmet mission needs, 
staffing issues, and increased costs,'' unquote.
    Successful modernization demands constant action and nimble 
solutions that keep pace with rapidly shifting IT ecosystems. 
I'm proud to have helped successfully secure, for example, a 
revolutionary $1 billion for the Technology Modernization Fund. 
The TMF reimagined the way agencies could receive financing, 
offering opportunities outside of the traditional 
appropriations process, facilitating long-term planning, and 
providing expert assistance. To date, the fund has awarded, I 
believe, almost $600 million to 28 unclassified projects across 
17 Federal agencies.
    Despite the massive investment, agencies need more. At our 
May hearing with TMF's executive director, she noted that 60 
agencies have applied for over 130 projects, totaling $2.5 
billion in prospective funding, more than double what was 
provided by Congress. We must continue to support this fund and 
seed agency efforts to ensure that their IT systems are 
prepared.
    I also want to highlight the Biden administration's 
executive order focused on improving Federal service delivering 
customer experience. These combined factors are key to 
rebuilding the public's trust in the government and preserving 
our democracy.
    The Federal CIO has told this committee in previous 
hearings that improving customer experience is their passion. 
We aim to find ways to jointly hold agencies accountable for 
making it easier for all people to interact with their Federal 
Government through user-friendly websites and careful attention 
to accessibility.
    Every day, people transition seamlessly between the digital 
and physical worlds. The pandemic pushed more of us to telework 
from home, scan a QR code, or order dinner at a restaurant, or 
zoom with loved ones, or even with your colleagues here in 
Congress, also loved ones.
    In the same way we depend on technology to serve the 
public, serving the public well depends on data. Data ensures 
that only those who qualify for Federal benefits can access 
them. Data helps agencies create hiring strategies to get the 
talent they need to serve the American public. Data helps 
agencies prioritize IT investments and finds ways to share 
services across Federal agencies.
    Today we're interested to hear from Ms. Martorana on how 
government can maximize both cost savings and better service 
delivery. I will also seek to find opportunities for the 
subcommittee to continue to work with the Biden administration 
to ensure that our government is meeting this pivotal 
technology moment.
    With that, the chair recognizes the ranking member, Mr. 
Hice of Georgia, for his opening statement.
    Mr. Hice.
    Mr. Hice. Thank you very much, Mr. Connolly, Chairman. I 
appreciate you calling this hearing. I must say you look good 
there in the hearing room. I wish I was able to join you in 
person, but I've got a full day here in the district after this 
hearing. But I do thank you for calling this--this hearing 
today.
    As I've said to you before, I really appreciate your 
insistence on bringing Biden administration witnesses before 
us. So, I appreciate that as well.
    And, Ms. Martorana, I appreciate you being here today, and 
sincerely express to you my condolences for the loss in your 
family, for not being able to join us in July. I hope you and 
the rest of your family are doing well as you deal with the 
grief of a loss like that.
    But as we gather here today, none of us can understate the 
importance of Federal information technology. We all know that 
it's critical, and I cannot think of any aspect of our 
government that does not rely on information technology to 
deliver services and the jobs that they are called to do.
    There's an underlying assumption that the vast amounts of 
funding somewhere in the neighborhood of $100 billion a year 
will somehow deliver the intended results. But in my time in 
Congress at least, and certainly during my time as ranking 
member of this subcommittee, I've learned that it's probably 
not wise to make that assumption.
    Our hearings just, for example, with the IRS have shown 
that simply spending billions and billions of dollars and then 
waiting decades does not mean that agencies will get their IT 
house in order.
    And while my Democratic colleagues claim the source of the 
problem is lack of funding, I, quite frankly, reject that 
premise. Simply pouring more money into a black hole is not a 
solution. What we need is solid oversight that is backed by 
reliable information in order to determine the true state of 
our Federal IT, to determine whether Federal IT projects are 
delivered on time and on budget. All of that requires 
oversight. It requires accountability. Whether IT projects 
deliver the intended results and whether Federal systems and 
networks are secure. I am far from convinced that all of this 
is taking place.
    In today's hearing, I'm eager to learn more about what 
exactly we do know about Federal IT and what ability the 
Federal CIO has to drive behavior and improvement. That's a 
question that we should know but, frankly, I don't know. So, I 
want to have that answer today.
    I also want to voice my concerns about what seems to be a 
pattern from this administration to ignore the law and the 
clear intent of Congress. The law requires OMB to develop 
management goals, the cross-agency priorities, or the CAP 
goals.
    Congress wanted a long-term management blueprint from each 
administration for improvement and reform. These not only 
should help improve agency performance, but give us here who 
are, in essence, the de facto board of directors of the Federal 
Government, a map for effective oversight. Yet the Biden 
administration has ignored this requirement.
    The CAP goals were due in February of this year, but it 
didn't happen. And at least I'm not aware of any discussion of 
this matter between the administration and this committee. I'm 
not aware of any request for an extension. They just simply did 
not do what the law requires. And, frankly, this directly 
impacted the last FITARA scorecard on perhaps the single most 
important issue and category, and that is cybersecurity.
    So, look, the administration simply cannot comply with the 
law when they want to and ignore it when they want to. There 
must be accountability.
    And with respect to the Technology Modernization Fund, this 
administration is ignoring the intent of the underlying 
Modernization Government Act. The focus of the TMF and the 
broader MGT, as we'll call it, was to modernize government IT 
systems. That meant doing away with the types of ancient 
systems that still run and--too many of our vital government 
programs. In addition, the tenet of the TMF was that it would 
create an efficient cycle.
    So, to paraphrase none other than Democratic Leader Steny 
Hoyer, agencies were to reimburse the fund ideally through 
these savings that were gained from doing away with costly 
legacy systems. But the Biden administration has opted for 
partial or even minimal reimbursements. I want to know why.
    It's also emphasizing cybersecurity and customer experience 
projects, which in and of themselves are fine, but doing so 
rather than retiring old systems.
    Taken together, even if the law requires these practices, 
again, it's not that these practices in and of themselves are 
bad, but it simply and clearly is not the intent of Congress. 
So, why is the administration doing this? We need answers.
    Does the savings-based model of the TMF not work or is it 
simply inconvenient? This committee needs to know.
    And what progress is being made to retire legacy systems? 
Is there even a definition of what a legacy system is?
    Do we know how well the billions of IT funding are being 
used?
    Is the Federal IT dashboard, which is supposed to give us 
the answer, is it at all reliable?
    Where does the underlying data come from? Is it even 
accurate data?
    Are requirements and definitions uniform? If not, what 
would it take for this to be the case?
    Finally, what ability does the Federal CIO have to drive 
and produce better practices?
    The title sounds lofty, indeed, but the GAO notes in a new 
report that the Federal CIO position was never even established 
in statute. The first reference of a Federal CIO came in a 
press release, the actual role of the administrator of the 
Office of E-Government.
    So, regardless of the title of the Federal CIO, certainly 
it would suggest the ability to direct agency CIOs and take a 
leading role. So, I want to know: Is that the case? Do you have 
that kind of authority?
    If Congress attempts to hold the agency CIOs accountable, 
as we do through the FITARA scorecard, then should we not also 
hold the Federal CIO accountable? But if we do, for what are we 
holding that position accountable? We don't even have a job 
description.
    So, I'm eager to have these questions answered today and in 
future conversations.
    Again, Chairman Connolly, I want to thank you for holding 
this hearing. And, with that, I yield back.
    Mr. Connolly. Thank you, Mr. Hice.
    And you've raised some really good questions. And I saw our 
witness shaking her head ``yes'' to some of what you were 
saying, so I look forward to getting some answers to those as 
well, and that's why we're having the hearing today. And I 
thank Ms. Martorana for joining us.
    So, we do have one witness, Clare Martorana, who currently 
serves as the Chief Information Officer of the Federal 
Government.
    I would ask--Ms. Martorana, it is our habit, our practice, 
to swear in all witnesses before this committee--if you would 
rise and raise your right hand.
    Do you swear to affirm that the testimony you're about to 
give is the truth, the whole truth, and nothing but the truth, 
so help you God?
    Ms. Martorana. I do.
    Mr. Connolly. Let the record show the witness answered in 
the affirmative. And I thank you so much.
    With that, you are invited to provide us with a five-minute 
summary of your testimony. And, of course, your full statement 
will be entered into the record.
    Welcome.

    STATEMENT OF CLARE MARTORANA, FEDERAL CHIEF INFORMATION 
            OFFICER, OFFICE OF MANAGEMENT AND BUDGET

    Ms. Martorana. Chairman Connolly, Ranking Member Hice, and 
members of the subcommittee, thank you so much for the 
invitation to testify about the state of Federal IT and to 
update you on our progress to highlight where we're heading.
    The President believes the government needs to deliver for 
all Americans, your constituents, and I do too. It's technology 
that powers our ability to deliver on this promise.
    Through the work of this subcommittee, you've provided 
consistent bipartisan support of IT modernization, reducing 
wasteful spending, and improving project outcomes. You've 
advocated for Federal CIOs to have a seat at the table. Now we 
need to give them a voice upstream in the decision-making 
process to ensure agencies are making the right IT investments 
at the right time, to ensure--to have a simple, seamless, and 
secure customer experience.
    Over the past two years, customer expectations have risen 
to new levels, as the chairman mentioned in his opening 
statement. We must keep pace and accelerate even faster. We can 
deliver as a government on par with our favorite consumer 
brands. By delivering products and services incrementally, with 
the right technologists and senior level support, it's not only 
possible, it's happening today in the Federal Government.
    Veterans can schedule appointments, refill a prescription, 
get push notifications for their claims and appeals with VA's 
new mobile app. And that new mobile app has a 4.8 out of 5-star 
rating, which is incredible.
    Recently married residents in five states, including my now 
home state of Georgia, who want to update their Social Security 
card to reflect their new name can now take care of that online 
versus traveling to a Social Security office and filling out 
paperwork.
    And passengers are now able to use an authenticated mobile 
ID during TSA's airport screening pilot, decreasing the 
processing time, and enabling a touchless experience.
    Through this work, we are demonstrating to agencies and the 
Federal work force that change is possible. We are building 
trust with the American people when they interact with our 
government. And, importantly, we are inspiring others to join 
us serving this great country.
    As Federal CIO, I have a really unique vantage point and 
the honor of bringing together leaders across government to 
drive progress. We are collaborating closely on cybersecurity, 
which remains our top priority. Working with the Office of the 
National Cyber Director and our OMB budget colleagues, we are 
assessing where agencies are on their IT journey and ensuring 
they are making the right investments to strengthen their 
cybersecurity foundation and accelerate IT modernization. This 
work will place agencies on a sustainable path to maximize 
investments from Fiscal Year to Fiscal Year and from 
administration to administration.
    Second, we are maximizing the impact of the funds entrusted 
to us as center-of-government technologists by aligning our 
work around strategic IT priorities, as you mentioned, Mr. 
Chairman. Outlined in our Federal Information Technology 
Operating Plan, the Office of the Federal CIO, the United 
States Digital Service, and our colleagues at GSA are aligning 
resources and tech teams to administration priorities and 
driving innovation through funding models like the Technology 
Modernization Fund.
    And third, we are providing technologists with the 
executive support needed to have a voice in agency C-suites. 
The government experience will improve by having technologists 
early and often in agency planning. Technologists are key to 
vetting strategies to drive down the failure rate of IT 
investments and reduce administrative burden for the Federal 
work force so they can work smarter, not harder.
    With each new product and service we launch, we're closing 
a chapter on the paper process, sadly, the main way that we are 
still conducting much of our business across government. Paper 
is not only slow and antiquated, it's inaccessible to the 
digital world, it's a burden for the Federal work force to have 
to process, and it does not meet the bar for modern service 
delivery. We must and can do better.
    Working together, we have the ability to drive digital 
transformation across the Federal enterprise. Partnering with 
agencies, our industry partners in Congress, we can deliver to 
the American people the government they deserve.
    So, thank you so much for the opportunity to testify today, 
and I look forward to your questions.
    Mr. Connolly. Thank you so much, Ms. Martorana, and we're 
glad to have you.
    And we will now turn to questions. And the chair recognizes 
the distinguished Congresswoman from the District of Columbia, 
Congresswoman Eleanor Holmes Norton, for her five minutes of 
questioning.
    Ms. Norton.
    Ms. Norton. I thank my good friend, Chairman Connolly, and 
I appreciate this important hearing.
    We all know that the Federal CIO is responsible for 
overseeing government IT security, and that includes 
everything, budget and planning, and all the rest of it.
    During the pandemic, we saw a further acceleration of 
government's reliance on Federal information technology to get 
individuals and families and businesses, to get them what they 
needed from government. These changes made it paramount that 
the Federal CIO sets enterprise-wide policies and structures 
that help agencies get IT right.
    Ms. Martorana, with so many responsibilities, how do you 
determine your priorities? And what are your current priorities 
as the Federal CIO?
    Ms. Martorana. Thank you so much for that question. You 
know, I fulfill many statutory responsibilities on behalf of 
the Director of OMB. The role is overall oversight of 
information security, management of IT resources, 
implementation of eGovernment services. And I also serve a role 
to convene across IT--across the entire IT enterprise of the 
Federal Government.
    So, we determine priorities based on both the environment 
that we're operating in when the administration began. We were 
in the midst, to your earlier comment, Mr. Chairman, on 
SolarWinds and the devastating impact that that had, not only 
to the nine impacted agencies but to every single Federal 
agency. Because when we do have a cyber event, we do have to 
both investigate and potentially remediate across our entire 
enterprise, because if one of us is impacted, all of us are 
potentially impacted.
    So, the role of the Federal CIO is really helping Federal 
CIOs in agencies manage this very complex operating environment 
with a complex set of rules, regulations, binding operational 
directives. And it is really incumbent upon this role to make 
sure we are playing an oversight role, that we are measuring 
where we are able to, that we are sharing best practices across 
agencies.
    Every Federal agency and CIO that I work with, we're all 
trying to solve the same problems. We don't want to start from 
a blank piece of paper. So, when one agency goes on an IT 
modernization journey, for example, we want to make sure that 
we share those best practices across the entire Federal 
enterprise.
    Ms. Norton. Well, may I ask you: How do you plan to 
operationalize CIO's leadership and accountability across 
Federal agencies?
    Ms. Martorana. Yes. Currently, Federal CIOs are responsible 
for making sure that their environment is safe, secure, and 
that they are fulfilling FITARA, FISMA, and the President's 
management agenda. So, we are receiving an enormous amount of 
data from Federal CIOs, which is really an important part of 
our entire--both our oversight mission at OMB as well as 
Congress' oversight mission.
    Ms. Norton. Well, as you know, empowering CIOs and then 
holding them accountable for using their authorities 
effectively is the goal of our subcommittee, its biannual 
FITARA scorecard.
    So, may I ask you: How will you work with Congress to 
provide the public data and information that will help you in 
your efforts to highlight IT leadership and accountability?
    Ms. Martorana. Yes. We work very closely. We try to be 
transparent in the reporting, so we have an IT dashboard which 
is publicly available. We also publish out in each agency's 
strategic plan. IT is a critical component of all of those. So, 
we are able to get a view, not only across the Federal 
Government from the compliance and reporting perspective, but 
also from the operational perspective.
    Ms. Norton. Thank you very much. My time has expired.
    Mr. Connolly. Thank you so much, Ms. Norton.
    The ranking member, Mr. Hice, is recognized for his five 
minutes of questioning.
    Mr. Hice.
    Mr. Hice. Thank you, Mr. Chairman.
    Ms. Martorana, as you know, and I mentioned just a little 
while ago, OMB is required to issue the cross-agency priority 
goals with an administration's first budget submission. That 
would have been February of this year, and for some reason, the 
Biden administration did not submit the CAP goals on time. And 
at least to my understanding, I'm not aware of whether it's 
issued the CAP goals even now. And as I referenced just a few 
moments ago, during the FITARA scorecard hearing in July, the 
lack of the CAP goals prevented this subcommittee from 
receiving an accurate assessment of agency cybersecurity 
readiness.
    So, my first question to you is really simple and that is: 
Why is the administration not complying with the law? Why are 
they not issuing the CAP goals on time?
    Ms. Martorana. Thank you for the question. I do--I did hear 
a little bit about what happened after the FITARA hearing, and 
we take our role being responsive to Congress and the American 
people incredibly seriously.
    It is my understanding that OMB is technically in 
compliance with GPRA. We are required to designate CAP goals, 
which we did on August 9 of this year. They are publicly 
available on performance.gov. We are required to do that by the 
end of the full first fiscal year, and that is this year. So, 
we are technically in compliance.
    But your point is really valid. We need data to make sure 
that we have transparency, that our data is accurate, that it 
is available and, again, transparent, and actionable. So, I am 
in agreement with you that this is a responsibility that we 
have, and we are working hard to fulfill that responsibility.
    Mr. Hice. Well, I would challenge a little bit that----
    Ms. Martorana. Sure.
    Mr. Hice [continuing]. that they're in compliance. The--
they're clearly not in compliance. The CAP goals are due in 
February--that is not complicated--and they were not there. We 
could not perform our job in this subcommittee of Oversight in 
July with the FITARA scorecard because this administration is 
not in compliance.
    We take it seriously. I know you said you do, and I don't 
have any reason to question you, but we in this committee take 
our job seriously, and we expect to have the information we 
need in order to do our job.
    The Biden administration is ignoring the intent of Congress 
with respect to the Technology and Modernization Fund. The 
primary focus of TMF, as well as the underlying Modernization 
Government Technology Act, the primary focus was to make 
meaningful progress in retiring legacy systems. I mean, that's 
what we're trying to do. I personally have been in government 
agencies that are still using DOS programs.
    Ms. Martorana. Yes.
    Mr. Hice. For crying out loud, this is unacceptable. We 
have got to retire these old legacy IT systems. And this--the 
whole thing was to create savings which would then be used to 
reimburse the Fund.
    But the Biden administration is only requiring partial or 
even minimal reimbursement in emphasizing cyber projects and 
customer experience projects. Again, in and of itself, nothing 
wrong with that, but it's not the intent of Congress.
    So, you know, the question obviously is: Why should we 
believe that under your leadership the TMF has become nothing 
more than a slush fund?
    Ms. Martorana. I really look forward to having a very 
robust conversation with you about this. The TMF board has 
always required repayment. We are focused on investing in 
projects that we know have a high likelihood of success. So, 
what we do is we actually have redesigned the entire TMF 
process.
    When I joined, we had three staff on the GSA side that were 
mostly doing financial administration of the TMF. We have, in 
the last year, put technologists on the TMF PMO so that we work 
closely with agencies in the beginning of their initial project 
proposals. We review them, and we review them with a set of 
complex guidelines.
    Are they--do they have the staff on the ground to do the 
work? Do they have the right procurement vehicles in place to 
do the work? Do they have the right contracting partners in 
place to do the work? What exactly--how are they designing the 
project that they are undertaking?
    We have seen many IT failures across government mostly 
because we have not taken the time up front to build an 
incremental plan to do IT modernization.
    So, I would look forward to working with you and your staff 
and doing a detailed review of any and all of the projects that 
we are supporting under TMF. I think within the next year you 
are going to see such dramatically improved outcomes from the 
TMF projects, because we are managing them in a completely 
different way than we did previously, by having technologists 
up front in every single part of the investment.
    We review our investments quarterly. If people are not 
hitting their milestones, we do not give them additional 
funding. We have brought all of government together. If teams 
are failing at a component, we rally people together to be able 
to support them with the subject matter expertise that will 
help them be effective and efficient.
    So, I look forward to speaking with you and your staff at 
any time about the way that we are changing fundamentally the 
delivery and the outcomes for TMF. But we are staying core to 
IT modernization and government, and repayment is a very 
critical part of that for the Fund.
    Mr. Hice. Mr. Chairman, thank you. I hope we'll have an 
opportunity for further questions since there's so few members 
that are here.
    But, Ms. Martorana, I appreciate your answer. But, quite 
frankly, I'm not convinced at all that you answered my 
question. But I hope we'll have an opportunity to speak 
further.
    Mr. Connolly. Let me assure the ranking member we will. We 
will. So, we'll have another round.
    And if the--if I may follow up just real briefly for 
clarification on one of the questions the ranking member asked. 
You--the Office of Management and Budget has allowed sort of 
partial repayment from TMF. Is that correct?
    Ms. Martorana. Yes, that's correct.
    Mr. Connolly. And the legal validation of that authority 
was, in fact, either provided by or guidance was provided by 
approving that practice by GSA. Is that correct?
    Ms. Martorana. By both GSA and GAO----
    Mr. Connolly. And GAO.
    Ms. Martorana [continuing]. reviewed our repayment.
    Mr. Connolly. But if I understood your answer to Mr. Hice, 
but the intent, despite partial repayment, is full repayment.
    Ms. Martorana. Absolutely.
    Mr. Connolly. Yes. OK. Just wanted to clarify that for the 
record. So, the fact that there have been partial repayments is 
not a substitute for the ultimate full repayment, but it's 
providing more flexibility.
    Ms. Martorana. Correct. And we also, the appropriation--the 
American Rescue Plan appropriation was an emergency 
appropriation. We were dealing with dire circumstances in 
several agencies related to cybersecurity, and they did not 
have the ability to reprogram money quickly enough in order to 
meet the need at the agencies.
    Mr. Connolly. OK.
    Ms. Martorana. So, TMF plays a really critical role in that 
way as well.
    Mr. Connolly. OK. I know we'll come back to that, but I 
just wanted to clarify that part of it. Thank you.
    The distinguished gentleman from Massachusetts, Mr. Lynch, 
is recognized for his five minutes of questioning.
    Mr. Lynch.
    Mr. Lynch. Good morning, Mr. Chairman, Ranking Member. 
Thanks for doing this hearing.
    We've been here before, and I do share some of the 
frustration with the lack of progress.
    Ms. Martorana, thank you very much for your efforts. Thank 
you for your service.
    The last time we were together on FITARA, I had asked about 
the Log4j vulnerability. As you may remember, CISA reported 
that that vulnerability, which affected millions and millions 
of servers, was one of the worst vulnerabilities discovered in 
many, many years.
    Now, during our last hearing on this, we still didn't have 
a lot of information, and I did not get a satisfactory answer. 
But it'll be a year in December that we--we warned people 
about--the government warned this--people about this 
vulnerability. And I'm wondering what the level of progress has 
been in terms of trying to fix all of the--all of the 
vulnerabilities that have been discovered because of this Log4j 
code vulnerability.
    Do you have any type of assessment or report on that? I 
understand that the fix is rather cumbersome and complicated, 
so it's not like you just do a patch. It's a very complicated 
process. And because Apache Log4j is so--it's open source, so 
all these--all these software developers sort of imported it 
and now have, you know, lent themselves to that vulnerability.
    I do also want to, before you answer, I'm also disappointed 
that it was Alibaba that discovered the vulnerability and not 
our folks. Doesn't give me much confidence. But, you know, 
after the fact, I think Mandiant and CrowdStrike suspected that 
it was actually Chinese hackers that were able to implement 
this vulnerability across so many of our systems, including the 
government.
    So, where are we in cleaning up this mess?
    Ms. Martorana. Yes, thank you so much for that question. 
You know, cyber threats facing Federal agencies and the 
software that underpins the work of our Nation has to be 
developed in a resilient and secure manner. So this week, we 
released OMB memorandum, enhancing the security of the software 
supply chain through software--secure software development 
practices. And that is a critical part of how we are going to 
direct agencies to make sure that we're only using software 
from producers that comply with secure software development 
practices and standards.
    So, Log4j is quite complex. I think Director Easterly said 
it was one of the most challenging software vulnerabilities 
that she had seen in her career. And Federal agencies still 
continue, as does the private sector, to try and deal 
specifically with Log4j and the associated challenges in 
actually determining where it is, how it's being executed, and 
how it can be remediated.
    Mr. Lynch. Yes. Well, I understand. You know, we've got 
some lessons learned, right? So, we're not going to do that 
again. I appreciate that. But it's an outstanding vulnerability 
that's still extant, and I'm just worried about the situation 
with that process. It's--you know, the problem is locating the 
vulnerability and then implementing the fix. So, that's taking 
a long time. And I'm not hearing any timetable or percentages 
in terms of where do you think we are in, as I said, cleaning 
up that mess.
    So this is, again, a year later. So, I'm still asking the 
same question, and I'm not really getting an answer that's 
helpful. I do----
    Mr. Connolly. Mr. Lynch, if I may interrupt. I'm going to--
if you wish, I'm going to extend your questioning for another 
five minutes.
    And then, Mr. Hice, we'll come back to you also for another 
five minutes. OK?
    Mr. Lynch. Thank you. Thank you. Thanks, Mr. Chairman. I 
really do appreciate it. Thank you.
    Ms. Martorana. And----
    Mr. Lynch. So--go ahead. I'm sorry.
    Ms. Martorana. And, Mr. Lynch, I would--I will direct--take 
your question and direct it, working with my colleagues at 
CISA, and get back to you with some more specificity around 
timelines and percentage of remediation that's being completed, 
if our colleagues at CISA have that data.
    Mr. Lynch. Thank you.
    And what I might suggest is, let's just take the government 
vulnerability, because this is so widespread, so many companies 
imported that software, that maybe--maybe we can just get the--
our arms around the damage to government servers and clean that 
part of it up. And then, as you say, we've cleaned up our 
supply chain and acquisition process. Maybe we can firewall 
this thing. But maybe we can do that.
    And the best use of our time might be to do a classified, 
and you can tell me then or CISA can tell me what the 
vulnerabilities are right now, in a secure setting, and at 
least make me a little more comfortable that we're actually 
making progress, if those answers can't be given publicly.
    The second piece I had is I know that--I know that 
President Biden chose to discontinue some of the--some of the 
practices, cyber practices that were implemented by the 
previous President. And I'm wondering if that transition, where 
are we with that? And what's the nature of our changes in terms 
of, you know, gathering data and that practice?
    Ms. Martorana. Yes, I was fortunate to serve in the last 
two administrations. And we have not stopped focusing on 
cybersecurity. I have not seen anyone take their foot off the 
gas. This is a team sport. And while we might have to look at 
different ways to collect data, the burden that we put on 
agencies by constantly asking for manual data calls is really 
burdensome and we don't always get clean data. We don't 
certainly get machine-readable data which would allow us to 
automate some of our reporting.
    So, I think we have a real opportunity to continue to 
invest in getting more real-time reporting based on better 
tools that would be available both from at the agency level and 
also at the OMB level, so that we are not manually compiling 
these data-sets trying to, you know, clean the data, make sure 
that it is accurate and also then actionable so we can make 
really informed decisions from it.
    So, I look forward to continuing the work on that, and I 
think that that is something that will carry through. It 
carried through previous administrations, and it will carry 
forward into the next administration.
    Mr. Lynch. All right. Can you at least tell me--so the 
metrics have changed in terms of, you know, data gathering from 
the Trump administration to the Biden administration. I'm not 
sure, you know, where we are in that transition and how 
successful that's been so far. But what's the nature of the 
transition? Is it tightening or refocusing? Can you help me a 
little bit with that?
    Ms. Martorana. Yes. We are consistently looking at the data 
that agencies are providing us and trying to figure out the 
best way that we can assess risk from that agency data-set. And 
so we will constantly refine the data as we both deal with 
different threats, as well as make informed--different and 
informed decisions and also make progress.
    So, I think that we will never have a single set of data 
that will accurately reflect the threat environment that we're 
dealing in, but we will continually refine that. But it is 
really critical that we are--continue to be transparent and 
responsive to Congress. So, I think that is our foundational 
operating model.
    And I do understand there was frustration with this CAP 
goal issue, but I can really assure you that the data that we 
are collecting will be more accurate, it will be more 
actionable, and it will help us work together to make sure that 
we're making the right investments to help these agencies 
remediate many of these really critical security issues.
    Mr. Lynch. OK. Well, thank you for your efforts. And we'll 
continue to talk and--but I do appreciate your efforts.
    And, Mr. Chairman, thank you so much for your courtesy. 
Thank you to the ranking member as well. Thank you. I yield 
back.
    Mr. Connolly. Thank you, Mr. Lynch. Thank you so much.
    The ranking member is recognized for a second round of 
questioning.
    Mr. Hice.
    Mr. Hice. Thank you very much, Mr. Chairman.
    Ms. Martorana, can you give me a definition of a legacy 
system?
    Ms. Martorana. I'll give you my definition of a legacy 
system. A legacy system is a system that does not meet the 
mission needs of an agency.
    There are circumstances where an older system, if it is 
able to be patched, if it is available, high availability, 
sometimes we are able to run on some legacy systems that 
actually have still--have operational viability. But where--
where I consider a legacy system that wholesale needs IT 
modernization is a system that is failing an agency's mission 
so that we cannot deliver the right services to the American 
public.
    Mr. Hice. Does anyone else share your definition?
    Ms. Martorana. I think a lot of my IT colleagues share that 
same definition.
    Mr. Hice. We need--you know, look, and it's a good 
definition. I don't have any problem with your definition. But 
we don't have an official definition. Somehow you have your 
definition, somebody else has theirs. And, you know, the next 
question obviously is: How good are we doing at retiring legacy 
systems? We're spending hundreds of billions of dollars and 
we're not--we seem to get nowhere in retiring these old 
systems.
    A scale of 1 to 10, 10 being perfect, how well are we doing 
on retiring legacy systems?
    Ms. Martorana. I--that's a tough question to answer. I 
would probably give us a 5 out of 10. I think that it is----
    Mr. Hice. I think you're being very gracious, but I'll 
accept that.
    So can--where can we get a pretty accurate appraisal of the 
billions of dollars in IT funding, how it's being used?
    Ms. Martorana. I think the IT Dashboard is the first 
foundational place to look at what those investments are. Also, 
each agency budget has very--has specificity on line items 
related to IT projects. Also, programs within those agencies, 
there's also specificity on IT investments.
    Mr. Hice. OK. So, let's talk about the Federal IT 
Dashboard. It's supposed to give us all the answers. Is it 
reliable?
    Ms. Martorana. It is reliable as it is up, running, and 
operating. But systems are only as good as the data that is 
input into them, and it is----
    Mr. Hice. Exactly. So, where is that data coming from?
    Ms. Martorana. Federal CIOs. It is their responsibility to 
enter data into the IT Dashboard on behalf of their agency and 
their program.
    Mr. Hice. But we don't know how accurate that information 
is.
    Ms. Martorana. You know, I think going back to my opening 
statement, talking a little bit about paper, these are manual 
processes, right? We have--in many technology areas, we've 
advanced so far. Having machine-readable data, having APIs and 
automated ways of collecting data, analyzing data, and creating 
actionable insights from that data, these are all manual data 
calls that agencies are submitting.
    And I say we can do better by investing in some of the 
tools at agencies so that all of us that have oversight roles 
are able to make more informed decisions from the data-sets 
available.
    Mr. Hice. Well, I would agree with you that we've got to do 
more, and we can do more.
    Is there--just a kind of a yes or no, because I've got a 
couple more questions. Is any of that data verified? Is there a 
third-party independent group verifying the information on the 
Dashboard?
    Ms. Martorana. My team spends an enormous amount of time 
doing that verification. It is one of the reasons that we are 
oftentimes late in meeting our deadlines is that these are very 
manual processes that rely on humans looking at the data, 
finding anomalies, reaching back out to agencies, cleaning that 
data so that we have a data-set that is more accurate and 
actionable.
    Mr. Hice. OK. So, you bring up your position. And I did 
have questions with that too, you know, with the ability that 
you do or do not have to actually produce change. I'm curious 
about that. And I see my time is running out. So, I'm going to 
give you three questions that I would like for you to respond 
back to the committee so that I don't take more than the 
generous time the chairman has given right now.
    But question No. 1: Can you supply this committee with a 
copy of your job description?
    Second, who established that position? How did the process 
come about that the Federal CIO position was established?
    And then, third, do other CIOs recognize this position? And 
do they, for lack of a better word, submit to your proclaimed 
authority?
    If you could submit an answer to those questions here in 
the next week or so, I would appreciate it.
    Thank you, Mr. Chairman.
    Ms. Martorana. I'd be happy to. Thank you.
    Mr. Connolly. Thank you, Mr. Hice.
    And, Mr. Hice, if I could piggyback onto your request, I 
would add: And what is the relationship between your office and 
the CTO? How does that work?
    Because my recollection is those offices were created by 
President Obama, and we had Vivek Kundra and Aneesh Chopra from 
Virginia as the first two holders of those offices, CTO and CIO 
respectively. And they had a great working relationship.
    But to Mr. Hice's point, has it subsequently been more 
refined and delineated? I assume, of course, it has. So, I 
think we'd want to know that as well in your responding to Mr. 
Hice. And if you'll get the answers to the chair, we'll make 
sure that they are distributed to Mr. Hice and to other members 
of the subcommittee.
    I thank you, Mr. Hice.
    Mr. Hice. Thank you, Mr. Chairman.
    Mr. Connolly. The chair now recognizes himself for his line 
of questioning.
    Mr. Hice raised the question, and it's a good one. Do you 
believe that Congress should codify your office, your role in 
law so that it's not a position that could be dismissed with or 
abolished by some subsequent executive branch without 
consultation and consent of Congress and that you'd have 
statutory standing, obviously, in terms of your roles and 
responsibilities?
    Ms. Martorana. IT is such a critical part of how we operate 
the Federal Government and deliver services. I think that 
continuing to make sure that C-suites at every agency have 
capabilities, in addition to the CIO--in my private sector 
experience, I worked with other executives. While they didn't 
have the responsibilities that I had, they had a keen 
understanding and exposure to technology and the problems that 
we were trying to solve together to support our business or, in 
the case of government, mission.
    So, I think that continuing to focus on IT, Federal IT, and 
cybersecurity and how we can be best partners, both in 
supporting agencies doing their mission and our oversight, our 
critical oversight roles, I think we can continue to improve 
there. So, I would leave it to the committee to----
    Mr. Connolly. Well, I must say I'm biased in favor of 
codifying things in law because that gives it standing, that 
regularizes oversight, that empowers people in your job. And 
all of that's very important, frankly, in a large bureaucracy, 
both here in Congress and in the executive branch, as I know 
you struggle with every day in terms of are you empowered.
    And that goes to a different question. One of the--one of 
the scorecard items we have for FITARA that we added was: Who 
does the CIO report to? Now, background, before your time, but 
when we wrote FITARA 7 or 8 years ago, there were--we 
estimated, among 24 Federal agencies, there were 250 people 
with the title CIO.
    Now you know from your own private sector experience, and 
mine as well, I mean, generally, corporations have one CIO. The 
Federal Government as a Federal Government has one CIO, but 
agencies have multiple CIOs. And that can create confusion and 
dilution of responsibility and accountability.
    So we didn't--we didn't change that in law because we 
wanted to respect the culture and not be too radical. But we 
wanted to move toward a primus inter pares, right, that there'd 
be one primary CIO. And we felt empowerment, just like we're 
talking about codifying your job, was about reporting 
sequences, right? We want the primary CIO reporting to the 
boss.
    How do you think we're doing in sort of spreading that 
word, and how do you think we're doing in terms of evolving a 
management hierarchy that makes sense from any kind of 
management point of view, especially given your private sector 
experience?
    Ms. Martorana. FITARA has been critical in getting CIOs 
into the right conversations at the right time. So it--the work 
of the subcommittee has been mission critical for CIOs.
    Each agency has a unique structure, right? There are 
organizations that have that main headquarter CIO, and then 
they have component CIOs. So, I really think that it comes down 
to how technology is thought of as the decision-making process 
happens in an agency, right? You have to partner with your 
mission partners, with your program partners from the 
inception.
    So, there are high-functioning agencies that are federated, 
and there are small agencies that have a single CIO that are 
also successful. But I think this is an area we can continue to 
work together on and really improve our overall delivery of IT 
across the government.
    Mr. Connolly. Yes. I--again, we respected the culture. But 
I will remind you, there are very large corporations that also 
have many divisions that are disparate, and they have one CIO.
    So, we need to guard against the multiplicity of CIOs that 
contributes to managerial confusion and lack of accountability, 
at the end of the day. So I--our view is we want to see every 
primary CIO report to the head of the respective agency because 
he or she is then empowered, and everyone then knows it.
    Let me ask about FedRAMP. Congress, the House, has put a 
priority on FedRAMP. We've passed FedRAMP legislation five 
times on a bipartisan basis, five times. The first bill in this 
Congress--and I managed it--in January right after the 
insurrection was FedRAMP.
    And we continue to hear lots of complaints from the private 
sector about how FedRAMP, which was designed to be a low-cost, 
quick, efficient way of being certified to provide cloud 
services to the Federal Government, is anything but. It's 
complicated. It's duplicative. It forces people to reproduce, 
you know, documentation, certification processes already 
approved by some other Federal agency. And it costs a lot of 
money. And that is a barrier, especially to smaller, more 
innovative companies that simply can't afford to risk that 
money, not even knowing if they'll be certified.
    Now, that's not how it was supposed to work. And by the 
way, we talked about codification. FedRAMP is also a creature 
of the executive branch. It has no basis in statute. And our 
bill would, of course, change that too, and give it 
codification in law so that it has standing.
    What's your take on what's wrong with FedRAMP and what we 
can do to try to get it back to its original intent?
    Ms. Martorana. Yes. I really appreciate your efforts in 
this area because it is absolutely important to the 
codification of that program.
    We're on a path to really make sure that FedRAMP is the 
most robust marketplace it can possibly be, but it is not 
meeting the need today; that, to your point, there are many 
small companies, there's innovative software that we would love 
to be able to have go through a FedRAMP program, but it is cost 
prohibitive for some of these small organizations.
    So, we have actually asked members of my team to work 
collaboratively with GSA and the program team and really roll 
up our sleeves. We need to fix this to make sure that not only 
we are supporting the supply chain issues, making sure there's 
secure software development, but also making sure that we can 
meet the speed of the need of Federal agencies to have some 
innovative technology available to them with the umbrella 
security of the FedRAMP seal of approval in a way.
    So I fully applaud that, and we are spending time on that 
in my office.
    Mr. Connolly. So, one of the things I commend to you, you 
might want to take a look at, we wrote--which I think is 
absolutely necessary--we wrote a new standard that said 
presumption of adequacy. So, if you've been approved at one 
window, Federal window, to provide those services, it is 
presumed that you have already demonstrated adequacy for other 
windows.
    Now, that doesn't preclude a specialized need, but you 
shouldn't have to start all over again de novo. I mean, that's 
part of the problem.
    Ms. Martorana. Yes.
    Mr. Connolly. It's costly, duplicative, and in some cases 
eliminates people from even trying. And who knows what we're 
losing as a Federal client, right, from those services.
    So, I think that's a very important standard, and my hope 
is our FedRAMP bill this year, fifth time will be the charm and 
we'll finally get it into law. But I think it's really 
important that we do that.
    Legacy. I wanted to go back to Mr. Hice's question about 
legacy. And then my final question will be on TMF.
    But I heard your definition of legacy, but I'm not sure I 
agree with it. I mean, first of all, the word ``legacy'' 
implies old, right? I mean, the word has meaning. And so 
something that's a legacy comes from the past. And it isn't 
just ``doesn't meet my needs today,'' because that could be a 
new system that just doesn't work.
    So I think we have to--I think we need to be a little more 
specific in what legacy means.
    Now, let's take IRS. IRS has--they have some systems that 
use COBOL. And I've talked to people, vendors and some IRS 
employees, that say, ``You know, it still works though. And, I 
mean, it's good and it's reliable, and we're nervous about 
replacing it with something new that may not work, or, you 
know.''
    But the problem is, over time, a legacy system needs 
enormous maintenance, it's energy inefficient by definition if 
it's 40 years old or older, and the number of people who know 
how to use the language required is dying out.
    So, I take the point I think you made, and others have made 
that, well, you've got to distinguish, they're not all the 
same, and I agree.
    But aren't we concerned that legacy systems by definition 
bring a lot of inefficiency, they're costly and they're risky, 
because not only can they break down and thus our constituents 
are not served, but they're also hackable, right? Not all of 
them are easily encrypted and protected.
    And so moving to a new generation of technology to replace 
old legacy mainframes really ought to be a general goal, not a 
mindless goal but something we push pretty hard.
    What is your view about that point of view?
    Ms. Martorana. Legacy is--it's a tough subject. We should 
be operating the United States Federal enterprise on the most 
modern technology available, full stop. If we are going to 
deliver digital transformation for the American people in our 
lifetimes, we have got to improve the foundational 
cybersecurity as well as operating presence of our technology.
    That takes investment over, you know, years and years for 
us to get out of this tech debt that we have across almost 
every single agency.
    I did a mainframe migration project when I was at OMB. We 
had mainframes at risk in a subbasement. The challenging part 
was, we weren't able to recognize the cost savings as quickly 
as I would've hoped in my private sector experience.
    So you had to start, first reengineer all your business 
processes, because you can't just lift and shift and do exactly 
what you did on the mainframe without interrogating the way 
that you do business, because newer systems are differently 
efficient, and they potentially have the opportunity for us to 
really leapfrog.
    So, you want to make sure that you're thinking about the 
business process and not just moving old, antiquated, because 
that's the way we did it 25 years ago, to the cloud, for 
example. You want to interrogate all of that along the way.
    But I had originally planned, once we were able to get the 
new mainframes up and running that were cloud ready, doing all 
of the steps that we needed. I thought we would be able to 
sunset the old equipment. So, get rid of operations and 
maintenance cost and all of the ancillary costs and staffing 
that had to be burdened managing those systems instead of 
moving up with the new systems.
    It took years of compliance activity that we needed to go 
through in order to actually get those offline and stop paying 
for both. So, we were really challenged in recognizing cost 
savings.
    And I think that would be something it would be really 
worthwhile for us to partner together on interrogating, going 
through some of the programs that we've seen do this very 
efficiently and other ones maybe that took a little bit longer 
and see if we can come up with some best practices and really 
share them more widely across the Federal enterprise.
    Mr. Connolly. So, I think you've done a great job setting 
the goal about legacy. That's clear and unambiguous, and I 
think that's a good new standard--or maybe it's not so new, but 
it's declaratively stated. So thank you.
    And just my final--and I don't mean to impose on time--but 
I just wanted to clarify some things that Mr. Hice and others 
have raised.
    TMF, the Technology Modernization Fund, was directly 
related to this whole question of retiring legacy systems and 
upgrading technology. Is that correct?
    Ms. Martorana. That is correct.
    Mr. Connolly. And we provided a billion dollars and we 
celebrated that. Is that correct?
    Ms. Martorana. Correct.
    Mr. Connolly. However, replacing a big system at a Federal 
agency could be multiyears and multibillions of dollars, just 
that one system or that one agency. Is that correct?
    Ms. Martorana. Absolutely.
    Mr. Connolly. So, a billion dollars is great in 
incentivizing people to--and here's the--why do we need--
because Mr. Hice raised this question, it's a fair question--
why do we need extra money? We're spending almost $100 billion 
a year in IT that we know of, maybe more. Why do you need more 
money to incentivize agencies to retire their legacy systems?
    Ms. Martorana. Yes. TMF was really--the billion dollars for 
TMF was a down payment. The three years prior to the American 
Rescue Plan, the last year, TMF only saw one proposal. So, 
obviously something wasn't meeting the need of agencies if only 
one agency came forward with an IT modernization project for 
TMF.
    So, the billion-dollar down payment on kick-starting--re-
kick-starting TMF gave us the opportunity to really rethink the 
way that we were thinking about our projects and funding them.
    And in addition, the payment flexibility gave us the 
opportunity, it allowed agencies not to self-select out. Many 
of them selected out of the original TMF because of what we 
just spoke about with cost savings taking longer to recognize.
    So, I think that we're on a really good path to showing 
significantly improved outcomes on the programs, and I really 
hope that we continue to get the investment, because we are 
standing up something that is going to be transformative. It's 
a catalyst in helping agencies get started on some of these 
complicated projects.
    Mr. Connolly. Mr. Hice, I see you're still on. If you want 
to jump in at this point, take a few minutes to either ask 
additional questions or comment. I certainly want to be fair to 
you. So you're recognized.
    Mr. Hice. Thank you very much, Mr. Chairman. I was going to 
ask if I could have just a couple more minutes.
    Ms. Martorana, during our hearing in May on TMF, 
Congressman Biggs observed that in order to perform appropriate 
oversight this committee needs access to certain written 
agreements between agencies regarding the Technology 
Modernization Board; quite frankly, things like reimbursement 
requirement schedules, status of repayments. In fact, quite 
frankly, I think all of these things should be publicly 
available.
    So let me just ask you: As chair of TMF Board, will you 
commit to providing this committee with that type of 
information and, quite frankly, even make that information 
publicly available?
    Ms. Martorana. Thanks for that question.
    I believe GSA, in response to the May hearing, did provide 
everything that was requested by the committee. So, I will 
follow up. I'm happy to follow up with my colleagues at GSA about 
that.
    We are working on----
    Mr. Hice. Will you make that information available?
    Ms. Martorana. We are working to upgrade the TMF website so 
that we can continue to be more transparent about the 
investments that we are making. So, I do commit to us working 
on publishing out some of that data on the TMF website. But 
happy to----
    Mr. Hice. OK. My question is really twofold. I'm not asking 
for some of that information, but all of that information, 
first of all, to this committee, and second, publicly. But 
primarily, to begin with, this committee needs access to that 
information.
    Ms. Martorana. I absolutely will commit to us being as 
responsive to Congress as we should be and provide you, the 
committee, what you need.
    As far as----
    Mr. Hice. No, no, no. Listen, I don't want you determining 
what we need. I want this information, and I'm asking you to 
provide it.
    Ms. Martorana. And I'm concurring that I am agreeing with 
you and will provide the information that you have requested. 
It was my understanding GSA had already done that. So full 
stop----
    Mr. Hice. OK. Thank you. Thank you very much for your help 
with that.
    And my last real question. Cybersecurity is a notoriously 
decentralized issue in the Federal Government with various 
senior-level officials playing very important roles. We've seen 
the National Cyber Director, Chris Inglis, for example, and 
CISA Director Jen Easterly, just to name a couple.
    But now, with you as the Federal CIO, do you have a 
substantive seat at the table when it comes to protecting our 
Federal agency information systems? That to me is a very 
important issue.
    And if you do have a table there, what are your 
responsibilities? What does that consist of? What is your 
relationship with other IT-related cybersecurity offices and 
officials? That type of thing.
    Ms. Martorana. Thanks for the question.
    The National Cyber Director is the principal adviser to the 
President on cybersecurity policy and strategy. I am 
responsible for overseeing Federal cybersecurity programs and 
ensuring that they align with the national cyber directive 
strategy.
    The Federal Chief Information Officer, Mr. Chris DeRusha, 
who is on my team, is also a deputy in the National Cyber 
Director Office for Federal cybersecurity.
    This is an area where we have worked really closely in the 
last year, since the National Cyber Director Office has been 
stood up, to work collaboratively across the executive branch, 
and we work really closely with the CISA team.
    And I feel like we--this is an area--you've probably heard 
that--many of us say that cybersecurity is a team sport. This 
is a team sport where I feel like we are winning as 
collaborators.
    We still have risk to our Federal Government, but I think 
in this specific area the National Cyber Director role has been 
critical, and we have been very successful at working to 
safeguard the Federal enterprise by working so collaboratively 
with CISA, the National Cyber Director, and----
    Mr. Connolly. Thank you.
    And I thank the gentleman.
    Mr. Hice. So, do you have a seat at the table?
    Ms. Martorana. Absolutely. And my--Federal CISO is dual-
hatted to the--on to the National Cyber Director team. So, we 
not only have--I not only have a seat at the table, we work 
together every single day in that dual-hat role to make sure 
our teams are completely coordinated.
    Mr. Connolly. So thank you, Mr. Hice.
    Mr. Hice. Thank you, Ms. Martorana.
    And, Chairman, if I could just kick it back to you, but say 
thank you again for hosting this hearing and for leading us in 
this.
    This is an extremely complex discussion. All of us realize 
that cybersecurity is a major issue that must be addressed.
    I think collaboration, it is one thing. We've got to get 
beyond that. We've got to address the problems. We've got to 
get rid of legacy systems. We've got to improve this. We've got 
to have accountability.
    And, Ms. Martorana, I look forward to having further 
discussions with you, and we'll look forward to doing that.
    Mr. Connolly. Thank you, Mr. Hice, and I certainly agree 
with you about accountability.
    Let me also at this juncture, before I call on the 
gentleman from California, I have one, two, three, four, five, 
six, six memos from OMB that provide guidance on cybersecurity 
dating back to August 2021. And I would insert them in the 
record at this point.
    I would also insert into the record the GAO guidance with 
respect to reimbursement we discussed a little earlier on TMF.
    Without objection, so ordered.
    Mr. Connolly. We've been rejoined by the gentleman from 
California, Mr. Khanna.
    Mr. Khanna, you are recognized for your five minutes of 
questioning, and we're going to be generous in that five 
minutes if you need it.
    Mr. Khanna. Thank you, Chair Connolly. I will try to be 
brief. You continue to show exceptional leadership on 
everything concerning technology in our government.
    I particularly appreciate Ms. Martorana as the head of IT 
in appearing. And your strong and thoughtful leadership and 
your time in government make our government more 
technologically savvy and proficient.
    I've been discussing with the chair and with many people at 
the White House, senior leaders, about the creation of a 
Federal chief customer experience officer or an equivalent 
position directed to improve government service.
    The White House is very excited about the idea. They 
recognize, President Biden and others have, that it's more than 
customer experience. It's about more than technology. It's 
about making sure that we are serving people.
    And that's been the secret to a lot of Silicon Valley's 
success. It's about making sure that the community is working 
together, that we have the right mail and telephone services.
    So, Ms. Martorana, I just want to make sure we have your 
commitment, which I imagine we will, on working on this to make 
it a success and make sure we can get this win for President 
Biden.
    Ms. Martorana. If anyone knows anything about me, they know 
that customer experience is--has been what I've spent the 
majority of my career working on, making sure that we are 
delivering the right products and services to the people that 
need them and that they can engage with them seamlessly 
regardless of their abilities. It is absolutely the cornerstone 
of what we work on.
    It's also really a critical third--if you think of 
cybersecurity as the foundation, IT modernization and customer 
experience, they all work together in IT. I have never worked 
on a successful project that did not think of all of the 
dimensions both----
    Mr. Khanna. Terrific. So, I just wanted--so you'll work 
with us then on this legislation on the Federal chief customer 
experience officer. We've been working with folks at the White 
House on it, but I want to make sure, since you're integrally 
involved, that we can have your help with it as well.
    Ms. Martorana. I'd be happy to join any conversations 
related to it.
    Mr. Khanna. Thank you. Well, we'll look forward. I 
appreciate your commitment to support it and work on it, and 
really appreciate your leadership, and our team will be in 
touch. And the chairman has been extraordinary on this.
    Thank you very much.
    Thank you, Mr. Chair.
    Mr. Connolly. Thank you, Mr. Khanna, and I hope I can quote 
you in all of that praise.
    All right. Thank you for joining us today. And thank you 
for championing customer experience, because I think that's 
very important. And, in fact, I'm proud to be a cosponsor of 
the Federal Agency Customer Experience Act. So, we'll be 
talking about that as well.
    In closing, I want to thank Ms. Martorana for joining us. I 
want to commend my colleagues for their diligence and their 
dedication to this set of issues.
    It doesn't make headlines. It's not sexy. Everything hinges 
on technology. Everything. All of our programs, all of our 
aspirations, all of our goals, all of our objectives, all of 
our noble purposes rise or fall on the IT platform ultimately 
and its security. And those are investments critical to the 
American people and for our mission. So thank you.
    Without objection, all members will have five legislative 
days within which to submit additional written questions for 
the witness. And I would ask that those questions come through 
the chair and the answers come through the chair.
    Mr. Hice gave you three questions that he would like 
answered and I modified one of them. And if you need us to put 
that in writing, we will; or, if you don't, if you could just 
try to get back to us, I would very much appreciate that.
    And thank you again for joining us today.
    And thank you to my colleagues and our staff.
    And with that, this hearing is adjourned.
    [Whereupon, at 10:28 a.m., the subcommittee was adjourned.]

                                 [all]