[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
FITARA 15.0
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON GOVERNMENT OPERATIONS
OF THE
COMMITTEE ON OVERSIGHT AND REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
DECEMBER 15, 2022
__________
Serial No. 117-113
__________
Printed for the use of the Committee on Oversight and Reform
Available at: govinfo.gov,
oversight.house.gov or
docs.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
50-157 PDF WASHINGTON : 2023
COMMITTEE ON OVERSIGHT AND REFORM
CAROLYN B. MALONEY, New York, Chairwoman
Eleanor Holmes Norton, District of Columbia
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Ro Khanna, California
Kweisi Mfume, Maryland
Alexandria Ocasio-Cortez, New York
Rashida Tlaib, Michigan
Katie Porter, California
Cori Bush, Missouri
Shontel M. Brown, Ohio
Danny K. Davis, Illinois
Debbie Wasserman Schultz, Florida
Peter Welch, Vermont
Henry C. ``Hank'' Johnson, Jr., Georgia
John P. Sarbanes, Maryland
Jackie Speier, California
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Mark DeSaulnier, California
Jimmy Gomez, California
Ayanna Pressley, Massachusetts

James Comer, Kentucky, Ranking Minority Member
Jim Jordan, Ohio
Virginia Foxx, North Carolina
Jody B. Hice, Georgia
Glenn Grothman, Wisconsin
Michael Cloud, Texas
Bob Gibbs, Ohio
Clay Higgins, Louisiana
Ralph Norman, South Carolina
Pete Sessions, Texas
Fred Keller, Pennsylvania
Andy Biggs, Arizona
Andrew Clyde, Georgia
Nancy Mace, South Carolina
Scott Franklin, Florida
Jake LaTurner, Kansas
Pat Fallon, Texas
Yvette Herrell, New Mexico
Byron Donalds, Florida
Mike Flood, Nebraska
------
Subcommittee on Government Operations
Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of Columbia
Danny K. Davis, Illinois
John P. Sarbanes, Maryland
Brenda L. Lawrence, Michigan
Stephen F. Lynch, Massachusetts
Jamie Raskin, Maryland
Ro Khanna, California
Katie Porter, California
Shontel M. Brown, Ohio

Jody B. Hice, Georgia, Ranking Minority Member
Fred Keller, Pennsylvania
Andrew Clyde, Georgia
Andy Biggs, Arizona
Nancy Mace, South Carolina
Jake LaTurner, Kansas
Yvette Herrell, New Mexico

Russ Anello, Staff Director
Wendy Ginsberg, Government Operations Subcommittee Staff Director
Aidan Miller, Clerk
Contact Number: 202-225-5051
Mark Marin, Minority Staff Director
------
C O N T E N T S
----------
Hearing held on December 15, 2022
Witnesses
Jason Gray, Chief Information Officer, United States Agency for
International Development: Oral Statement
Chris DeRusha, Federal Chief Information Security Officer, Office
of Management and Budget: Oral Statement
Carol C. Harris, Director, Information Technology and
Cybersecurity, Government Accountability Office: Oral Statement
(Joining Ms. Harris) Jennifer Franks, Director, Information
Technology and Cybersecurity, Government Accountability Office
Written opening statements and statements for the witnesses are
available on the U.S. House of Representatives Document
Repository at: docs.house.gov.
Index of Documents
----------
* Questions for the Record: to Mr. DeRusha, Federal Chief
Information Security Officer, Office of Management and Budget;
submitted by Chairman Connolly.
* Questions for the Record: to Mr. Gray, Chief Information
Officer, United States Agency for International Development;
submitted by Chairman Connolly.
* Questions for the Record: to Ms. Harris, Director,
Information Technology and Cybersecurity, Government
Accountability Office; submitted by Chairman Connolly.
These documents are available on the U.S. House of
Representatives Document Repository at: docs.house.gov.
FITARA 15.0
----------
Thursday, December 15, 2022
House of Representatives
Committee on Oversight and Reform
Subcommittee on Government Operations
Washington, D.C.
The subcommittee met, pursuant to notice, at 11:01 a.m., in
room 2154, Rayburn House Office Building, Hon. Gerald E.
Connolly (chairman of the subcommittee) presiding.
Present: Representatives Connolly, Norton, Brown, Hice, and
Clyde.
Mr. Connolly. The committee will come to order.
Without objection, the chair is authorized to declare a
recess of the committee at any time.
I want to welcome everyone to the hearing which seeks to
continue our oversight efforts of agency implementation and
compliance with FITARA and other information technology laws.
Let me just say, I think this is our 16th--15th oversight
hearing on a--on one law. I don't believe there is any
precedent in Congress for that. I think we're unique, and it
shows bipartisan commitment to making sure that FITARA is
implemented and that IT modernization is the priority we
recognized when we passed that bill into law. I credit GAO
particularly for highlighting this issue as one of its high-
risk categories, which Congress actually listened to and
responded to and wrote a law to try to address it.
Implementation, however, is key. Passing a law is only part of
the process. Making sure that law is implemented is also really
important.
We made changes to the scorecard. We created a scorecard to
try to monitor and get metrics for that implementation. We have
modified that scorecard, over the years, on a bipartisan basis.
We've added more emphasis on cyber. We've also added more
emphasis on personnel management issues like reporting in the
org chart, who do you report to if you're the CIO. You know, we
want to make sure that that person is imbued with the authority
required.
Because of the interest of time, I'm not going to give any
more of an opening statement than that. I will enter my opening
statement into the record.
Mr. Connolly. We are going to have votes starting at 11:30.
Unfortunately, there are going to be four votes. If there was
one, that would be easy. Four, that's not easy.
Eleanor Holmes Norton, when votes are called, would you be
available to take the gavel?
Ms. Norton. I certainly will.
Mr. Connolly. You're wonderful, as always. Thank you so
much.
I now call on the distinguished ranking member, my friend,
Jody Hice, from Georgia. This is his last hearing as a Member
of Congress. He's been a partner, and he's been sometimes a
foil, but we've always--we've always been civil, and we have
really tried to make as much music as we could together, and
certainly in the realm of IT that we're talking about today,
that has been the case.
So I thank Jody for his service to the American people, the
people of Georgia, and call on him now for any opening
statement he wishes to make.
Mr. Hice. Thank you very much, Chairman Connolly.
If I could take a moment of personal privilege to respond
to that. Likewise, it's been an incredible honor to serve in
Congress for eight years and represent the great state of
Georgia and the 10th District. To work with you, it's been a
great honor, and I really appreciate working underneath the
umbrella, specifically of Gov Ops here, and your desire really
to make government work better for the American people, and all
the efforts to find common ground. It has been an honor, and I
wish you the absolute best, and your family, and a wonderful
Merry Christmas as well. So I thank you for the opportunity.
Mr. Connolly. Thank you, Mr. Hice, and right back at you.
Mr. Hice. OK. Thank you.
Mr. Connolly. Thank you so much.
Mr. Hice. Yes, I'll just say, here we are again, 15th
iteration of FITARA. We've got to have teeth to this thing.
We've got to have some answers. Again, the administration, why
they refuse to submit information as required by law is getting
extremely frustrating, and I know you share that as well.
But I'll, likewise, forego my opening statement. I
appreciate the witnesses being here.
Mr. Connolly. Thank you, Mr. Hice.
Our first witness for today is the chief--oh, well--all
right. I'll introduce and then we'll swear you in.
Our first witness is chief information officer for the
Agency for International Development, Jason Gray. Welcome.
Our second witness is the Federal chief information
security officer in the Office of Management and Budget, Chris
DeRusha. Welcome.
Our final witness--actually, not our final witness. We have
Carol Harris, director of information technology and
cybersecurity at the Government Accountability Office. And she
is joined by Jennifer Franks, also director of information
technology and cybersecurity, to provide her thoughts on zero
trust implementation. Our kind of implementation, zero trust.
Mr. Hice. And Ms. Franks is from Georgia.
Mr. Connolly. Oh, Lord.
Mr. Hice. As she shares the Georgia nation, Go Dawgs.
Mr. Connolly. All right. Well, that commends you too.
If our witnesses would rise and raise their right hand to
be sworn in.
As you know, it's the custom of our committee and
subcommittees to swear in our witnesses.
Do you swear or affirm that the testimony you're about to
give is the truth, the whole truth, and nothing but the truth,
so help you God?
Thank you. You may be seated.
Let the record show that the witnesses all answered in the
affirmative.
Without objection, your full written statements will be
entered into the record. We ask you now for your five-minute
summary, keeping in mind that when they call votes--yes. We can
accept all the written statements. Oh, if you want--well, they
may want to just say something briefly, and then we'll go to
questions.
So if you can do what Mr. Hice and I just did, we'd
appreciate that. Because we're just worried about time and we
will want to get to substance just as quickly as we can.
Mr. Gray, anything you want to share with us briefly for
the record?
STATEMENT OF JASON GRAY, CHIEF INFORMATION OFFICER, UNITED
STATES AGENCY FOR INTERNATIONAL DEVELOPMENT
Mr. Gray. Thank you for the invitation to testify to you
today. I will keep my comments brief. I do have prepared oral
remarks, but because of the circumstances, I will keep them
brief.
Mr. Connolly. That will be entered into the record without
objection.
Mr. Gray. Thank you, Congressman. That is it.
Mr. Connolly. Everything's fine at AID.
Mr. Gray. Well, sorry, I have a five-minute written
response----
Mr. Connolly. All right. We'll come back to you.
Mr. DeRusha.
STATEMENT OF CHRISTOPHER J. DERUSHA, FEDERAL CHIEF INFORMATION
SECURITY OFFICER, OFFICE OF MANAGEMENT AND BUDGET
Mr. DeRusha. Chairman Connolly, Ranking Member Hice, and
members of the subcommittee, thank you for holding this
important hearing on FITARA.
The FITARA scorecard plays a very important role in
providing insight into the progress agencies are making to
enhance their cybersecurity. I will keep my remarks briefer
than I would have, but there are a few things----
Mr. Connolly. Yes, Mr. DeRusha, you will.
Mr. DeRusha. Just really quick, though, sir. The reality
facing day one of this administration was we were weeks into
one of the most significant events that our Nation's faced in
SolarWinds. We realized the status quo approach to
cybersecurity had failed us, and so we issued Executive Order
14028 to take some bold transformational actions there. Just a
quick outline of that plan, and then I'll conclude my remarks.
You know, our transformation plan includes making our
systems more defensible by employing zero trust principles;
meaning, we've got to move so that trust is never implicitly
granted. It must be continuously evaluated.
Across the Federal Government, we are replacing ineffective
deterrents like passwords with multifactor authentication and
encryption. We're also leveraging the same methods used by our
adversaries to continuously identify risks to Federal systems,
to--and leverage threat intelligence so that we can prioritize
remediation of those risks. Finally, we're working to infuse
security design practices across new technology throughout the
supply chain.
Just summarizing, much like that paradigm shift that we're
working on in securing our networks, we've also begun to evolve
how we measure success. So for Fiscal Year 2022, OMB and CISA
have established a new baseline on FISMA metrics, many of which
were selected around components of the EO. These data have been
used to measure trends and work with agencies to identify areas
where additional attention and resources are needed.
So, I look forward today to discussing that and what we've
released on performance.gov. I'll also look forward to the
opportunity to testify today and take your questions.
Mr. Connolly. Thank you.
Ms. Harris.
STATEMENT OF CAROL C. HARRIS, DIRECTOR, INFORMATION TECHNOLOGY
AND CYBERSECURITY, GOVERNMENT ACCOUNTABILITY OFFICE
Ms. Harris. I will keep my remarks brief.
Mr. Chairman, Ranking Member Hice, and members of the
subcommittee, so we are here with the 15th iteration of the
scorecard. It has just been a tremendous pleasure to work with
you and your excellent staff as you continue, you know, your
tremendous oversight of Federal IT issues.
I do want to take this opportunity now to thank the
dedicated staff at GAO who do the behind-the-scenes work in
putting the scorecard together for you. I don't know if you
know this, but there are about 15 to 17 staff that support this
effort. My then-assistant director, Kevin Walsh, led the first
11 iterations for you, and then Assistant Director Teresa Yost
took over and has since led the last four.
I want to thank Teresa and Kevin in particular for their
tremendous leadership, as well as our team at GAO for just
their excellent work over these past seven years.
Now, just in terms of just--just very briefly, I did want
to highlight a couple of things on the scorecard. So as you
know, the overall grades for 17 agencies remain unchanged and
have increased for seven. All 24 agencies have received a
passing ``C'' or higher. And with Mr. Gray here, you'll see
USAID remains the only one with an ``A.''
I do want to say a couple of positive things. Incremental
development still appears to be very strong, according to the
scorecard. Roughly 90 percent of agencies' software projects
are being developed using these best practice techniques
which are called for by FITARA.
Another key positive mention is Portfolio Stat. The results
of this effort have contributed to cost savings from moving the
bar from $24.8 billion to $25.5 billion in cost savings and
avoidances through Portfolio Stat. That is not insignificant.
Again, I will reiterate, $25.5 billion is tremendous.
In contrast, when you take a look at the scorecard, I did
want to mention EIS. There are 19 agencies that have an ``F''
here because they failed to meet GSA's goal to fully get off of
the legacy contracts by September 30 of this year. There are
variations across those agencies. There are a few that are
closer to the 100 percent goal, but there are 17 that are less
than 80 percent complete. And agencies need to act with
tremendous urgency to move the bar here and get off of those
legacy contracts as quickly as possible.
The legacy contracts are set to expire May 2023. GSA has
already taken action to enable continuity of services through
May 2024. We just don't want to have further delay because that
is going to cause cost overruns. But the last transition was
three years delayed and cost about $329 million in lost
savings.
Finally, I just want to mention cybersecurity grades. They
are, again, based solely on the Fiscal Year 2021 IG
assessments. This means that there is an absence of cyber CAP
Goals yet again for this hearing. I raised it last hearing.
This absence is very troubling. OMB needs to take steps to
remediate this gap immediately. We need to have clear and
measurable IT CAP Goals because it's the law.
Finally, I just wanted to again mention my appreciation for
working with you all these years. Thank you. I look forward to
your questions, myself and Ms. Franks. Thank you.
Mr. Connolly. Thank you so much.
Ms. Franks, you don't have testimony?
Ms. Franks. I do not.
Mr. Connolly. OK.
And, Mr. Gray, given the fact that others had a minute or
two, I do want to give you that opportunity. We didn't mean to
cut you off.
Mr. Gray. OK. I'd be happy to start a little bit, if that's
OK. Thank you.
So, Chairman Connolly, Ranking Member Hice, members of the
subcommittee, thank you for inviting me to testify today. USAID
is grateful for your support, for our information technology
innovation efforts, as well as our progress in complying with
and integrating into the cultures the standards set out in
FITARA.
When asked about the evolution of FITARA and the scorecard,
from my years of experience across Federal agencies and long
tenures as CIO, the yearend is always a good time to look at
the past, the present, and where we want to go for our future.
In the past, the Federal IT environment was rife with
outdated IT infrastructure and little to no measurement or
accountability of value for investment. The present environment
shows the definitive impact that FITARA has had on improving
critical technology modernization, security, and cost savings
initiatives. Now, as the subcommittee looks toward the future
of the scorecard, it will be important for agencies to look
beyond FITARA as merely a grade and embed FITARA holistically
in the operational budget and performance structure of the
entire agency.
I have been honored to serve as the CIO for USAID for four
months; and prior to that, at the Department of Education for
six years; and prior to that, several technology management
positions in both the private and public sector. These
experiences have taught me that change is not only constant but
can also be good. With change comes opportunity, experience,
and expertise.
I would like to offer a few suggestions to the subcommittee
on how to adapt or change the scorecard in the categories for
the future, and I promise I will be brief.
For cyber, I would offer that there should be more than one
metric, with all metrics aligning with the priorities Federal
agencies are working on to better measure cybersecurity
performance, and metrics should be regularly recalibrated to
meet the evolving cyber landscape and reflect leading practices
and standards of cybersecurity community.
For cost savings, when we look at cost savings and
avoidance, over a three-year period, those cost ratios are
based on both development, modernization and enhancement, DME,
and operations and maintenance, which is O&M. Agencies may be
penalized in that calculation by the money they are spending on
modernization efforts. The measurement would be more accurate
from a cost savings ratio if only the O&M were used to show the
savings on ``run the business.''
And for DCOI, a better measure might be looking at the
administrative and human capital burdens that are reduced, as
fewer data centers mean less administrative overhead in managing
those data centers.
USAID looks forward to the continued benefit the scorecard
and its measurements have provided to Federal CIOs and the
clearly defined priorities that help agencies deliver mission
outcomes, provide excellent service, and effectively steward
taxpayer dollars on behalf of the American people.
I would like to thank Members of Congress, in particular
members of this subcommittee for your continued leadership,
interest, and support for our work. USAID looks forward to
collaborating with you to address future challenges and new
opportunities for reform.
Thank you for your time. I look forward to your questions.
Mr. Connolly. Thank you.
The chair now calls on the distinguished gentlelady from
Ohio, Shontel Brown, for her five minutes of questioning.
Welcome.
Ms. Brown. Thank you. Thank you, Mr. Chairman.
At our last FITARA hearing, we found bipartisan consensus
on many things, including our disappointment with the
administration's unwillingness to work with this subcommittee
to provide meaningful and accurate data to score agencies'
cybersecurity postures.
Ten of the 24 agencies received a failing grade last time.
I am happy to report that for the past six months, we have
worked with the Office of Management and Budget and Dr. DeRusha
to develop cybersecurity metrics for the scorecard. Today, we
offer agencies and the public a preview of a new meaningful
cybersecurity metric.
So my question, Mr. DeRusha, can you explain the
methodology behind these new cybersecurity metrics and why you
think these are the correct metrics to incentivize agency best
practices?
Mr. DeRusha. Yes. Absolutely, Representative. I appreciate
the question.
So the metrics that we put up on performance.gov yesterday
are a good representative sample of where we've been focused in
EO implementation. So, for example, if you look in the protect
category, we focused on four things there.
One is ensuring we understand and are prioritizing risk as
our adversaries look at our networks. We're talking about smart
patching, which is using intelligence to prioritize our risk
remediation.
Second, we're looking at multifactor authentication. That
is one of the most effective ways to keep our adversaries out
when they are knocking on the door.
And last, we focused on encryption. So if those defenses
fail, you know, the harm is lessened or reduced to zero if
you've got encryption in place.
So for us, we've been really focused on ensuring that we're
putting the most attention in understanding where there may be
gaps in implementation and opportunities for new policy
interventions.
So, happy to continue to discuss our methodology beyond
that, but those are the areas that I think deserve the most
focus.
Ms. Brown. Thank you very much.
Mr. Gray, how do you interpret the new metrics? Do you see
them as an accurate reflection of your agency's posture and
that they point you in the right direction as you seek to keep
your agency on top of evolving threats?
The cybersecurity metric is unique on the scorecard by its
nature: an effective approach to cybersecurity demands
nimbleness and agility, an ability to predict and defend
against evolving attacks and ever more determined adversaries.
As a result, the scorecard cybersecurity metric has evolved
over time using publicly available data to hold agencies
accountable for making real progress in making their systems
more secure. The need for transparency and access must be
balanced against the legitimate need to protect sensitive data
and information.
Mr. Gray. Thank you for your question, Representative.
Mr. Connolly. Mr. Gray, if you'll speak into the mic,
closer. That's it.
Mr. Gray. Sorry.
Mr. Connolly. Thank you.
Mr. Gray. Thank you for your--much better. Thank you for
your question, Representative.
So I have, as even during my opening remarks, commented about
the need for additional metrics for cybersecurity, because the
FISMA scores that we get every year are great, but they're
dated. So I am certainly an advocate for more metrics in terms
of capturing the cybersecurity risk that agencies are able to
manage.
So I think it's a good start. I know we've been briefed on
it. Much like FITARA, I think--and look forward to it evolving
over time. I know the CIO Council has been briefed on the
metrics and the methodology.
I would say that for the metrics that are captured in what
I have seen, yes, it is accurate as it relates to those
metrics. I do think that there needs to be more, and even OMB
stated this when it was briefed to the CIO Council, that it's
going to mature. So I look forward to working closely with OMB
and the CIO Council to look for additional metrics that could
be used to capture the holistic risk the agencies are managing
every day.
Ms. Brown. Thank you so much.
Mr. DeRusha, the Russia--the administration has prioritized
zero trust as a bold and fundamental strategy to secure Federal
information technology systems. Can you speak more to what a
zero trust strategy involves and how this approach has been
incorporated into the scorecard metrics?
Mr. DeRusha. Yes. Absolutely, Representative. So our zero
trust strategy's been based on extensive coordination with the
private sector. This is essentially a security modernization
strategy. What we learned in events like SolarWinds is that the
old approach to being able to rely on our network boundaries as
the perimeter of trust and then once you are vetted and in you
can access resources freely, no longer works.
So what we're talking about here is focusing on a new
approach to identity access management and control, and so that
we are validating every user and device every time it tries to
access a resource, to ensure that they are who they say they
are, or the device is safe to operate in that environment. So
it is really based around that and a number of other
fundamental capabilities to ensure quicker detection of
adversary activity.
Mr. Connolly. Thank you. And thank you so much, Ms. Brown.
Ms. Brown. Thank you.
Mr. Connolly. By the way, Mr. Gray, if I were getting an
``A'', I would say the metrics are perfect, don't change a
thing. But good for you in saying no, it's got to evolve.
The distinguished ranking member, Mr. Hice, is recognized
for his round of questioning.
Mr. Hice. Thank you very much, Mr. Chairman.
You know, the metrics have changed, but really nothing has
changed. That's what's kind of disturbing to me. The data used
to compute this scorecard was the same data that was used last
year, and really nothing changed but the grade. And because--so
a little more weighted approach to scoring.
For example, last year, the EPA got a ``D.'' This time it
got a ``C'', but nothing has changed; just the way we score. So
we're not getting anywhere. We may pat ourselves on the
shoulder and say, hey, we got better grades. But we don't have
better grades, we just have a different way of grading, and
nothing has changed from last year. That's disturbing to me.
Mr. DeRusha, let me ask you this. And we do have your
written testimony and have looked through it. In there you
mentioned 20 references to the President's executive order on
cybersecurity but no references to the Cross-Agency Priority
Goals. So this is, likewise, a bit confusing to me.
Is this administration, in your opinion, prioritizing an
executive order over the Federal law that requires CAP Goals,
No. 1? And No. 2, what is Congress supposed to do with this?
Are we supposed to now prioritize an executive order over
Federal law?
Mr. DeRusha. So, Ranking Member, appreciate the question.
The answer is they are both important. OMB's position is that
we are complying with the law, and we made a decision to weave
IT and cybersecurity throughout the President's Management
Agenda and several CAP Goals. We had a very aggressive
executive order which we needed to measure our progress on. So
we repurposed our FISMA metrics to really align with all of the
goals and objectives that we've laid out there. For example,
OMB has issued nine memoranda, nine cybersecurity policy
memoranda, since the order was issued.
So we're very active and busy here. And there's just a
whole body of work that we feel needs to be managed through
that other process. But they are both extremely important.
Mr. Hice. Well, if they're both extremely important, why
didn't you even mention CAP Goals? Why did you mention the
executive order 20 times but not a single mention of the
responsibility of Federal law?
I mean, this is backward to me. Just because there's an
executive order does not give you nor anybody else the right to
ignore Federal law, including the administration. It's time
this stuff gets cleared up. The law is the law and it means
something. It does not mean that we can ignore it.
I would think the chairman shares my frustration with this.
The law is significant. It's the law, for crying out loud. Even
in your own written statement, you ignored it and placed
priority on emphasizing the executive order.
Let me--instead of the law--let me ask you this. You are
now wearing two hats, the National Cyber Director and the chief
information security officer. The NCD, relatively new, which,
in fairness, I voted against it because it's confusing to me.
It's like, what is it going to do? What is it supposed to do?
And that was never clear to me. It's still not clear to me.
So if you could, in the two hats--the dual hats that you're
wearing, explain what's the difference between these two
positions.
Mr. DeRusha. So, Representative, my experience of being the
first Deputy National Cyber Director, dual-hatted also as the
Federal CISO, is that it's worked really well. Look, the Office
of National Cyber Director is a brand-new organization. I think
it's going to add a ton of value over a long term. Already
we've seen it. You know, the office has grown to almost 75
people, and we're out there coordinating, communicating with
the entire Nation and really getting everybody on the same
consistent path toward, you know, modernization agenda.
So for me, being one foot in both organizations just
ensures that we are congruent in all of our policy directions,
so you don't have, you know, separate officials making
different decisions. What that decision made was just kind of
ensure that----
Mr. Hice. So which one is involved in policy?
Mr. DeRusha. Well, I'm the same person, so they're both
involved in policy in the end. But, you know, OMB generally
still issues the policy memorandum per FISMA 2014 authorities,
and we're just ensuring that Office of National Cyber Director
staff are always aligned and supportive.
Mr. Hice. So is one more leaning toward policy and strategy
or whatever, and the other more involved in enforcement, if you
will, of the policies, or what----
Mr. DeRusha. I would describe the No. 1 benefit of being in
the NCD organization is that I'm aligned to and part of the
entire organization's daily activities, so that I can stay
apprised of where the entire strategic decisions are being made
for the whole office and then bring that into everything that
we're doing for Federal. So I--you know, that's kind of how I
would just draw the distinction.
Mr. Hice. OK. My time has expired. It's still unclear to
me.
Thank you. I yield.
Mr. Connolly. Thank you, Mr. Hice.
The chair recognizes himself.
Mr. Gray, I know you've only been there four months, but
you've got a perspective having come from a previous agency. I
guess I'd invite you to talk a little bit about, how did AID do
it?
I remember when AID got a low grade, and now you're kind of
the archetype of how to do it and get an ``A''. So can you
share with us a little bit your observation of what were the
elements, management elements, resources deployed, personnel
decisions, policy decisions, that went into AID taking a
different direction and consciously so?
Mr. Gray. Thank you for the question, Mr. Chairman. I would
say that, while it has only been four months, I have certainly
been on this FITARA journey for a number of years. The embrace
by the agency of FITARA in totality--I have only been there
four months, but there is not one week that goes by where
FITARA is not referenced in one meeting or another. Focusing on
cybersecurity or governance or modernization and the key
tenets of FITARA has been fully embraced. Policy has driven
it. Senior leadership's involvement has driven it. Resources
being applied toward complying with and making sure that we are
leading FITARA in implementing to really ensure that we're
making better informed decisions.
I look at FITARA in a way like a navigational roadmap for a
CIO, that you know where those critical landmarks are that keep
you on track. And as it has evolved, those landmarks become
clearer and we can measure month over month, day over day, year
over year, to see, are we making it toward that goal.
So from what I have seen in the time is the full embrace of
FITARA, it's not just a compliance activity. The outcome is
better informed decisions, better management in terms of
resources, and that's funding in individuals, and applying
those resources to the appropriate projects and activities that
are going to lead us to the future. That's what I would
attribute.
The team has been phenomenal. I will share, and I was
sharing earlier, that inheriting the team is just amazing. It's
a phenomenal team that's fully embraced it, supported it, and
is a hundred percent behind it, Congressman.
Mr. Connolly. And obviously, for that to be successful the
way you describe it, also requires the leadership to be fully
onboard?
Mr. Gray. Yes, Mr. Chairman. Absolutely.
Mr. Connolly. Have you found that other agencies are
approaching AID to say, how did you do it? I mean, is there
some cross-fertilization going on? Is there curiosity, if not a
desire to emulate, what AID has achieved in other agencies of
the Federal Government?
Mr. Gray. Well, I couldn't say that; I've been there such a
short period of time. I will tell you that at the Federal CIO
Council, there's a lot of conversations specifically on lessons
learned and best practices and how do we do this and how did
you do that, which even myself coming in new, there were a lot
of questions that I had of, how did you tackle this, and what
was a really good way to manage this component or this part of
FITARA.
Mr. Connolly. Well, I guess I would urge you to document
it. I mean, let's capture it and share it with other agencies,
because you are a model. And while we want to talk about other
metrics we may want to capture in a future scorecard, we don't
want to lose the metrics we've got now and what they've
accomplished. And you are an example of that.
Ms. Harris, did you want to comment on that from GAO's
perspective, specifically about what AID has--the
transformation they've gone through? And from your observation,
how do they do it and why are they so successful, and can
others emulate?
Ms. Harris. Well, I think Mr. Gray covered it very well. I
think because they live and breathe FITARA and they have fully
embraced it and they have executive leadership at the top that
is fully promoting the important tenets of FITARA, that has
made all the difference. And when you compare the agencies that
are not doing as well as USAID, that is one of the key factors
as to why, plain and simple.
Mr. Connolly. Just calling it Connolly Issa just is so much
easier than FITARA, but all right. That's a different subject.
Thank you. My time has expired.
Mr. Clyde, you are recognized for your line of questioning.
Mr. Clyde. Thank you. Thank you.
I'm going to start off with a question regarding the new
metric. And we'll go to GAO, Ms. Harris and Ms. Franks, in that
order, if you don't mind.
What is your perspective on this new metric?
Ms. Harris. Well, I'm going to let Ms. Franks talk about
the new metric.
Mr. Clyde. All right.
Ms. Harris. But what I do want to go back to is the
existing metric right now for cybersecurity is incomplete. It's
not a perfect metric. It is not intended to measure cyber
comprehensively. I think Mr. Gray is probably on to it, where
you're going to have to have multiple metrics to give that
holistic picture. But I think what's important is that these
CAP Goals need to be addressed because it is the law. And
having IT weaved into existing CAP Goals as an enabler is a
great thing, but it is not what the law says. Real property and
IT need to have standalone CAP Goals because these are
longstanding IT management issues.
So I'm going to just mention that, but Ms. Franks will talk
about the new metrics.
Mr. Clyde. Ms. Franks?
Ms. Franks. Yes. I agree with Mr. Gray and Ms. Harris. So
the metrics are not as comprehensive as one would think they
need to be. So for an issue as complex and dynamic as
cybersecurity, using a few selected measures cannot really just
give us a holistic picture of what is going to be needed to
really substantially paint this picture of what's going to be
needed to fully and comprehensively give us what the Federal
Government needs to fully comply with the evolving cyber
threats across the Federal Government, the sophisticated
evolving events that plague us day in and day out.
So, what's going to be needed from these metrics is for
OMB's guidance to give us that automated approach to really
staying abreast of the cyber curve and really helping us to
really fundamentally give us some up-to-date metrics. The smart
patching, the multifactor authentication, the event logging,
all of those are going to help us, but we really are going to
need some metrics that are going to help all of the agencies
with where they are.
All of the agencies' missions are different. They're
fundamentally designed different. They're federated. They're
just going to have to be designed differently for every single
agency.
Mr. Clyde. OK. Thank you very much.
Mr. Gray, USAID's cyber grade went from a ``B'' in the
FITARA 14 scorecard to an ``A'' in today's scorecard. The
improved grade reflects a change in the methodology as the
scores in this scorecard are based on a weighted average.
Consequently, the four attained by USAID, which was a ``B'' in
the 14th scorecard is now presented as an ``A'' in this
scorecard, as I see it. So I'm concerned that this appears to
be simply a lowering of standards to show better results.
Do you see it this way too? Or if not, please explain.
Mr. Gray. Thank you for the question, Representative. I
think more work needs to be done, to be honest. I am so new to
the agency, that I would be hesitant to respond specifically to
the changes that have happened since last year and this year
because it's only been four months. But I will say that the--
there's a lot of activities that agencies are doing to manage
risk that are not captured in a FISMA audit or even an
additional cyber score, which really gets to my earlier point
is that we capture a lot of data and look forward to working
across government to figure out what is the right data to
present the holistic risk associated with each agencies'
portfolio.
So, I do think it's a great start. Much like I said
earlier, the evolution of it is--and the maturation of it is
really where we need to go so that we can truly represent the
totality of what the metrics are showing us, because I have
tons of metrics on a bunch of different activities that, in my
view, is rather consistent across agencies. So----
Mr. Clyde. OK. Well, thank you.
Mr. Chairman, I would like to take a moment of personal
privilege in this last minute I have or so, and I want to thank
my good friend and colleague, Congressman Jody Hice, for his
leadership on this committee, as today is his last subcommittee
hearing on Government Operations.
He's done an incredible job leading Republicans on this
crucial subcommittee, and particularly the past two years
during the Biden administration. Congressman Hice has stood for
truth and conservative values. He's been a warrior in the fight
for smaller and more accountable government. He's been a
colleague of mine, and he has been my mentor.
Thank you.
Congressman Hice, you will be deeply missed, and you will
leave very large shoes to fill. So thank you very much for your
being here and your leadership, Congressman.
Mr. Hice. Well, thank you for those kind words, my dear
friend. I deeply appreciate that. Thank you.
Mr. Connolly. Thank you, Mr. Clyde. I certainly share your
sentiments.
And before I call on Ms. Norton who's been so patient and
kind, I want to thank my subcommittee staff for several years
of extraordinary output. This subcommittee has had the most
hearings of any subcommittee on the Oversight and Reform
Committee. We've written the most letters. We've produced the
most bills, by far, and that couldn't happen without capable,
wonderful staff.
I want to thank Wendy Ginsberg, staff director; Annaliese
Yukawa, my legislative assistant for this committee; Brian
Maney, who is on loan to us as a fellow; and Asher Moss from
Wesleyan University, who is interning with us. Of course,
there've been people who've gone before who have done wonderful
work.
I also want to thank Bill Womack and the Republican staff
for usually their cooperation. Bill and I go way back to his
former boss, and Tom Davis, who was the former chairman of this
committee. I succeeded him in the 11th District of Virginia,
and some day I hope to succeed him as chairman of the
committee. But that's a different subject too.
I also want to thank Aidan Miller who is here with us
today, who also worked in my office.
So, thank you all very much for wonderful efforts.
We're going to continue next year in the minority,
hopefully temporarily, and hopefully we'll continue the
tradition of this subcommittee in terms of bipartisan
cooperation on this subject area. I've worked with Will Hurd;
I've worked with Todd Platts; I've worked with Mark Meadows;
I've worked with Jody Hice. We've got a long bipartisan
tradition when it comes to trying to modernize IT and the
Federal Government. And indeed, FITARA was co-written with
Darrell Issa, also chairman of this committee, Republican
chairman of this committee. So we want to keep that tradition.
We want to make sure that we are monitoring and setting the
right metrics for progress to serve--better serve the American
people and to make sure that we are cyber secure. And your
input and your experience are really important. That's why we
have these oversight hearings, not only to score people but to
try to nudge them toward that progress that AID has been able
to succeed at.
With that, the gentlelady, the Congresswoman from the
District of Columbia, Eleanor Holmes Norton, is recognized for
her round of questioning. Welcome, Delegate Norton.
Eleanor, you're muted.
Ms. Norton. Thank you, Mr. Chairman. May I also applaud the
extraordinary role you have played as chair on this committee.
And let me ask Mr. Gray a question. Mr. Gray, FITARA will
require CIOs, and here I'm quoting, to have a significant role
in the decisions, processes and management, governance and
oversight process related to information technology, end quote.
Since the subcommittee added a CIO reporting authority
metric on the scorecard, the percentage of CIOs with a direct
or partial reporting relationship rose from 50 percent to over
90 percent. CIOs have previously testified to how helpful
FITARA was at giving them a spot in the C-suite conversations.
So, Mr. Gray, as a member of the Federal CIO Council, you
have seen the transition firsthand. What are the benefits of
having a direct reporting relationship to your agency head?
Mr. Gray. Thank you for the question, Representative. I
absolutely support the CIO reporting to the agency head for
numerous reasons. For example--and I have been fortunate enough
to hold this role in two agencies that reported directly to the
agency head--the value is not just having a seat at the table,
but it is ensuring that I am able, or this position is able to
brief senior leadership on how are things going from a
cybersecurity standpoint. How are things going from a
government standpoint? How are operations going? How are we
modernizing? What are we doing for user experience and customer
satisfaction? How is the work force doing? And it gives that
direct feed to agency leadership, so when they are needing to
make decisions across the entire agency that go beyond
technology, that they have that critical information to inform
those decisions.
So it has been instrumental to ensure that I am able to
give regular updates so that the agency head is informed and
making the best decisions with the information that's available
at the time.
Ms. Norton. Well, thank you.
Now, Ms. Harris, Federal CIOs have a seat in the boardroom
but may not have a voice in--at the decisionmaking table. So
considering all this progress for Scorecard 15.0, the
subcommittee is reviewing an evolution of this category to
include additional metrics on the CIOs' influence on IT budget
and acquisition decisions.
So, Ms. Harris, GAO requested a report in the 2018 Federal
chief information--on the Federal chief information officers.
Could you briefly describe the results of that report?
Ms. Harris. Yes, ma'am. So the bottom line of the report is
that none of the 24 agencies had policies that fully addressed
the role of the CIO consistent with Federal laws and other
guidance.
So there are roughly six areas of responsibility for CIOs.
They include things like IT strategic planning, the IT work
force, as well as IT budgeting, just to name a few. The
agencies told us that CIOs are implementing the
responsibilities in these areas even when they are not required
by policy, but in our surveys to the CIOs, all of them
acknowledged that they were not always very effective in
implementing in those six areas. So there's a linkage of how
critical it is to have it in policy at the agency, the impact,
to empower these CIOs.
Right now, there are eight of the 24 agencies that have
since addressed those policy gaps. So there are still 16 that
continue to have gaps. We also made recommendations to OMB to
provide additional guidance related to CIO authorities relative
to the IT work force, as well as to providing a complete
definition of the authority that CIOs should have relative to
the IT spend.
So these recommendations remain open. That means that there
is still work that needs to be done to fully empower CIOs. It
is great that they have that seat at the table, they have that
direct line reporting to the head of their--of the agencies,
but there are still additional responsibilities that they carry
that need to be fully fleshed out. So I am very pleased to see
this category in the scorecard expanded to address some of
those areas.
Ms. Norton. Thank you. I see my time has expired.
Mr. Connolly. Thank you, Ms. Norton. And thank you for
making yourself available to chair the hearing, although it
looks like we may not need to do that. But thank you so much
for always being gracious with your time.
Let me followup on the last question just real briefly, Ms.
Harris. At our last scorecard hearing, I believe we had some
problems with OMB getting data to us, which then distorted
scores for agencies. Has that issue been addressed?
Ms. Harris. Are you referring to the cybersecurity scores?
Mr. Connolly. I believe it was, but the issue was OMB
sitting on--either sitting on that or not providing it to the
committee.
Ms. Harris. That's correct. The OMB did not provide that
publicly as they are expected to do so. It's unclear to me
whether they are sitting on that information or whether they
just don't have that information. The main issue at hand is
that there are, at this time, no specific IT CAP Goals. That is
clearly and distinctly in the law, that they should have
distinct IT CAP Goals as well as real property goals, and at
this time, we don't see that coming out.
Mr. Connolly. Mr. DeRusha, both Mr. Hice and now Ms. Harris
have--have reminded us all, it's in the law. So can you address
that issue on behalf of OMB?
Mr. DeRusha. Chairman, I can. OMB----
Mr. Connolly. Did you say I can?
Mr. DeRusha. I can, sir.
Mr. Connolly. All right.
Mr. DeRusha. OMB's perspective is that we are complying
with the law. If you look at the CAP Goals that we have woven
IT throughout, they're all focused on digital delivery, right,
and they've got security principles and the best of IT
delivery, digital delivery principles embedded throughout. So I
think we do feel we have that.
But the important thing to us is that, again, I said nine--
nine policies we've issued. I mean, there's been a huge
emphasis in body of work. Yesterday we released the performance
metrics on performance.gov for cybersecurity. We are very open
to continuing to evolve those. That is our plan. We've adjusted
some of our metrics for 2023. We're open to continuing
conversations with the committee on other focus areas.
So, you know, our view is that it's important that we've
got the metrics out in public, and we're going to continue to
evolve this as we go.
Mr. Connolly. So at our next--I don't think GAO is
satisfied with that answer.
Mr. Hice. No, neither am I.
Ms. Harris. Mr. Chairman, if I may?
Mr. Connolly. Neither is Mr. Hice.
Ms. Harris.
Ms. Harris. The law clearly states that these IT CAP Goals
need to be standalone in order to address these longstanding IT
management challenges that we face. It's a great thing that OMB
has infused and weaved technology into these other CAP Goals to
use IT as an enabler for, for example, customer experience. All
for that. But it's not--and digital delivery. But it is not
addressing these longstanding issues that we have had with IT
relative to cybersecurity and IT management.
Mr. Connolly. OK.
Mr. Hice. Mr. Chairman, if I could just add.
Mr. DeRusha, just remember you are sworn in under
testimony. And to say that you are abiding by the law, I would
be very, very careful, because you probably are alone in that
opinion.
Mr. Connolly. I would simply say, we--by the time we have
our next FITARA hearing, hopefully, Mr. DeRusha, OMB, and
hopefully Ms. Harris, GAO, can reconcile these approaches and
make sure they're consistent with the law. And the end goal here
is to be able accurately to measure progress, and that's why
it's in the law, and so we want to make sure that works. So we
thank you for that.
Mr. Hice, anything more for the record?
Mr. Hice. I'm good. Thank you.
Mr. Connolly. Really?
Mr. Hice. Yes, sir.
Mr. Connolly. All right. Let the record show he's good.
At any rate, I wish everyone happy holidays. Thank you so
much for coming to our 15th hearing on OMB, and I assure you--I
mean, excuse me, on FITARA, and I assure you, it will not be
our last. Happy holidays, everyone.
We are adjourned.
[Whereupon, at 11:51 a.m., the subcommittee was adjourned.]