[Senate Hearing 117-424]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 117-424

     GAO'S 2021 HIGH RISK LIST: ADDRESSING WASTE, FRAUD, AND ABUSE

=======================================================================

                                HEARING

                               before the


                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS


                             FIRST SESSION

                               ----------                              

                             MARCH 2, 2021

                               ----------                              

        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
             
             
              

		
		   U.S. GOVERNMENT PUBLISHING OFFICE

44-783 			    WASHINGTON : 2022       		
       		

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
            Lena C. Chang, Director of Governmental Affairs
              Yelena L. Tsilker, Professional Staff Member
              Yogin J. Kothari, Professional Staff Member
                Pamela Thiessen, Minority Staff Director
    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director
Amanda H. Neely, Minority Director of Governmental Affairs and General 
                                Counsel
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
    Senator Peters
    Senator Portman
    Senator Carper
    Senator Hassan
    Senator Rosen
    Senator Lankford
    Senator Ossoff
    Senator Scott
    Senator Sinema
    Senator Romney
    Senator Padilla
Prepared statements:
    Senator Peters
    Senator Portman

                               WITNESSES
                         Tuesday, March 2, 2021

Hon. Eugene L. Dodaro, Comptroller General of the United States, 
  U.S. Government Accountability Office; accompanied by J. 
  Christopher Mihm, Managing Director, Strategic Issues; Mark 
  Gaffigan, Managing Director, Natural Resources and Environment; 
  Nick Marinos, Director, Information Technology and 
  Cybersecurity; and David Trimble, Managing Director, Physical 
  Infrastructure
    Testimony
    Prepared statement

                                APPENDIX

GAO High Risk Report
Responses to post-hearing questions for the Record:
    Mr. Dodaro

 
     GAO'S 2021 HIGH-RISK LIST: ADDRESSING WASTE, FRAUD, AND ABUSE

                              ----------                              


                         TUESDAY, MARCH 2, 2021

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:35 p.m., via 
Webex and in room SD-342, Dirksen Senate Office Building, Hon. 
Gary C. Peters, Chairman of the Committee, presiding.
    Present: Senators Peters, Carper, Hassan, Sinema, Rosen, 
Padilla, Ossoff, Portman, Lankford, Romney, Scott, and Hawley.

            OPENING STATEMENT OF CHAIRMAN PETERS\1\

    Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the Appendix 
on page 39.
---------------------------------------------------------------------------
    I want to thank Comptroller General Gene Dodaro for being 
here and for your service to the American people. This year 
marks the 100th anniversary of the founding of the Government 
Accountability Office (GAO), and we are grateful for all of the 
work that you do to help ensure the government is working 
efficiently for all taxpayers.
    Since its creation, the Government Accountability Office 
has acted as Congress' watchdog, giving us the independent, 
nonpartisan analysis that we need to ensure that Federal 
agencies and programs are working effectively.
    GAO plays a critical role in reviewing operations and 
activities across the Federal Government, from cybersecurity to 
health care services for our Nation's veterans. At the start of 
every new Congress, GAO presents some of its most important 
findings in the High-Risk List, which we will be discussing 
here today.
    The High-Risk List report examines government programs and 
operations considered to be the most at risk of waste, fraud, 
abuse, or mismanagement. The list also focuses on government 
functions most in need of reform. This important report is not 
only an essential tool for saving taxpayer dollars, but it also 
helps us ensure that government works better for every 
American.
    Over the last 15 years, Federal agencies, lawmakers, and 
this Committee have been able to save hardworking American 
taxpayers nearly $575 billion by addressing key issues in the 
High-Risk List. In the past two years alone, we have saved 
taxpayers more than $225 billion by implementing changes based 
on recommendations from the GAO. However, there are still many 
pressing challenges raised by GAO that we will still need to 
make progress on and must address in the near future.
    For example, I have long pressed the Federal Government to 
help prevent exposure to toxic polyfluoroalkyl substances 
(PFAS) chemicals that are harming the health of Michiganders 
and people all across our country. The GAO report\1\ that I 
helped release yesterday found that the previous administration 
did not take significant steps to keep our communities safe 
from these harmful substances and made limited progress in 
protecting communities and drinking water resources from PFAS, 
and that much of the progress identified in the report was 
exclusively due to congressional efforts.
---------------------------------------------------------------------------
    \1\ The GAO report referenced by Senator Peters appears in the 
Appendix on page 59.
---------------------------------------------------------------------------
    The recent SolarWinds breach at multiple Federal agencies 
shows the urgent need for Congress to take additional action on 
Federal cybersecurity protections, and the ongoing crisis 
caused by the Coronavirus Disease 2019 (COVID-19) pandemic 
continues to raise new and unprecedented challenges for the 
Federal Government to address.
    I appreciate the work the GAO has done to conduct critical 
and timely analysis of the emergency spending Congress has 
authorized in the past year to ensure that these funds are 
getting to the people, to small businesses, and to communities 
who need them the most. Overall, this year's list highlights 36 
areas GAO has determined as being high risk and that Congress 
must take action to improve.
    I look forward to hearing today's testimony from Mr. Dodaro 
who has led the GAO since December 2010 and has worked at the 
agency for more than 45 years. That is an amazing career. Thank 
you for your service. We appreciate your work and the efforts 
of everyone at the GAO that allows us to continue working 
together on a bipartisan basis to ensure that the Federal 
Government can and does better serve the American people.
    With that, I am happy to turn this over to Ranking Member 
Portman.

            OPENING STATEMENT OF SENATOR PORTMAN\2\

    Senator Portman. Thank you, Chair Peters. Mr. Dodaro, good 
to see you again. Thank you for being here. I know you are 
going to bring some of your experts with you as well today, and 
we look forward to your testimony.
---------------------------------------------------------------------------
    \2\ The prepared statement of Senator Portman appears in the 
Appendix on page 41.
---------------------------------------------------------------------------
    The subject of the hearing today, examining Federal 
programs identified by GAO as vulnerable to fraud, waste, 
abuse, and mismanagement, coincides exactly with the oversight 
responsibilities of this Committee, which aims to ensure that 
government programs are both cost-effective to root out waste 
and misconduct in Federal spending. This is a great hearing for 
us. I enjoy it every year and enjoy reading your report.
    This year's report, the GAO 2021 High-Risk report, can 
serve as a road map to maximizing the effectiveness of Federal 
expenditures. It is sort of a to-do list for this Committee. We 
had a good meeting this morning with you, with some of the 
media, talking about some of the highlights of it. I am glad in 
particular that this report identifies some important new 
areas, one of which is the national efforts to prevent, respond 
to, and recover from drug misuse and drug abuse. That is the 
first time it has been one of your important high-profile, 
high-risk issues.
    Illicit drugs, as we know, and the misuse of prescription 
drugs in particular has devastated so many people's lives in my 
home State of Ohio and around the country, and the opioid 
epidemic, in effect, has been started by prescription drug 
abuse. Not that there were not uses of heroin and other opioids 
previously, but that is really what spawned so much expansion 
of it. Unfortunately, we continue to see a lot of misuse of 
prescription drugs. I appreciate your doing it.
    We introduced legislation over time, including in December 
new legislation, the Comprehensive Addiction and Recovery Act 
(CARA) 2.0, and that will provide Federal resources for 
evidence-based education and prevention, treatment, recovery 
programs. It focuses a lot on this misuse of prescription drugs 
as well.
    We have used you all as a source of information. I 
appreciate that, and we will continue to use you. I think what 
you have done here in this report is pointed out the need for 
better coordination, which is really important. The Office of 
National Drug Control Policy (ONDCP), I think can play a more 
active role in coordinating the Federal response. You also talk 
about data, which I think is really important, to have better 
information to be able to legislate.
    We have been in the middle of this pandemic with 
coronavirus, and yet underneath it the epidemic of drug abuse 
has grown. As you point out, in the last 12-month period we 
have data for, which would be May 2019 to May 2020, you have 
the highest number of overdose deaths in the history of our 
country. Very sad. It is really heartbreaking given that we 
were making progress, including on Federal legislation that was 
making a difference in our communities.
    I am looking forward to hearing from you more on that and 
how we can implement some of your recommendations to address 
this issue, particularly on leadership and coordination.
    You have also identified cybersecurity as one of the five 
high-risk areas found to have regressed since you issued your 
2019 High-Risk List. That concerns me a lot because we are 
going in the wrong direction in terms of cybersecurity based 
on your analysis. I think that is correct. Probably the most 
obvious example of that is SolarWinds where we had this massive 
hack into our system, sensitive Federal agencies being hacked, 
but also the private sector through the Federal agencies and 
through some of the contractors. I appreciate the fact that you 
have identified not just this as a problem, but as a problem 
that is getting worse, not better. This would track our report 
we did in this Committee and our Subcommittee called 
"Permanent Subcommittee on Investigations (PSI)," which I 
know you were a part of. We basically showed how eight Federal 
agencies over the course of two administrations had failed to 
address their vulnerabilities in information technology (IT) 
infrastructure and how that is going to lead to problems. And 
sure enough it did, and it has made our personal information as 
Americans more subject to theft.
    The lack of a central authority to implement and 
coordinate the Nation's cybersecurity strategy is a problem, 
and you identify that. I happen to agree with you on that, and 
I am hopeful that we can have legislation to address it, in 
particular using the Department of Homeland Security (DHS) more 
effectively where we do have the ability to organize around 
Cybersecurity and Infrastructure Security Agency (CISA).
    I know that the National Cyber Director position has yet to 
be filled, so I look forward to talking to you about that and 
how to work with the administration to ensure that we have a 
position in the White House that effectively helps coordinate 
this. Recently, we learned of this SolarWinds hack, and that 
should be a wake-up call for all Americans.
    Finally, the report today highlights a number of high-risk 
areas this Committee has prioritized and will continue to 
prioritize as we progress through this Congress. The areas 
include the enforcement of tax laws, managing Federal real 
property. This is one of the great frustrations I have had. We 
passed a couple of bills now to try to do that, but we still 
have not figured out how to move Federal property much more 
quickly. There is a lot of excess property, so many thousands 
and so many billions of dollars wasted. Improving Federal 
oversight of food safety, something that is increasingly a 
concern, and, of course, the U.S. Postal Service's (USPS) 
financial viability. We have heard from the Postmaster General 
about his new reform. He just initiated some new reform ideas 
last week, so we hope to be able as a Committee to take that on 
with your help. We need you. We need GAO's help to deal with 
all these high-risk areas. Essentially, you have given us a 
checklist of some urgent priorities and on other issues as 
well.
    Thank you, Mr. Chairman. I look forward to hearing from Mr. 
Dodaro and our other witnesses today, and I look forward to 
using this GAO data information to help us do our work more 
effectively.
    Chairman Peters. Thank you, Ranking Member Portman.
    It is the practice of this Committee to swear in witnesses, so, 
Mr. Dodaro, and those from the GAO who may be testifying 
remotely, if you would stand and raise your right hand, the 
folks who are remotely as well, if you may be giving some 
testimony today.
    Do you swear the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Mr. Dodaro. I do.
    Mr. Mihm. I do.
    Mr. Gaffigan. I do.
    Mr. Marinos. I do.
    Mr. Trimble. I do.
    Chairman Peters. Everyone has answered in the affirmative.
    Gene Dodaro has served as Comptroller General of the U.S. 
Government Accountability Office since 2010 following two years 
as Acting Comptroller General, and in his over 45 years of 
service at the GAO, he has held a number of leadership 
positions, including Chief Operating Officer (COO) and head of 
GAO's Accounting and Information Management Division.
    Mr. Dodaro, once again, welcome to our Committee. You may 
proceed with your opening remarks.

  TESTIMONY OF THE HONORABLE EUGENE L. DODARO,\1\ COMPTROLLER 
 GENERAL OF THE UNITED STATES, U.S. GOVERNMENT ACCOUNTABILITY 
OFFICE; ACCOMPANIED BY J. CHRISTOPHER MIHM, MANAGING DIRECTOR, 
  STRATEGIC ISSUES; MARK GAFFIGAN, MANAGING DIRECTOR, NATURAL 
RESOURCES AND ENVIRONMENT; NICK MARINOS, DIRECTOR, INFORMATION 
   TECHNOLOGY AND CYBERSECURITY; AND DAVID TRIMBLE, MANAGING 
               DIRECTOR, PHYSICAL INFRASTRUCTURE

    Mr. Dodaro. Thank you very much, Mr. Chair, Ranking Member, 
Senator Portman. It is very good to see both of you today. I 
appreciate the opportunity to be here to talk about GAO's 
latest High-Risk List update.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Dodaro appears in the Appendix on 
page 44.
---------------------------------------------------------------------------
    There have been some bright spots of improvement since 2019 
when we last updated the list. But, overall, there has been 
limited progress.
    In 20 of the high-risk areas, the ratings substantially are 
not changed from what they were in 2019, and in five areas, 
they have actually regressed. Senator Portman referenced one. 
There are others. I am not satisfied with the progress that has 
been achieved, and I do not believe that Congress should be 
either. I think there is a lot of room for improvement here.
    Now, on the positive side, seven areas did improve, one to 
the point of removal from the list. That is the Department of 
Defense (DOD) support infrastructure. They actually reduced 
office space, warehouse space. They were able to get rid of 
some properties. Senator Portman, they were a big part of the 
government's efforts that were able to receive progress in that 
area. They reduced their leasing costs, and they have struck 
deals with local governments now to provide support services 
that have reduced their costs. We felt they were in good shape. 
They have also promised to implement all our recommendations if 
Congress ever authorizes another base closure round. I was very 
pleased with that. DOD in particular has made some very good 
progress over the past couple years.
    Now, we are adding two areas. Senator Portman, you 
referenced the one, which is on Federal efforts to prevent, 
respond to, and recover from drug misuse. From 2002 to 2019, 
800,000 Americans lost their lives to drug overdose, and the 
May 2019 to May 2020 period has the highest recorded annual 
increase, according to preliminary data from the Centers for 
Disease Control (CDC) of 80,000 people on an annual basis. We 
need greater national leadership, coordination, not only among 
Federal agencies but with State and local partners and partners 
in the private sector, in the health care industry, and in the 
law enforcement community as well. This is a multi-faceted 
issue. We have 67 open recommendations yet that need to be 
fulfilled.
    The other area we have added is the emergency loan programs 
created for Small Business Administration (SBA): the Paycheck 
Protection Program (PPP) and the Economic Injury Disaster Loan 
(EIDL) programs. Now, these programs have been very important 
components of helping small businesses, so I do not want to 
take anything away from the positive impact that they have had. 
But they are far short of transparency and accountability 
goals. We made recommendations back in June, a few months after 
they had gotten started, recognizing they needed to get the 
money out, but they needed to have oversight plans to protect 
program integrity, to protect against fraud. There has been 
fraud in the programs. Their financial auditors could not give 
an opinion on SBA's financial statements this past year because 
they could not support documentation for loan balances and the 
fact that they had flagged a lot of ineligible potential 
recipients and not had good controls in place both at their 
level or with the financial intermediaries that they hired to 
provide the loans. This area needs a lot of attention in order 
to take care of it.
    Now, there are several existing high-risk areas that I 
think are worthy of additional focus by the Congress. First is 
cybersecurity to protect our Nation, both among Federal 
agencies as well as critical infrastructure protection. I first 
designated this as a high-risk area across the entire Federal 
Government in 1997, so I have been trying to get Congress' and 
the agency's attention on this area. Unfortunately, the 
government is still not operating at a pace commensurate with 
the evolving and serious threats that are continuing to emerge. 
We have many recommendations in that area, and I am happy to 
elaborate on those further.
    I am also concerned about the state of the Federal 
workforce. Twenty-two of the high-risk areas are on the list 
because of skill gaps and critical shortages of both numbers of 
people and the type of skills that they need. I do not think 
the Federal Government's workforce is well postured to meet 
21st century challenges. So that is in need of attention as 
well.
    Limiting the Federal Government's exposure by better 
managing climate risk is another area that needs considerable 
attention. Focusing in on the government's growing 
environmental liabilities is another. Senator Portman 
referenced the Postal Service travails and financial issues, 
and their business model needs attention. These are among the 
areas.
    Importantly, I want to emphasize that only 12 of the 
areas--36 on the list--have demonstrated the leadership needed 
that we look for to begin the process of coming off the list. 
The areas that we have taken off the list in the past have all 
had essential ingredients: top agency leadership support, 
support from the Office of Management and Budget (OMB), which 
has been lacking recently, and also support from the Congress 
and leadership. When those three ingredients are present, that 
is the prescription for success here and dealing successfully 
with these high-risk areas, and achieving what we all want, is 
to get them off the list, to save billions of dollars, provide 
better services to the public and public safety and other 
matters, and to help build confidence in our government.
    Thank you very much, Mr. Chairman. I am happy to answer 
questions.
    Chairman Peters. Thank you, Comptroller.
    There is certainly an awful lot in the report that you have 
put out. I am going to focus on a couple of those items, and I 
am sure you are going to get questions on an awful long list of 
these over the course of the hearing.
    I want to start with the U.S. Government's environmental 
liability, which continues to stay on the list and grows, but I 
am going to focus on the DOD's liability in particular in my 
question to you.
    The Department of Defense, as I know you are aware, has 
identified more than 600 military installations and surrounding 
communities, including 14 of those installations in my home 
State of Michigan, that could be affected by highly toxic 
chemicals known as "PFAS." That is why I am concerned about 
the lack of progress that has been made by the DOD to address 
this public health and environmental crisis, and I understand 
that GAO is reviewing the military's response to PFAS 
contamination.
    My question to you, sir, is: Can you give us some more 
information on that review and what can we expect?
    Mr. Dodaro. We are looking at how DOD is approaching this 
issue both identifying the existence of PFAS chemicals--these 
are mostly firefighting foams at installations to put out 
fires, but they can get into the groundwater and contaminate 
things, so it is very serious. So we are looking at the 
prevalence of how DOD is going about identifying these 
dangerous chemicals and then remediating the action that has 
been placed.
    We are looking at the estimated cost of attending to this 
issue, and we are also going to be looking at DOD's efforts to 
identify products to provide these important services that do 
not have PFAS or other dangerous contaminants. We should have 
that report out later this year.
    Chairman Peters. Thank you. Ranking Member Portman, you had 
a quick question before I think you have another commitment?
    Senator Portman. Yes, thank you for the PFAS question. That 
is one we are deeply concerned about in the Wright-Patterson 
Air Force Base in the Dayton area, and thanks for your 
leadership on that, and we look forward to working with GAO on 
coming up with better ways to deal with it nationally.
    Just a quick question on the High-Risk List now including 
the drug misuse question, as you talked about. This has been 
going on, as you know, for decades, and specifically the opioid 
issue over the last 10 or 15 years. Why now? Why did you put it 
on the High-Risk List? What has changed?
    Mr. Dodaro. I was concerned about the escalating rate of 
overdose deaths, and I was also concerned--as has been 
mentioned, I have been in government for decades now. This has 
always been an issue as long as I have been present in 
government, and I wanted to try to do something about it and 
raise the profile.
    I do not believe we are dealing with the demand side of 
this issue as much as we need to. We need to deal with 
interdiction. We need to deal with treatment, of course. But 
unless we reduce the demand for these products through 
education and prevention and other things, we are never going 
to make headway.
    Drugs has always been a problem. The only thing has been 
drug of choice and, what is happening, and then this 
prescription drug element that added to it brought a different 
dimension to it as well. I am concerned. As a father of three 
and a grandfather of eight, I am concerned----
    Senator Portman. I am glad you included it this year, and I 
think one thing I thought you might say is that ONDCP clearly 
has not followed the national drug policy, which is what you 
lay out in your report, that they have actually missed putting 
out the strategies they are supposed to put out under law. 
Specifically, they have statutory requirements that they are 
supposed to be talking about in their five-year projections 
that they have not done.
    So my hope is that these recommendations would improve 
ONDCP's leadership role, clarify their mission, and make them a 
better coordinating body. So we appreciate you are doing that.
    The second question is with regard to this issue of worker 
training. I appreciate the fact that you got into that a little 
bit in your report. I hear back home the same thing. I heard it 
before the pandemic, which is we are looking for workers, but 
skilled workers, we cannot find them. So whether it is a welder 
or whether it is an IT professional, a coder, or whether it is 
a truck driver, the skilled workers are in demand again. In 
fact, there are lots of companies in Ohio who are advertising. 
I am told there are more people now looking for work than there 
have been since the pandemic began, which is good news for the 
economy, but, again, the same issue that was present before.
    In terms of how you get at this issue, have you looked much 
at what the Federal Government does vis-a-vis someone who wants 
to go to college versus somebody who wants to get a short-term 
training program? And shouldn't there be some more parity 
there, not to take, for instance, Pell grants away from 
colleges or universities at all, but to also offer a Pell if 
you want to get what is pretty expensive but which is a 
training program that gets you an industry-recognized 
credential like a welding degree?
    Mr. Dodaro. Right.
    Senator Portman. And shouldn't that be something that we 
should be promoting given our need right now and our workforce 
shortage with skilled workers? Any thoughts on that?
    Mr. Dodaro. I agree with you completely. There is a range 
of skills that are needed. There are things that people can 
adapt to. I will go back and take a look at that issue and see 
what we have done in the past. But I will certainly look more 
carefully at that issue in the future. The same thing is true 
of even community college degrees and things of that nature. I 
think the Federal Government can diversify. What we also find 
is there are a lot of best practices that occur in some of the 
worker training programs, but the Department of Labor (DOL) 
does not share that among the States, so they do not really 
have ideas on how they can refine their practices. So we made 
that recommendation as well.
    But I agree completely with you, and we will look more 
carefully at that issue.
    Senator Portman. Great. The final thing I want to mention 
is the cyber issue, and Senator Peters and I have worked on 
this issue over time, and it is so frustrating to have this 
massive hack, and hopefully it is a wake-up call for all of us. 
But specifically with regard to Federal coordination, you talk 
about the fact that we have yet to fill this position, which is 
really a White House position, as I understand it. But we also 
have not given CISA, which is the Department of Homeland 
Security cybersecurity entity, all of the resources it needs 
along with the authority that we have provided.
    What is your thought on that? Who should be coordinating 
this? We have DOD involved; we obviously have the intelligence 
agencies involved; and we have DHS involved; we have the White 
House involved; OMB is involved to make sure agencies are doing 
what they are supposed to do. But who should be coordinating? 
And shouldn't there be more accountability in this process?
    Mr. Dodaro. Absolutely. That is one of the reasons we rated 
them down, was there was not enough accountability and clear 
delineation of roles and responsibilities. My thought on this 
is you need a whole-of-government approach to this issue. CISA 
can play a very important role, but they do not decide who 
appoints the Chief Information Officers (CIOs) in the agencies. 
They do not pick the Chief Information Security Officers 
(CISO). That is the agency head's responsibility, so they need 
to be involved. OMB needs to be involved, and they have not 
been as involved as they have been in the past and need to be 
in the future. They can help both in making sure the resource 
investments are there, properly set out the right policies and 
guidance and make sure that they get vetted during the budget 
preparation process. As a former head of OMB, you recognize how 
powerful that process can be. CISA is basically the civilian 
side of things. They are not DOD. So you need the National 
Security Council (NSC) and DOD involved with the intel 
agencies. That is why I think this statutory provision in the 
White House is so important.
    The other thing that is important, Senator, is to get the 
message out that anybody that touches a Federal computer, 
whether it be a Federal employee or a contractor, or touches a 
system is a potential risk to the system in introducing 
malware. We need a whole-of-government thing. This has some 
technical dimensions, but in large part, it is a management 
problem, an awareness and trying to deal with having the right 
workforce associated with doing this. I think you need it at 
the White House level. CISA will play a role, the National 
Security Council, DOD. But, also, we need to build trust with 
the private sector to exchange information. We talked a little 
bit about that this morning at the press event. That is 
critical because, most of the assets, computing assets, are in 
the private sector hands. Unless we have sharing between the 
government and the private sector on a more easily flow basis, 
we are never going to get ahead of this issue, because it is 
like having intelligence but having it compartmentalized and 
not sharing it.
    Senator Portman. Right.
    Mr. Dodaro. That is dangerous.
    Senator Portman. We want to work with you on this one, and 
I think the report is very helpful. But we have talked about a 
legislative response to increase the coordination and the 
accountability, as you say, and I think there is only so much 
you can do from the legislative perspective if you authorize a 
position and it is not filled, so we also have to put pressure 
on the administration to step up. I assume that they would want 
to do that.
    But thank you again for all your work. We look forward to 
continuing to work with you every day on these issues of 
oversight that are a critical part of the mission of this 
Committee.
    Thank you for your indulgence, Mr. Chairman.
    Mr. Dodaro. Thank you, Senator.
    Chairman Peters. Absolutely, Ranking Member.
    Comptroller Dodaro, to continue going down the list, we 
talked about PFAS contamination with the Department of Defense, 
but also on your list is transforming the Environmental 
Protection Agency's (EPA) process for assessing and controlling 
toxic chemicals, which has also declined as well. The 
Environmental Protection Agency and other public health 
agencies have found that PFAS exposure above certain levels may 
lead to some very significant negative health impacts. Yet 
there has been little action across the Federal agencies to 
help families and their communities either reduce or eliminate 
their exposure to PFAS in drinking water or in the broader 
environment.
    My question to you, sir, is: What specific actions do you 
believe the Federal agencies should be considering right now in 
order to address the widespread public health and environmental 
crisis associated with PFAS?
    Mr. Dodaro. They need to fully identify and investigate all 
the different dimensions of that issue. Let me turn to one of 
our experts in the area, Mark Gaffigan, Senator, if I might. 
Mark, would you help respond here, please?
    Mr. Gaffigan. Sure, I would be happy to, Senator. Thanks 
for the question. I would say they can help in two areas.
    Mr. Dodaro. Mark, you need to speak up, if you can, please. 
We are not hearing you very well.
    Mr. Gaffigan. OK. Can you hear me a little better now?
    Chairman Peters. Yes, that is great. That is good.
    Mr. Gaffigan. OK. I would say there are two areas. There is 
the area of finding out more about these things, which the 
Comptroller General alluded to. Then the other area is to 
establish some standards as to what level we are going to clean 
this up to, and that can be a complicated thing. We have 
several considerations at the Federal level both, for example, 
in the Drinking Water Act and through Comprehensive 
Environmental Response, Compensation and Liability Act 
(CERCLA), which is the act of the Superfund, which would deal 
with existing sites.
    It is really important to figure out what standard we are 
going to clean that up to, and then as you go around these 
communities, they are all going to have a stake in this. To 
what extent that they want to have this cleaned up, and so 
there is a huge effort that needs to go in terms of regulating 
and then involving the other stakeholders and making sure that 
we are cleaning up to the right levels.
    Chairman Peters. Thank you for that.
    Comptroller Dodaro, Federal cybersecurity, as was mentioned 
in previous questions, once again is on your High-Risk List, 
and it remains there again after many years. Despite the 
existence of Federal information security standards, we 
continue to suffer unacceptable breaches.
    This Committee is going to be taking a close look at making 
some significant improvements to Federal cybersecurity. You 
mentioned some, but what are some of the key issues that you 
believe that we should be looking at in this Committee? What 
should the government and individual agencies be doing 
differently than they are doing right now?
    Mr. Dodaro. First, we have identified ten critical actions 
that need to be taken in the cybersecurity area in four areas.
    First, Mr. Chairman, is that we need a comprehensive both 
national and global cyberspace strategy, and it needs to be 
implemented effectively. It needs to address supply chain risk. 
We issued a report in December showing that none of the 23 
agencies we looked at had implemented the full range of best 
practices to managing supply chain risk, which was at the heart 
of the SolarWinds incident.
    We need to focus on the workforce issues. We need to deal 
with global issues. There needs to be some cyber diplomacy in 
this area and some norms set that there are in other areas that 
are very dangerous, whether it be chemical weapons or other 
matters. We need to look at emerging technologies. This issue 
is going to get more complicated with artificial intelligence 
(AI), quantum computing, and other factors. The strategy has to 
be holistic; it has to be domestic and international; and it 
has to focus on existing and emerging technologies.
    The second area is getting the Federal agencies to fix 
their problems, known weaknesses. These are weaknesses that 
have existed. Very few agencies have good, holistic IT security 
programs, including the Department of Homeland Security, by the 
way. They need to fix the problem and have good responses when 
incidents do occur to respond in a quick manner. There is more 
attention that needs to be done in those areas.
    We have 750 open recommendations right now. Since 2010, we 
have made 3,300 recommendations. These are very specific 
vulnerabilities that need to be closed. In the supply chain 
area, we made 145 recommendations to these agencies, so 
Congress can, you know, make sure that the agencies implement 
those recommendations.
    The third area is critical infrastructure protection. Now, 
here the standards for the private sector, except in a few 
instances where the Federal Government has regulatory 
responsibilities, are voluntarily implemented by the private 
sector. The Federal agencies have sector liaisons, and they are 
supposed to help promote the adoption of those standards in the 
private sector. But the fact remains that the Federal 
Government really does not have a good handle on the extent to 
which the private sector has adopted the standards from the 
National Institute of Technology (NIT) in those areas.
    Then the last area is protecting consumer information that 
is collected over the Internet. We have called for a number of 
years that Congress legislate a comprehensive consumer privacy 
protection framework that can protect the collection of the 
data, the reselling of that data, to make sure the public 
understands what is happening in those areas. There has not 
been any real serious legislation to deal with privacy issues 
since 2002, and, of course, the landscape has changed 
dramatically.
    Chairman Peters. Absolutely. I have a quick question for 
you, because I have to run off to vote, and when I vote, 
Senator Ossoff will assume the chair, but I will call on 
Senator Lankford before I leave. Comptroller Dodaro, our Nation 
is in the midst of a pandemic, and we have invested significant 
taxpayer dollars, as you know, to ensure that our communities 
have the support that they need. But oversight of these 
resources is absolutely critical for ensuring that the taxpayer 
money is actually going where it was intended and is being 
spent wisely.
    Will you commit to continuing GAO's strong oversight of the 
COVID-19 response and associated spending and keeping this 
Committee informed all along the way if you face any challenges 
whatsoever in your work or need for additional resources?
    Mr. Dodaro. I definitely commit to that. We have been 
giving monthly briefings since March 2020 and bimonthly public 
reports. We just issued our sixth bimonthly report. Going 
forward, we plan on issuing quarterly public reports but 
continue the monthly briefings, and I will definitely let this 
Committee know if we run into any difficulties obtaining 
information.
    Chairman Peters. Thank you. I will be running off to vote, 
but we have someone who just came in who was on the list. Sorry 
about that, Senator Lankford. As I run off, I recognize Senator 
Carper for your questions, Senator.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman. Can you hear me, Mr. 
Chairman?
    Chairman Peters. Yes, we can hear you well.
    Senator Carper. Good. Can you see me?
    Mr. Dodaro. Yes, we can see you now, Senator.
    Senator Carper. Mr. Dodaro, how are you doing?
    Mr. Dodaro. I am doing just fine, Senator. How are you?
    Senator Carper. I really enjoyed talking to you the other 
day. Thank you for taking the time with us then and today as 
well.
    As the title of GAO's 2021 high-risk report clearly states, 
committed leadership is essential to making progress in 
addressing high-risk areas. I always like to say leadership is 
the most important ingredient in anything that has something to 
do with success of the organization. Leadership is always the 
key to success.
    In 2019, GAO reported that about half of the high-risk 
areas identified had met the leadership commitment criteria, 
and of the 36 high-risk areas included in the 2021 report, only 
12 met the leadership commitment criteria. We dropped from a 
couple years ago, when we had 36--there were only just a very 
few relatively high-risk problems that were tied in with 
leadership. We have gone to hell in a hand basket here the last 
couple years in this report. It is not the direction we want to 
be trending.
    I just want to ask if you would take a moment to discuss 
with us the importance of leadership attention to these areas, 
these issues, and OMB leadership in particular given the many 
high-risk areas in multiple agencies. Could you do that for us, 
please?
    Mr. Dodaro. Yes. OMB leadership is essential because a 
number of the high-risk areas involve multiple agencies or 
governmentwide in scope, whether it be strategic human capital 
management, which is governmentwide; cybersecurity is 
governmentwide. A number of the other IT acquisitions and 
operations is governmentwide; personnel security clearance is 
governmentwide. OMB plays a very important role.
    Unfortunately, over the past few years, the practice that 
we had in place with previous administrations, both Democratic 
and Republican, of having meetings between OMB, GAO, and the 
agencies on the High-Risk List fell by the wayside. And that 
effort needs to be restored. I am going to be talking to the 
new leaders at OMB, and hopefully we can--once they are 
confirmed and we have people in place, and hopefully we can get 
those meetings back on. They were extremely helpful in getting 
the attention of the agency leaders, and it was important for 
the agency leaders to know that OMB cared about these areas and 
would be sensitive to them when they reviewed their budget 
submissions as part of the President's budget development 
process. That was very helpful as well. Congress needs to stay 
involved as well.
    I also plan to meet with new agency leaders once they are 
in place and confirmed to keep up my practice of dealing with 
agency leaders as well as trying to engage OMB again in a 
tripartite type of dialog on this issue.
    Senator Carper. That would be great if you could do that. 
Let me go to my second question so I do not run out of time. I 
understand that in the past the OMB Deputy Director for 
Management would meet regularly with agency leaders and GAO to 
discuss high-risk areas and monitor progress. I think you just 
alluded to this, but, however, you note that these regular 
meetings stopped occurring in recent years. You have already 
spoken a little bit to that, and is there anything you could 
say to speak to the value of OMB maintaining regular 
communications with Federal agencies and GAO? What advice would 
you offer to President Biden's nominee for OMB Deputy Director 
Shalanda Young and the President's nominee for Deputy Director 
for Management, Jason Miller, both of whom are scheduled to 
appear before our Committee I think later this week?
    Mr. Dodaro. Yes, these high-risk areas, there are a couple 
things I would suggest to them. First, the high-risk areas 
permeate some of the most important areas across the 
government, and some of the fastest-growing programs in the 
health care area, for example--Medicare and Medicaid are fast-
growing programs; the DOD weapons systems portfolio is $1.8 
trillion. There is a lot of money at stake in these areas and a 
lot of potential savings of tens of billions of dollars that 
could occur. There is a fiscal component of this which should 
interest both the Deputy Director for Budget as well as the 
Management Director. OMB has a large set of responsibilities by 
statute to address a lot of these cross-cutting management 
issues that are in place, over a period of time. It is very 
important for them to do this.
    Second is that I have seen administrations get consumed by 
crises and fires that occur, and the last two administrations, 
both had the double hat, the Deputy Director for Management 
with the Director of Office of Personnel Management (OPM), 
which diluted the attention of the Deputy for Management over 
there. Both happened in the Obama Administration and the Trump 
administration. That is one of the reasons OMB has kind of lost 
this focus over time.
    There is also by statute and this Committee sponsored 
legislation on performance management in government that 
requires OMB to do a portfolio analysis of any area identified 
by GAO as a high-risk area, and so far they have not complied 
with that requirement as well. That gives this Committee 
additional leverage to require the attention of OMB on these 
very important issues, any of which can lead to management 
breakdowns.
    Senator Carper. One more quick one, if I could, General. It 
just deals with applying lessons learned from the 2009 American 
Recovery and Reinvestment Act (ARRA). I think it was in 
February 2009 President Obama signed into law the American 
Recovery and Reinvestment Act. We think of it as the Great 
Recession, but the economic stimulus package authorized I think 
about $800 billion in emergency appropriations to counteract 
the worsening economic conditions following the 2008 financial 
crisis.
    To evaluate agency spending of those funds, the bill 
established certification requirements, quarterly reports, a 
board of agency Inspectors General (IG) that was responsible 
for directing oversight and maintaining a public website with 
information about how agencies were using the money. Similarly, 
to conduct oversight of funds appropriated under the CARES Act, 
Congress created the Pandemic Response Accountability Committee 
(PRAC), the Congressional Oversight Commission, and the Special 
Inspector General for Pandemic Recovery. Each task had specific 
oversight responsibility. The CARES Act also directed GAO to 
monitor and report on the Federal Government's pandemic 
response efforts.
    Mr. Dodaro, with regard to oversight and accountability, 
what are the most significant differences you see between 
recovery efforts during the Great Recession and now as we 
combat the COVID-19 pandemic? Second, what are some of the 
lessons learned from that time period that we could apply, 
should apply to these oversight efforts today? Thank you.
    Mr. Dodaro. Yes, first, the global financial crisis efforts 
were targeted largely in the financial institutions area, so it 
was a much more sector-focused issue. The pandemic has a wide 
impact across various sectors, virtually all sectors of the 
economy. The scope of them is different and the construct of 
the efforts are different, but there are some lessons to be 
learned. I would contrast the Troubled Asset Relief Program 
(TARP) that was set up with $700 billion to provide support to 
the financial markets and the banks and the auto makers and 
others with what was done in the SBA with the emergency loan 
programs, so about similar size and scale.
    The TARP program, we worked hand in glove, starting with 
the Bush Administration through the Obama Administration, to 
build in internal controls up front, and they were able to get 
a clean opinion on their financial statements in the very first 
year, even though this was a brand-new, multi-hundred-billion-
dollar kind of program. SBA, I made the same offer there and 
did not really get any traction with the people, and so they 
were unable to pass their audit, and they did not build in 
enough controls up front--not before they started lending, but 
soon thereafter, to build in the safeguards as soon as 
practicable without holding up the release of the money.
    So building in transparency and accountability issues early 
is very important. The legislation for the Recovery Act 
required a public website, which was true in the pandemic, but 
SBA decided not to initially release the recipients of loans 
under $150,000, and it was not until a Freedom of Information 
Act (FOIA) request and the courts ordered them to release the 
information did they release the information.
    The other part of this is there is a need for clear, 
consistent communication, particularly with the State and local 
governments. During the Recovery Act, I received a letter from 
a lot of State budget officers, procurement officials, IT 
professionals, asking for coordination with the Federal 
Government. I worked with the OMB Director at the time, and we 
had regular meetings with them on a regular basis.
    In the coronavirus, the coordination with the State and 
local governments was not as robust as it needed to be, in my 
opinion, and so you had a lot of confusion, the most recent 
being in the vaccine area, but, before that it was in who is 
responsible for what. Is the Federal Government responsible for 
providing Personal Protective Equipment (PPE)? Is it the 
States' responsibility since they are the locus of 
responsibility for public health service? We were sorting those 
things out in the middle of a pandemic, and that is not the 
time to do it.
    You need to have clearer lines of authority and 
communication. You need to build in transparency and 
accountability earlier. You need to have better data to make 
good decisions. Right now this pandemic has laid bare the 
frailties of our public health system being on a very 
decentralized basis, and we do not have good national data for 
surveillance purposes and targeting our responses. We have made 
a lot of recommendations in those areas, including dealing with 
racial disparities and the impact of the pandemic and now the 
distribution and the administration of the vaccines going 
forward.
    Those are the key lessons learned on all these things that 
I have been involved with for many decades now.
    Senator Carper. I want to thank you for your leadership. I 
want to thank Chris Mihm for his good work and your entire 
team. We are blessed by you. You have more than earned your pay 
in the last year, but you have been doing it forever, so thank 
you very much. Keep up the great work. God bless.
    Mr. Dodaro. Thank you, Senator Carper. I appreciate it.
    Senator Ossoff [presiding.] Thank you, Senator Carper.
    Senator Hassan is recognized.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you. I want to thank the Chair and 
our Ranking Member and our substitute Chair right now for this 
hearing. Comptroller General Dodaro, thank you and your 
dedicated team for your testimony today.
    I also want to congratulate the Government Accountability 
Office as it celebrates 100 years of service. I am particularly 
grateful, as Chair of the Emerging Threats and Spending 
Oversight Subcommittee (ETSO), for GAO's work to help the 
Federal Government save taxpayer dollars and operate more 
effectively. To that end, Senator Paul and I plan to circulate 
a bipartisan resolution to recognize GAO's 100th anniversary, 
and I will invite all of our colleagues to join.
    My first question to you today, Comptroller General, is 
about IT acquisitions and operations. The pandemic has put into 
sharp relief something many of us already knew, namely, that 
aging Federal IT systems lagged behind those of private 
organizations in terms of their ability to innovate and adapt 
to the ever-changing technological landscape.
    Last summer I wrote to the 10 agencies with the most 
critical legacy IT systems identified by a 2019 GAO report, and 
I asked them for their plans to move away from legacy IT. Yet 
several months later, as the High-Risk List notes, three out of 
those ten agencies had yet to produce plans to reduce reliance 
on these outdated systems that are costly, open Federal 
systems up to security vulnerabilities, and do not meet the 
level of customer service that Americans expect in the 21st 
century.
    Why is it important, Comptroller General, for all agencies 
to have a plan in place to transition away from legacy IT 
systems?
    Mr. Dodaro. This is critical to improving services to the 
public, first, and particularly during a pandemic when you are 
limited to virtual amounts. The disability claims have been 
backlogged both at the Department of Veterans Affairs (VA) and 
Social Security Administration (SSA) because things were not 
set up to do things smoothly virtually and to conduct 
transactions and conduct business. Citizens are used to dealing 
with the private sector and getting more regular, better 
service from them. To be more responsive, efficient, and have 
greater transparency, but also these security issues cannot be 
overestimated. These legacy systems are a millstone around the 
neck of Federal agencies and the efforts of the Federal 
Government to secure its systems. They were designed 40 and 50 
years ago with nowhere near the concern about cybersecurity 
that we have today, and they desperately need to be changed. 
They are not nimble when things occur and things happen.
    I thought the Congress, in setting up the Technology 
Modernization Fund (TMF), which is a good move--and I would 
encourage Congress to look at funding that properly because 
things could be rapidly approved there and they could have some 
efforts underway to be able to begin to modernize these 
systems. But it is also why you need to have authorities to the 
Chief Information Officers in the agencies.
    Now, I first worked with this Committee in the 1990s to 
pass the Clinger-Cohen Act, which first established Chief 
Information Officers in the government, and they were supposed 
to have a seat at the table and really control this. It did not 
really pan out that way. The agencies did not give them a full 
set of authorities. In 2014, Congress passed the Federal 
Information Technology Reform Act (FITRA) to really emphasize 
CIOs having these authorities. They still do not have them 
completely across government. This would be an important issue 
as well.
    Senator Hassan. That is very helpful feedback, and it 
brings me to my next concern, which is really a follow-up on 
what you just said on cybersecurity and Continuous Diagnostics 
and Mitigation (CDM) programs, too. Cybersecurity has been on 
the High-Risk List for 24 years, and over the past 2 years, the 
leadership commitment in this area has declined. This is 
disturbing, especially, of course, in light of the SolarWinds 
attack, and I look forward to working with the Biden-Harris 
administration and all of my congressional colleagues to ensure 
that we have the necessary leadership in place to coordinate 
Federal cybersecurity efforts to anticipate and prevent these 
attacks.
    Along those lines, this year's report also shows how 
Federal agencies struggle to implement programs to monitor and 
address cybersecurity risks. These programs include the 
Department of Homeland Security's Continuous Diagnostics and 
Mitigation Program.
    What obstacles are preventing agencies from fully 
implementing these types of monitoring programs? How can 
Congress help agencies overcome these obstacles? Then after you 
answer that, I have one more question, so if you can be fairly 
brief here, that would be great.
    Mr. Dodaro. OK. I will ask Nick Marinos, who is our 
cybersecurity expert, to respond to your question. He is 
younger. He will be briefer than me. [Laughter.]
    Senator Hassan. I would appreciate that very much, not the 
briefer part but just getting fully up to speed on what we need 
to do.
    Mr. Dodaro. Sure.
    Senator Hassan. My last question is----
    Mr. Dodaro. No. He is here. He is on----
    Senator Hassan. Oh, is he on? OK.
    Mr. Dodaro. Nick, could you please respond?
    Mr. Marinos. Yes. Can you hear me OK?
    Mr. Dodaro. Yes, just talk up a little more.
    Senator Hassan. There we go.
    Mr. Marinos. Sure, will do. Senator, I think to be very 
brief on this, CDM is a governmentwide initiative that CISA has 
put out there, and it has several others, and the reality is 
that for these things to be successful, it requires agencies to 
be best positioned to actually leverage the skill, the 
capabilities that DHS is providing. In many cases, we have seen 
challenges from agencies in using some of these tools because 
they themselves do not have a good accounting of what is 
connected to their environments. In other words, you cannot 
protect what you do not know is on your network. We need to see 
improvements not only from Federal agencies, but also DHS in 
providing them assistance to get better at that.
    Senator Hassan. OK. Thank you very much. I appreciate that. 
I am glad you are here.
    So now my third question. Mr. Dodaro, as part of the year-
end COVID-19 relief package, Senator Collins and I negotiated 
$10 billion in flexible funding for the United States Postal 
Service. That money was intended to assist the Postal Service 
in addressing its immediate financial hardship while upholding 
service standards expected by the American people. As the High-
Risk List notes, even with this funding to cover its operating 
costs, the Postal Service anticipates that it still will not be 
able to meet its required payments under its current business 
model.
    In your view, what statutory reforms to the current 
business model are required to bring the Postal Service back 
from the brink of insolvency without sacrificing service?
    Mr. Dodaro. I think there needs to be a clear agreement 
between the Congress and the Postal Service that is immutable 
about what service is expected to be provided and then to 
figure out how to pay for it. I am not sure the current 
business model that relies on First-Class mail is a sustainable 
model on how to pay for that over time. While the Postal 
Service may be able to deal with the margins with that, I am 
not sure that they are going to be able to operate like a 
business, if you will, which has been the expectation, and 
finance that level of service.
    The Federal Government provides support and carries out 
functions that are not viable functions for the private sector. 
Unfortunately, the postal operations are sort of moving in that 
direction and has been slowly for years and been precipitated 
even more by the global financial crisis, now by the pandemic. 
With the advent of technology and generational change 
statistics are coming with expectations of younger people 
dealing not with paper mail, I do not think the prospects are 
there that the Postal Service by itself is going to be able to 
generate the revenue necessary to meet the Congress' 
expectation for services. Some other arrangement for financing 
and governance needs to be struck, in my opinion.
    Senator Hassan. OK. Thank you for that feedback as well. 
Again, thank you and your entire team for its excellent work, 
and congratulations on 100 years.
    Mr. Dodaro. Thank you for the recognition you plan to give 
us.
    Senator Hassan. You are welcome.
    Senator Ossoff. Thank you, Senator Hassan.
    Senator Rosen is recognized.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Mr. Chair, and, first, thank you 
Mr. Dodaro, and your whole team for the tireless work that you 
do every day.
    I want to build a little bit on what Senator Hassan was 
talking about on cybersecurity, and I want to focus a little 
bit on data centers because the GAO notes in this report that 
information security has been designated as a governmentwide 
high-risk area since 1997. In 2003, GAO expanded this hearing 
area to include protection of critical cyber infrastructure. 
Chair Peters, Senator Hassan, and I all supported cybersecurity 
legislation. It was signed into law as part of the National 
Defense Authorization Act (NDAA) last year, but there is so 
much more to do, and I hope that we are going to continue to do 
that work here in Congress.
    But in the report, GAO has a section on page 173 on what 
remains to be done. In cybersecurity, one of the 
recommendations is, like we talked about, protecting cyber 
critical infrastructure. One idea my office has been working on 
is legislation that would require OMB to develop a new set of 
standards for Federal data centers in areas such as resilience 
against natural disasters, against power failures like the ones 
that we saw with the winter storm just the last few weeks, 
particularly in Texas, and, of course, cyber intrusions. Nevada 
is home to numerous data centers, and we know the major role 
that they play in both our economy and our national security. 
As the United States faces a growing number of serious cyber 
attacks, I think it is safe to say data centers are critical 
infrastructure.
    Mr. Dodaro, GAO had issued that report that we want OMB 
to continue to report on data centers because of their 
potential to be targets for cyber attack. Could you give us a 
progress update on that report? Have you been following what 
OMB has been doing and if they have been implementing their 
recommendations?
    Mr. Dodaro. Yes, we have been following that carefully. 
There have been data center consolidations that have saved 
billions of dollars. Unfortunately, OMB changed the definition 
of what they consider to be a data center, which we do not 
think was a good development. I will ask Nick Marinos to 
explain a little bit more about that and what the potential is, 
but I definitely think the remaining data centers that the 
government needs to keep need to be protected and be resilient 
and protected from cyber attacks.
    Nick.
    Mr. Marinos. Sure. Yes, Senator Rosen, I would just add 
that specific to the OMB definition, the change last year in 
how OMB categorized or identified what was considered a data 
center presents some security problems as well, because 
previous to that change in the definition, OMB had recognized 
that many of those facilities that had been previously 
identified as data centers presented security vulnerabilities.
    Now looking forward, if you are tracking less of these data 
centers, you are also tracking the potential that they could be 
exploited, those security vulnerabilities could be exploited. I 
think anything that Congress can do to help encourage OMB to 
accurately depict what data centers are continuing to still be 
out there will help. They have definitely made progress in 
implementing a lot of our recommendations, and we have seen an 
additional $440 million in savings. But the security risk is 
still there.
    Senator Rosen. Thank you. I want to follow up on that 
because GAO also wrote in the report that it has suggested 
revisions to the Privacy Act of 1974 and the E-Government Act 
of 2002. They have still not been enacted as of December 2020. 
Could you speak a little bit to those revisions and why GAO 
believes they are important for protecting sensitive data?
    Mr. Dodaro. Yes. The Federal Government's requirements in 
this area are terribly outdated and do not really reflect 
proper focus on protecting the privacy of information, 
particularly the information reselling that is occurring on the 
Internet. A lot of people are unaware of these issues, so I 
think there needs to be some minimum standards.
    There have been a lot of discussions about social media and 
other collection of information and the marketing of that 
information. But right now, the consumers are at a decided 
disadvantage, and it has been particularly acute during the 
pandemic when they do not have other alternatives and have to 
turn to doing a lot of things virtually and online that they 
maybe not would have done previously in order to protect their 
health. Congress needs to modernize these areas so that also is 
important. When there are breaches in the private sector, that 
there are standards for notifications to people to be able to 
have them figure out how to protect themselves and what kind of 
rights they have during that period of time.
    Nick, did I miss anything there?
    Mr. Marinos. I would just add that on the Federal side, in 
terms of the Privacy Act, we are sadly coming to the 50th 
anniversary of that act, and to recognize what the Comptroller 
General articulated, how much technology has changed the way 
that we collect and use information, there are really three key 
things that we have talked to needing revisions when it comes 
to the Federal privacy law.
    The first is making sure that we are applying privacy 
protections consistently across all information, so that means 
getting a better understanding of what is really identified as 
personally identifiable information (PII) at Federal agencies.
    The second is making sure that whatever we are collecting 
the personal information for is the only thing that we are 
using that information for. Making sure that agencies 
understand how they can actually use the information and what 
they cannot use it for.
    Then the last is making sure there are effective ways to 
communicate to the public what information the Federal 
Government has on them and then how can they find out that 
information as well. We need better redressing to be 
articulated within a future law.
    Senator Rosen. I think that is great. I think that everyone 
agrees that there needs to be some kind of robust conversation 
in regards to all of our personal information. But, quickly--I 
only have 30 seconds--I am just going to ask this question. I 
will take the answers off the record, but I would like to have 
you talk a little bit about the skills gap in the Federal 
workforce. It poses a high risk to our Nation that we do not 
have--the root cause of some of our problems is we do not have 
a highly skilled workforce, particularly in the cybersecurity 
area, and the Department of Defense really in particular. DOD 
acknowledges that workforce planning across the Department is 
inconsistent, and we need to be sure, especially in DOD, that 
we attract top talent, that we up-skill everyone with all the--
as we do IT modernization, it also means we have to train folks 
to come up, to do those skills, to know what is going on, to 
pay attention to new technology and be forward thinking. We are 
going to have to address that skill gap.
    Do you think there is motivation in DOD to do that? I guess 
my time has expired. I do not know if I am the last person, so 
if I am, I can let you answer. If not, I will be glad to take 
it off the record.
    Chairman Peters [presiding.] We do have other folks here 
asking questions.
    Senator Rosen. Thank you. I will take it off the record. 
Thank you very much.
    Chairman Peters. Thank you, Senator.
    Senator Lankford, you are recognized for your questions.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Mr. Chairman. Gene, it is good 
to see you again.
    Mr. Dodaro. Good to see you, Senator.
    Senator Lankford. We have seen each other year after year 
for several years, and each year we have talked a little bit 
about the Taxpayer's Right to Know, and each year you have said 
we really need that if we are going to get accurate information 
and we are going to be able to get it to Congress fast.
    Guess what? In December, we finally passed that bill that I 
have been working on for a decade to be able to get through 
this process. It is now going through the process at OMB and 
then will be coming to you. What do you anticipate with the 
Taxpayer's Right to Know, with that bill? What do you need from 
it first?
    Mr. Dodaro. First we need an unequivocal commitment from 
OMB to implement it properly. There have been previous bills 
that have been passed--the Government Performance and Results 
Act (GPRA). We still do not have a complete program inventory 
even though that law passed 10 years ago now, the Modernization 
Act. They committed to it in the Digital Accountability and 
Transparency (DATA) Act; they made good headway, them and 
Treasury. It was a good partnership, and that is coming along. 
We need that commitment.
    I also plan, even though the requirements for GAO to 
evaluate the implementation of that do not trigger in for a few 
years, that I am going to engage right away and try to build 
in--that is what we did on the DATA Act, right from the 
beginning, and I plan to be very engaged in that.
    I want to offer my congratulations to you on getting that 
legislation passed. I think it is a great accomplishment for 
you and for the country. I think it will yield tremendous 
results if implemented properly.
    Senator Lankford. Yes, we will stay on top of that for 
implementation as well, so I appreciate the partnership to be 
able to help get that done. It does not help anyone if it is 
sitting on the shelf somewhere and they are thinking about it 
at that point.
    Let me shift to some other issues. Census has been a 
challenge this year, obviously, with the pandemic. This 
Committee, I understand, is planning to have a census hearing 
to be able to go through some of the issues that they have had. 
They are obviously very delayed. It is causing a constitutional 
problem in multiple States, including my own, when Census is 
not going to turn over their data until months after when our 
State Constitution requires that all of our redistricting be 
complete, and that is in multiple States that are out there.
    At the same time, the Internal Revenue Service (IRS) was 
given additional time. They communicate with just as many 
Americans--in a different format, obviously. I think my 
question is: What can Census learn from IRS on how to be able 
to make a connection with that many Americans? As we look 10 
years into the future, as you all have looked at Census, are 
there ways to be able to combine that work with IRS and Census 
every 10 years so that they are not having to replicate, so we 
do not have one part of the government connecting with every 
American in IRS and another part of the government connecting 
with every American through Census, as if the two of them 
cannot actually talk to each other? Are there ways we can 
actually gain some insight?
    Mr. Dodaro. Right. I am going to ask Chris Mihm, who is in 
charge of both IRS and the Census in the work at the GAO, to 
respond quickly, Senator.
    Senator Lankford. Thanks. Chris.
    Mr. Mihm. Thank you, Senator Lankford. It was wonderful to 
see you, sir.
    Senator Lankford. Good to see you again.
    Mr. Mihm. First, one of the things that was new this time 
is the use of administrative records to help take some of the 
final census counts, and in part, the Census Bureau did rely on 
IRS records to help them identify and do some of the 
fundamental enumeration. That willingness to engage in 
partnerships and use administrative records that have been 
validated and verified for their quality and completeness is an 
important step that the Census Bureau has taken and that we 
have been encouraging at least since the 1990 census, and they 
need to keep exploring additional opportunities to do that not 
just in the enumeration but, building address lists and all the 
rest.
    There are plenty of opportunities for them to work not just 
with IRS but with agencies across government that have all of 
these data sets. As I am sure you have heard from people, and 
we certainly have, people seem to be of two minds when they are 
answering the census and say, first, ``Why are you asking me 
these invasive questions?'' Second, ``The government already 
has this information.''
    Let us make it easier on people to the extent that we can, 
and that is one of the key things that we need to be looking 
for as we get to the 2030 census.
    When you talk about the Committee holding a hearing, we 
would certainly look to support you as part of that hearing. I 
think just one of the vital steps that I would urge you to be 
looking at is how are they beginning the early planning for the 
2030 census? Because if we only begin to care about that in 
year 5, 6, or 7, then we are basically flying a plane that 
someone else has built. The fundamental design decisions are 
going to be made early in the decade, and that is when 
Congress' intervention and oversight is most needed on the 
census.
    Senator Lankford. I would agree on that, and that is 
something I have been pushing for years as well on this. There 
is no reason why we cannot use the IRS collection of data, and 
when people turn their taxes in that year in 2030, also they 
have additional questions on their tax forms that completes 
their census as well. There is no reason we need to have two 
sets of mail, two sets of connection points, if we can only 
have one and have a pretty efficient system and then get a 
chance to be able to do cleanup connections with other people 
that did not turn in tax forms, of which there are millions of 
people that do not.
    Let me ask about telework. This is something I have looked 
at for a long time, that suddenly a government that has been 
dragging their feet on it for a long time suddenly became 
experts at it in 2020. We have lots of agencies that said, ``We 
do not have many people that could do telework.'' In 2019 they 
said that. Then in 2020, the vast majority of the folks did 
telework on it.
    What are the lessons learned? What can we begin to examine 
for the future in this?
    Mr. Dodaro. Definitely there are advantages to this, both 
in terms of broadening out the diversity of your hires, in many 
areas, if you did not have a physical location, people would 
not want to be employed there. But they could be employed in a 
lot of different locations now and not be tied to that physical 
location. It can gain the government access, and people, to 
other individuals that normally would not potentially be in 
your pool of potential employees. That is number one.
    Number two, you need IT systems to be able to do this, to 
operate effectively as well. Fortunately, just to use GAO's 
experience, we were already allowing our people to telework up 
to 66 out of 80 hours every two weeks. When the pandemic hit, 
we went to 100 percent telework, no problem, and we did not 
really lose any efficiency, except for classified work that you 
need it to be.
    There are a lot of lessons. You also do not need as much of 
a physical footprint for office space, so you can reduce costs 
that way. When we did this, we reduced our footprint in our 11 
field offices almost by 40 percent in terms of office space. 
Then you can hire more people rather than pay for buildings.
    Senator Lankford. Is there a gain of doing remote work 
rather than telework, where remote work is a title that you 
would never be expected to be able to physically come into an 
office rather than you are expected to come in one day a week 
or something when you do telework, often, but to actually--you 
could hire someone in South Dakota or Oklahoma or other places 
to be able to work for a Federal agency here?
    Mr. Dodaro. There are definitely possibilities for doing 
that. If you look at the private sector and call center 
operations, I mean, you talk to people around the world if you 
call and ask for help from a company or whatever. I was having 
a problem during the pandemic. I called and was talking to 
somebody in Central America, and he helped me fix my problem. 
It was not a problem.
    Yes, there are more opportunities for that. It has to be in 
select areas. It has to be monitored and supervised 
appropriately, but there are opportunities for that.
    Senator Lankford. Good. I look forward to that dialog. 
Thank you.
    Chairman Peters. Thank you, Senator Lankford.
    The Chair recognizes Senator Ossoff for your questions.

              OPENING STATEMENT OF SENATOR OSSOFF

    Senator Ossoff. Thank you, Mr. Chairman. Thank you to you 
and your team for joining us.
    I appreciate that you lay out a specific list of programs 
requiring oversight, requiring improvement of performance, 
because naming names and being specific is vital to 
accountability. I want to ask if you can extend that 
specificity and name those Federal contractors or vendors 
specifically who are the worst offenders when it comes to 
performance, when it comes to cost discipline, when it comes to 
the honesty and integrity of their engagement with the U.S. 
Government.
    Mr. Dodaro. That would take additional research to be able 
to do that. I do not have that off the top of my head, so I 
cannot respond to that right now.
    Senator Ossoff. Your colleague who has the strategic 
jurisdiction, that includes the Department of Defense. Is that 
correct?
    Mr. Dodaro. Yes.
    Senator Ossoff. Sir, could you please name those specific 
defense contractors whose performance, whose adherence to 
procurement guidelines, whose keeping with budgets and 
responsiveness perhaps to GAO increase, is most deficient?
    Mr. Dodaro. Yes, I do not think that I have anybody on the 
line that can answer that specific question.
    Senator Ossoff. The GAO does not know which Federal 
contractors are the worst offenders when it comes to 
procurement contracting performance cost?
    Mr. Dodaro. There are shared responsibilities here in these 
areas. In some cases the Federal agencies were not specific in 
their requirements, in setting the requirements, so it is hard 
to adjudicate. I mean, our list focuses on--like, for example, 
we have the DOD weapons systems development on the High-Risk 
List. We have National Aeronautics and Space Administration 
(NASA) on the High-Risk List. We focus on how the Federal 
agencies are managing the contractors, not evaluating the 
contractors' performance themselves. That is the agency's 
responsibility.
    Our responsibility is to evaluate how well the agencies are 
managing the contractors, and so that is why you have the 
accountability pinpointed by us----
    Senator Ossoff. OK.
    Mr. Dodaro [continuing]. On the agencies at this point.
    Senator Ossoff. Within the Department of Defense, which 
specific program offices have shown the least competence and 
discipline at managing contractors and procurement processes?
    Mr. Dodaro. It varies, I mean, across the defense weapons 
portfolio and other areas. Defense is a big enterprise. I would 
have to go back and take a look and see if we can do that. Part 
of the problem there is they rotate a lot of individuals over a 
period of time. They are also going through a big 
transformation right now where they are moving to delegate more 
responsibilities to the three services to manage the 
contractors and the weapons systems development and move away 
from centralized management across the defense portfolio. They 
are undertaking a lot of reforms at this point, which makes it 
a little bit more difficult to----
    Senator Ossoff. You and your staff pore through the details 
of these programs and program offices such that you can 
generate specific lists of the worst offenders, and so I would 
like to ask again if you cannot name specifically some program 
offices within the Department of Defense that have been most 
deficient in their responsibility to competently and in a 
disciplined way execute their obligations to manage defense 
programs and procurement processes?
    Mr. Dodaro. Yes, I would have to go back and see if I could 
provide something.
    Senator Ossoff. OK. You can provide that?
    Mr. Dodaro. I will see what we can do, what I can provide 
for the record.
    Senator Ossoff. OK. I am looking forward to that.
    We have discussed in this hearing the financial viability 
of the U.S. Postal Service. Could you specify the causes of the 
widely reported and universally observed slowdown in mail 
service over the last year?
    Mr. Dodaro. Yes, I have our postal expert on. Dave?
    Mr. Trimble. Yes, thank you for the question. The quality 
of service during the last year was a problem for the post 
office. The service performance was in the 80 to 90 percent 
range in terms of meeting their targets. But by the end of the 
year, in terms of November and December, that dropped down 
much closer to 60 percent in some cases.
    According to the post office, a lot of that was due to, 
obviously, COVID had a huge impact both in terms of employees--
a lot of employees were out sick--but also in terms of 
fundamental things like getting transportation services. With 
the decrease in air travel, there are a lot of challenges in 
terms of the logistics meeting service delivery. Those are 
pretty big hurdles they had to handle, and, of course, they had 
a huge surge in package volumes, which also taxed their 
systems.
    Senator Ossoff. Thank you. I appreciate that. And you say 
``according to the post office.'' I am curious what steps GAO 
takes to corroborate the explanations provided by agencies 
where you make such inquiries and what steps specifically you 
took to investigate this matter with the Postal Service.
    Mr. Dodaro. Yes, go ahead, Dave. We look at their data, 
their performance data. We just do not take their word for it.
    Senator Ossoff. But when it comes to causes of poorer 
performance--because the fact that performance declined is not 
controversial, but we are trying to understand why. In addition 
to requesting explanations from the relevant agency, what steps 
did you take to corroborate or validate their claims?
    Mr. Dodaro. Yes, go ahead, Dave.
    Mr. Trimble. Yes, so we have an ongoing review looking at 
performance as a result of COVID, during the time of COVID, if 
you will. We would obtain detailed documentation from them in 
terms of employees out sick, employees taking sick leave. They 
have had to do a lot of hirings. We have gotten a lot of data 
on actual hiring as they have attempted to backfill those 
vacant spots. Then the service performance changes, we are also 
doing data analysis to track that by location to map that to 
the employee disruptions, but also just to highlight the 
national numbers on performance do not really tell the story, 
where if you can say it is at 70 or 80 percent, but, for 
example, in Baltimore or New York it is getting closer to 60 
percent a certain month, there is a huge disparity in the 
performance that some communities have seen.
    Senator Ossoff. Thank you. One final question, if I might. 
I know that your mandate includes to assess where the efficacy 
of Federal programs and the impact on the public is inadequate 
and where harm results. One of the concerns that I have--and I 
think there may be room for bipartisanship to resolve some of 
these issues--is that the complexity and the number of 
different Federal programs, different Federal support and 
assistance programs, that people who are already in 
economically precarious situations must navigate to access 
support can be overwhelming for people who are already time-
poor.
    For example, during this pandemic, to obtain federally 
funded food assistance, a person has to apply for Supplemental 
Nutrition Assistance Program (SNAP) benefits through a local 
county Department of Children And Family Services (DFCS) 
office. To obtain federally funded emergency rental or housing 
assistance, a person must navigate their local government or 
nonprofit websites to apply for help. To obtain federally 
funded utility assistance under the Low Income Home Energy 
Assistance Program (LIHEAP), you have to apply through a 
community action agency. To obtain health care coverage in the 
special open enrollment period, you have to go to the Federal 
marketplace.
    Navigating this bureaucracy is challenging for anyone even 
in good times. For people who are short on money and short on 
time, it can be overwhelming. What is your assessment of how 
policymakers can make navigating the bureaucracy of Federal 
assistance and Federal support more streamlined and easier for 
people who need help?
    Mr. Dodaro. There are ample opportunities to consolidate 
and eliminate overlap, fragmentation, duplication in the 
Federal Government. We have a special effort that was started 
by a Senator from this Committee years ago, Senator Coburn from 
Oklahoma, and we issue a regular report on that, and we look 
for opportunities across government.
    In dealing with that issue, though, you also have to tackle 
how the Federal Government is using intermediaries, whether it 
be the State governments and whether or not the States use 
county or local governments, and each State is set up 
differently, and each health care department, their employment 
services, their foster care, whatever the support services. 
There is an extra level of complexity when the Federal 
Government uses State and local governments to administer these 
services. Many of these services you talked about are through 
either State and local governments or nonprofits or others. 
There is not direct Federal involvement.
    There has to be some encouragement of States to combine 
these activities and some ability of the Federal Government to 
allow for that to happen while still retaining some sort of 
accountability over those services.
    We have a very complex, probably overly complex, as you are 
pointing out, intergovernmental delivery system in the United 
States, and it is very hard for people looking for these 
services. Many people do not know which part of government is 
funding their services, whether they are getting it--is it 
Federal funding, State funding? They do not really care. They 
just want the help and the service.
    But it is a worthy issue to pursue, but it is very complex, 
but there are opportunities there, and it is a very expensive 
system. If you look at the administrative costs of these 
systems and how much is going for administrative costs and not 
going for actual service delivery, I think you would be 
surprised.
    Senator Ossoff. Thank you. I hope we can work together to 
make it easier for people who need help to get it.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Ossoff.
    Senator Scott, you are recognized for your questions.

               OPENING STATEMENT OF SENATOR SCOTT

    Senator Scott. Thank you, Mr. Chairman.
    First, Gene, I want to thank you and your team. The 
information you put out is really helpful. Having been up here 
a couple years, the reports you guys put out, you guys do a 
good job. Thanks for doing it.
    What do you think about the fact we now are sitting on $27 
trillion worth of debt? If we pass the next reconciliation 
bill, it will be another $2 trillion, so we are going to be 
close to $30 trillion for the debt. We are already at 140 
percent of gross domestic product (GDP). Our debt is 140 
percent of GDP. We are already seeing interest rates go up 
since November quite a bit, actually, 10 years, up quite a bit. 
We are seeing a lot of inflation impacts. Families like mine 
growing up, food prices are up, gas prices are up, impacts the 
poorest families in the country.
    What do you think about this?
    Mr. Dodaro. The last four years I have called for the 
Federal Government to have a plan to deal with the long-term 
finances. We are basically on an unsustainable long-term fiscal 
path. The pandemic has obviously complicated that situation, 
and we need to deal with whatever we need to deal with to 
protect the public health and get the economy back in. But as 
soon as we achieve our public health goals and that the economy 
is moving in the proper, stable, robust direction, we need to 
quickly pivot to have a plan in place to deal with this long-
term situation. Some of these windows that we have had to deal 
with these things are rapidly closing.
    This year the Highway Trust Fund is insolvent except for 
some of the revenues that they will collect. But for the past 
few years, instead of having the gas tax revenue support it, 
there has been general appropriations to the tune of $155 
billion. For the next 10 years, if you want to maintain 
spending for the Highway Trust Fund, you have to come up with 
$195 billion, and that is going to be general appropriations 
unless there is another revenue source. It was initially 
intended to be self-financing.
    The Medicare Hospital Insurance Fund by 2024--now, this 
might even change depending on how the economy goes in the next 
few years--will only have 83 cents on the dollar to make 
payments for the hospital Part A part of that program.
    The date for Social Security to not have enough revenues to 
make full payments, the latest estimate is 2031. Again, that 
may change depending on economics. In that case, the Social 
Security Administration, the trust fund revenues would only be 
enough to pay 75 cents on the dollar. It would be like a 25 
percent cut. If you combine that for people who are elderly 
with Medicare and Social Security, I mean, you are talking 
about now our government will probably never let that happen, 
but it shows the magnitude of the change that has to be made 
and the weighty decisions that have to be made, and the sooner 
we make those decisions, the better off we are going to be, 
because compounding is working against us.
    One of the things that has actually saved us is, while the 
interest rates are creeping up a little bit, they have been 
relatively low by historic records. But we pay to finance our 
debt, in 2019 we paid $360 billion just for interest rate cost. 
Now, if interest rates go up in the future, they conceivably 
could get in the next 10 years to where we are almost paying $1 
trillion a year just for interest costs. Our Social Security 
program is already $1 trillion a year by itself, all the Social 
Security program. Medicare and Medicaid are each heading in 
that direction.
    This is a huge problem, and we need to deal with it. The sooner 
we deal with it, the better options that we have. I will again 
be issuing a report in another month or two that will call for 
this plan. I think we also need to change how we set the debt 
ceiling, Senator. The approach we have now does nothing to 
control the debt. All it does is authorize Treasury to borrow 
the money necessary to pay the bills Congress has appropriated 
and the President has signed into law. When that is not done, 
when there are questions about it being done in time, it roils 
the markets. We end up paying more interest to borrow the 
money.
    The other danger in this whole thing is we are relying on a 
lot of foreign sources to lend us money to finance our debt, 
and given global uncertainties and issues, I do not think this 
is a time you want to be dependent on others.
    Now, we have learned this lesson in the pandemic, being 
dependent on foreign sources for our drugs and medical products 
and things. But there is not much difference to leap to go to 
being dependent on them to lend us money to finance our debt.
    Senator Scott. Have you ever done a report on the impact on 
a poor family of rising gas prices and rising inflation, like 
what we saw back in the 1970s?
    Mr. Dodaro. Not recently. I can go back. We can take a look 
at doing that. I think it would have a lot of advantages. I am 
sure we have done it in the past, and, so I would be happy to 
do something like that again.
    Senator Scott. My biggest concern is that is who is going 
to get hurt the most. This spending without a return is that--
inflation is going--interest rates are going to go up, 
inflation is going to go up, and the poorest families pay the 
most.
    Mr. Dodaro. Right.
    Senator Scott. Whether it is paying for their mortgage, 
paying the rent, or paying for their food.
    When you take Medicare as an example, what are the options 
then? I mean, we have what, three years to go and we are not 
going to have enough money to pay our providers? Is that what 
is going to happen?
    Mr. Dodaro. Yes, to pay the hospitals and the providers, 
right. The question about what kind of co-pays you are going to 
have in these areas. Now, we have some recommendations that 
would save money, save billions of dollars if Congress would 
implement them, but, part of the issue is there has been 
reluctance to implement some of these recommendations for fear 
that it may interfere with the provision of services, and that 
has been the preeminent issue, is making sure people have a lot 
of options and get whatever services they want. But that comes 
at a cost, and we are about ready to cross that threshold.
    The biggest problem we have--and this is immutable for the 
large part--is demographics. We are moving to a situation where 
we only have two people working for every one retired person in 
the United States. When Social Security and Medicare were set 
up in their financing arrangements, we had five, six, seven 
people working for every one retired person. The payroll taxes 
were enough for current workers to pay for retirees. That is 
inverted now, and this whole thing, we need a whole new 
financing arrangement for Medicare and Social Security to be 
sustainable over the next several decades.
    Senator Scott. All right. Thank you.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Scott.
    I am going to go to a brief second round. The Ranking 
Member and I have a few questions. But we are going to go to 
five minutes instead of the normal seven for this second round. 
There may be a Senator that will join us during that time. We 
will have the seven minutes for that particular Senator. But I 
will start.
    Under the Federal Information Security Modernization Act 
(FISMA), OMB and the DHS set minimum standards that Federal 
agencies must meet. But each Federal agency is given full 
authority and responsibility for their own cybersecurity 
protections, as you are well aware.
    My question is: Given that we just continue to see these 
breaches, as you have discussed throughout this hearing, across 
Federal agencies, do you believe that this is the right 
framework and balance of responsibility? Or would the GAO 
recommend a more centralized Federal approach?
    Mr. Dodaro. Unfortunately, I think a more centralized 
approach has merit for consideration. However, it is going to 
be very difficult to implement it given the state of the 
systems right now. It is hard even for some of these agencies 
to consolidate and centralize within their own department and 
agency let alone to do it across the government. I think there 
needs to be greater enforcement of the standards as a first 
starting point, but I would ask Nick Marinos, our expert, to 
see if he has any other thoughts, Senator. But I think the 
problem is IT in particular and IT security broadly is viewed 
as a technical issue, and it is really not as much as it is a 
management issue. It is not on the radar screen of top agency 
officials the way it should be, in my opinion. If you take that 
responsibility further away from them, I think it would be 
difficult to be able to hold them accountable for some of the 
programs and activities.
    Nick.
    Mr. Marinos. Yes, Chair Peters, I think what I would add to 
the Comptroller General's statements regarding the importance 
of agency leadership having responsibility, the reality is our 
current situation is that agency leadership has authority, 
statutory responsibility, in addition to the Chief Information 
Officer, for protecting information and also holding others 
accountable for protecting it as well. Obviously, our Federal 
agencies rely on contractors; they rely on vendors. Ultimately 
it is the agency's responsibility to protect.
    Now, that does not mean they should be doing it alone, and 
you can just look at, obviously, the NDAA and the multitudes of 
provisions that were placed intended to help improve 
cybersecurity, help to assert additional authorities to CISA. I 
think that is a good step in the right direction. We saw the 
most recent legislation in 2014, the FISMA version in 2014, 
articulate a more central role for DHS in providing supporting 
services to other Federal agencies. We think that that is 
important.
    We do actually have a report coming out next week, 
actually, that was requested by yourself and by several other 
Members of the Committee looking specifically at CISA's 
transformation. I think that is really important here. If we 
are going to see CISA take a more centralized role in not only 
helping Federal agencies get better at cybersecurity but also 
interfacing with the private sector, they are going to need to 
get to that full transformation, and we will be coming out with 
some recommendations on how they can do that next week.
    Chairman Peters. Thank you. We are going to look forward to 
that report and look forward to continuing to work with you on 
that area because it is something we clearly have to focus on.
    The other area related to the cyber challenges is the 
workforce, and despite more than 20 years of laws and guidance 
that have prioritized the recruitment and expanding and 
maintaining of a strong cohort of cybersecurity and IT 
professionals, strengthening our cyber workforce just continues 
to be an ongoing and a significant challenge. That was in your 
report, and you were very clear in the one that you are 
presenting here today that that is the case. GAO found that 
many agencies do not even prioritize IT and cybersecurity 
workforce planning, which is somewhat shocking given the 
importance of it.
    How can we strengthen existing programs to meet the gap in 
cybersecurity talent at the Federal Government? What would be 
your main recommendations for us after 20 years of still not 
getting it right?
    Mr. Dodaro. Yes, this whole thing is kind of baffling to 
me, but I will tell you, every year I send a letter to each 
major head of a department and agency outlining priority 
recommendations that I think they need to implement, and 
cybersecurity is always on that issue. But if you go to try to 
talk to anybody about it, there was a famous Senator from this 
Committee, Senator John Glenn, who I had the privilege of 
testifying before and working with, and he would say some of 
these management issues are like watching mud dry. A lot of 
managers do not understand the issues, and so they do not 
understand the importance of it.
    But, clearly, here I think that we need to look beyond the 
Federal Government and how do we increase the size of the 
workforce throughout the United States in the cyber areas and 
turn more to our universities and colleges? I met with the 
University of Maryland. They have started a cybersecurity 
program, so they are generating graduates now where they never 
had a cybersecurity line of academic study before. Virginia 
Tech is doing the same thing, and other universities. I think 
we need to find ways to support our university system, and to 
go to Senator Portman--even community colleges and vocational 
schools to teach people how to do these areas, to increase the 
whole size of the pie. The competition with the private sector 
is keen. But unless we generate more of a pool of cyber 
workforce in these areas, we are not really going to gain much, 
in my opinion. This is a nationwide need, and the Federal 
Government has the leverage to create the incentives to create 
more people that have these skills.
    Chairman Peters. Absolutely. I could not agree with you 
more. Thank you for that response.
    We are going to deviate from our 5-minute second round 
briefly. Senator Sinema has joined us for her first round, so, 
Senator Sinema, you are recognized for seven minutes to deliver 
your questions.

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Thank you, Chair Peters, and thank you to 
Ranking Member Portman for holding this hearing.
    Arizonans expect a government that is efficient, effective, 
responsive, and transparent. The GAO High-Risk List report is 
critical to help Congress identify and track progress on 
vulnerable Federal Government programs to prevent waste, fraud, 
and mismanagement of the American people's money.
    The need to ensure the cybersecurity of our Nation was 
highlighted in Arizona with the recent cyber attack against the 
computer systems for the city of Kingman. This attack shows 
clearly the disruption and damage that cyber criminals can 
inflict on local communities. While there were some areas of 
limited improvement since the 2019 review, this cyber attack 
lays bare the need for continued action.
    Mr. Dodaro, ensuring the cybersecurity of the Nation is an 
area that remains on the GAO's High-Risk List. Friday's cyber 
attack against the computer systems for the city of Kingman 
highlights how pressing this need is from a local level. 
Federal, State, local, and tribal entities need to take urgent 
actions to implement comprehensive cybersecurity strategies, 
perform effective oversight, secure their systems, and protect 
privacy and sensitive data of its people.
    As highlighted in the GAO report, can you expand upon the 
importance of the Federal response to cyber attacks and its 
coordination with State, local, and tribal entities such as in 
places like the city of Kingman and what gaps continue to need 
attention?
    Mr. Dodaro. Thank you, Senator, for that question. I will 
ask Nick Marinos to add to my comments, but this is an area 
where, as troubled as the Federal Government is in terms of its 
security vulnerabilities, I believe the State and local sector 
and others are even potentially more vulnerable and in need of 
help and support and assistance.
    Now, the CISA organization at DHS was helpful recently with 
the elections issue and securing our election systems, which 
are administered, as you know, at the State and local level. I 
believe we need greater that type of assistance at the State 
and local level more broadly in the cyber arena.
    Nick, do you have anything to add?
    Mr. Marinos. Yes, I would just express, Senator Sinema, it 
is a major challenge for a lot of these smaller organizations 
to be able to protect themselves, so to think that they have to 
do it alone is almost untenable. Seeing what happened just 
within your respective State just last week, unfortunately it 
is becoming more and more common. We are seeing ransomware 
double in terms of the number of attacks that have taken place 
just in the last three years.
    It is going to take an all-of-government effort to really 
make sure that we are not only supporting the Federal but the 
State and local levels as well. We are seeing CISA try to build 
out their capabilities. It is going to require careful 
attention and oversight from this Committee as well as from 
others to make sure that they can actually get to full 
capability that will allow them to have the resources and 
technical expertise to help States and local municipalities.
    But this is also a workforce issue. We ultimately see that 
many of those municipalities were, in fact, doing work on 
behalf of yourself, a request that we got from you and Senator 
Rosen and Senator Hassan, looking at K-12 cybersecurity as a 
good example. These organizations have finite resources, and so 
ultimately if they have to constantly be sort of on the 
defensive as opposed to proactive, they are going to be 
challenged.
    It is going to really require CISA and the Federal 
Government to step up and provide additional support and 
effort.
    Senator Sinema. Thank you. The report also focuses in part 
on challenges of hiring and retaining cybersecurity risk 
management personnel, highlighted that many agencies have not 
done a full needs assessment for their cybersecurity workforce. 
I am sure this is in large part keeping them from bringing on 
the right talent in both numbers and skill set.
    How do you recommend the agencies address this? Is there a 
role for the Chief Human Capital Officers (CHCO) Council and 
Chief Information Officers Council to play working together to 
do these assessments?
    Mr. Dodaro. I believe that there is a role for the Chief 
Human Capital Officers in the individual agencies and also at 
the Office of Personnel Management. We have talked to them in 
the past about the skill across government, the skill gaps 
across government in the cybersecurity area. They could be 
providing much greater leadership in helping develop the 
workforce through contacts with colleges, universities, 
community colleges, trade schools, et cetera, if they so desire 
to do that.
    But, also, there needs to be some more education to the 
Chief Human Capital Officers and people about the specific 
needs that agencies need in the cyber arena. It is not a well-
established discipline like if you are hiring accountants or 
economists or things of that nature. And so it is a new terrain 
for them, and they need to understand the different aspects of 
cybersecurity and what kind of skills they are looking for.
    So if properly supported and brought up to speed, the Human 
Capital Officers can be important leverage to help the agencies 
acquire the skills that they need. But I would also encourage 
this Committee, when they have the nominee for the Office of 
Personnel Management, to talk to them about their important 
leadership role potentially in this area as well.
    Senator Sinema. Thank you.
    Mr. Dodaro, regarding the emerging issues of leadership and 
coordination of public health emergencies at the Department of 
Health and Human Services (HHS), in early January 2021 then-
Secretary Azar announced that the administration would no 
longer hold second vaccine doses in reserve and would 
immediately make them available to States along with the first-
shot doses. The Secretary urged States to expand prioritization 
to those 65 and older, warning that States could see their 
future allocations reduced if they did not immediately get 
shots into arms.
    I worked immediately with the Arizona leaders at all levels 
to do this. But days later, it was reported that no such 
reserve even existed. The administration had already been 
shipping out second doses beginning in December, and States had 
told seniors to get in line for vaccines and then were told 
that they would see minimal increases, if any at all, in their 
doses.
    Has GAO looked into incidents such as this one as part of 
its planned review of HHS leadership and coordination of public 
health emergencies?
    Mr. Dodaro. Yes, we are working on this very closely. I 
will ask Nikki Clowers to add to my comments, but we made a 
recommendation, Senator, in September 2020 that HHS create a 
vaccine communication and distribution plan with milestones in 
communication. They never have--until this day that has not 
been fully implemented. Congress has mandated they do so.
    This is an area that was a classic example of 
miscommunication and is in need of attention going forward. We 
are on that case. We are working on it carefully.
    Senator Sinema. Thank you.
    Mr. Chairman, I see that my time has expired. Thank you.
    Chairman Peters. Thank you, Senator Sinema.
    The Chair now recognizes Senator Romney for his questions.

              OPENING STATEMENT OF SENATOR ROMNEY

    Senator Romney. Thank you. I very much appreciate the 
benefit of this hearing, and, Mr. Dodaro, your testimony in 
response to the questions that came from Senator Scott was most 
revealing to me. We seem like we have a national emergency we 
ought to be concerned about, which is the amount of our 
national debt yielding interest costs, I think you said $390 
billion with the potential of going to almost $1 trillion. At 
this stage we are talking about another $1.9 trillion in COVID 
relief measures. We are looking down the road at an 
infrastructure bill which might be an extra $2 or $3 trillion. 
We keep on adding to the debt.
    At what point do you consider this to be a real national 
emergency and something that we need to address and, that is 
the mounting amount of debt we have and the interest associated 
with it?
    Mr. Dodaro. Yes, what I have been trying to do, Senator 
Romney, is to get the government's attention to this, both the 
Congress and the administration, so it does not become a 
national emergency. If there is a spike in interest rate cost 
or there is an unwillingness of foreign investors to purchase 
our debt, there could be concerns ultimately down the road.
    One of the other advantages we have is we are the world's 
reserve currency, but that does not always have to be the case 
in the future, if people lose confidence, and we have 
competitors in these areas. Right now we are in a good position 
to begin dealing with this issue before it becomes a crisis and 
before we have to take draconian measures.
    I am very concerned that we quickly pivot to this issue as 
soon as we deal with the public health emergencies that we have 
right now and get the economy on a stable basis. We need to 
quickly turn our attention to this area. I mentioned to Senator 
Scott, if you heard that, all the impending issues to deal with 
these trust funds, and I know you have been concerned about the 
trust funds and have some legislation to deal with that. Those 
are very important services that our citizens rely on and count 
on the government to keep on good financial footing. They are 
going to be teetering here, if not right now, teetering soon on 
that issue. We need a plan. We need a long-term plan. The plan 
has to be rooted in law.
    I have suggested that part of the plan is we need to 
target, a debt-to-GDP target. Right now we do not have a 
national policy. How much debt do we think we should service 
over a period of time? We have no targets, no goals, no 
guardrails. We just decide how much we are going to spend, and, 
fortunately, we have been a wealthy country and we have been able to 
operate that way. But that is not going to be the case going 
forward with these issues.
    I have been working with the Senate Budget Committee. You 
need a debt-to-GDP target. Then you need some interim 
safeguards in place to make sure you could move toward that 
target over time. You need some relief valves, if we have an 
emergency that we have not been able to plan for comes up, so 
that you have some flexibility. But you need to have these 
things and have a regular score kept on how well you're doing 
in achieving your goals and objectives.
    But we do not have these guardrails in place going forward. 
I think we could find ourselves in a very chaotic situation if 
world events change that we are not prepared for. We have to 
get our fiscal house in order.
    Senator Romney. I would be one of many, I am sure, that 
would welcome your recommendations as to what some of those 
targets might be.
    Let me turn also to the trust funds which you described. 
Obviously, each of them is coming to a point where they are 
going to become insolvent or rely on a massive infusion from 
the general fund. Is there a pathway to solvency for these 
funds? Simpson-Bowles tried to make an effort. It was not 
successful. Other than raising taxes--and if one raises taxes, 
of course, you are going to have a reduction in economic 
growth, and at some point you find yourself chasing your tail.
    I wonder, as you look at these various trust funds, is 
there a realistic solution to get them on a basis where they 
are, at least over the next several decades, not going to 
become insolvent?
    Mr. Dodaro. Yes, I think as it relates to the Highway Trust 
Fund, there is debate about using miles traveled rather than 
the gas tax as a means of dealing with that. I think there are 
some alternatives for the Highway Trust Fund, particularly with 
the advent of electronic vehicles and things. The concept of 
user pay, which is what we had been operating on in the Highway 
Trust Fund, I think is a salvageable concept if we think 
outside the box and move away from gas taxes as the sole 
provider. We have not raised that tax since 1993, but given the 
fuel efficiencies of cars and the move to hybrid electronic 
vehicles, that was not going to be our solution anyway in the 
highway area.
    Social Security, I think there are a lot of good options on 
the table to deal with that aside from the revenue side. I 
think you have to look at the revenue side. In all fairness, 
the problem is so big you have to deal with that problem as 
well, and maybe, it needs--there have been proposals about 
doing some more means-testing, to eliminate the cap on Social 
Security benefits for higher wage earners. There is a wide 
variety of things because it is a social insurance program, and 
we have to figure out how to craft it properly to provide 
safeguards.
    I am very concerned about the retirement security of 
Americans, writ large, because it is not just Social Security, 
but the private sector has been moving away from defined 
benefit plans to defined contribution plans, if they have any 
options, they are availing their workers to at all in those 
areas. The burden is more shifted to individuals to plan for 
their own retirement, and the pillars that had been there 
before are a little shaky right now, both in the employer-based 
systems as well as the government systems, as we were talking 
about, and many people have not saved themselves, which is the 
third pillar that we have relied on over time. That is very 
important.
    The one that is, I think, the most complex to solve is 
Medicare and our health programs. Those are the fastest-growing 
programs. We have been unable as a country to contain health 
care costs. They keep growing faster than the economy is 
growing, so our ability to pay for them is not there. The costs 
are shifted to the government. This is the most perplexing 
area. I do not have as many ready solutions. We have some 
recommendations at GAO that would save billions of dollars, but 
this is beyond that. That is the one that I think we are going 
to require a lot of expertise and discussion and debate on, and 
I think the sooner we get started trying to deal with 
containing these health care costs, the better off we are going 
to be, because that is the one area that I think can cause us 
the most problems long term, particularly given our changing 
demographics.
    Senator Romney. Thank you very much. I appreciate your 
testimony and counsel.
    Mr. Chairman, thank you.
    Chairman Peters. Thank you, Senator Romney.
    The Chair recognizes Senator Padilla for your questions.

              OPENING STATEMENT OF SENATOR PADILLA

    Senator Padilla. Thank you, Mr. Chairman. Mr. Dodaro, thank 
you for your participation, testimony, and information today. I 
know we have covered a lot of different topics, subject matter, 
so I will be focused on the census, the decennial census we are 
still working to complete, and looking forward to the 2030 
decennial census as well.
    In the interest of time, I will spare us all the chronology 
of the number of challenges faced in trying to complete a 
fairly accurate national population count in 2020. I do not 
know if we all would agree, but I certainly believe that there 
was a lot of political attacks undermining the 2020 census, 
both the years of underfunding and understaffing as the Bureau 
was preparing for the 2020 census. We saw the back and forth on 
the prior administration's attempt to question the citizenship 
of every person in America. That was, thankfully, not 
successful. But add to all that the restrictions and 
limitations posed by the COVID-19 pandemic requiring extensions 
and changing of deadlines, and so we find ourselves in a place 
with compressed timetables for the Bureau to complete its work 
and record its data, not just to Federal partners but to States 
so they can proceed with the work of the redistricting process, 
let alone the funding formulas for State and Federal funds that 
are disbursed on a per capita basis, et cetera.
    My question is really in two parts. First, what lessons 
could we, should we have learned from the 2020 census 
experience? The GAO report does call out the concerns about the 
compressed timeframe. What lessons learned do we draw from the 
2020 single census experience as we will begin to prepare for 
the 2030 census soon enough? Then maybe even more short term, 
what can be done to try to ensure the maximum accuracy and 
quality of data for the 2020 census?
    Mr. Dodaro. Senator, we are both in luck today. Our census 
expert, Chris Mihm, has been involved in every census since the 
1990 census. He is with us today and can best respond to those 
questions.
    I would also note that Chris will be retiring from GAO this 
year after 36 years of distinguished Federal service, and he, 
in addition to the census work, headed up all our High-Risk 
programs at GAO. I will turn it to him, and he can give you 
terrific answers here.
    Senator Padilla. Thank you.
    Mr. Mihm. Thank you, Comptroller General, and thank you, 
Senator, for the question. You outlined perfectly, I think all 
the challenges that the Bureau ran into both in terms of the 
changes in the schedule at an Executive Branch level as well as 
the forced changes as a result of COVID-19, going into the 
field and coming out and then going back in.
    I think there are a couple of big lessons that we can learn 
from that. Perhaps at the most macro level is that there is 
only so much time that you can squeeze out of the schedule. The 
Bureau had said, for example, it would take them--or, rather, 
in 2010 it took them 150 days to process the data after field 
data collection was done. They then this time were at least 
initially saying that they were going to have to use 90 days, 
and it went down to 70. It turned out that they said, we are 
going to find things that in the data, what they call 
``anomalies,'' that are going to need to be investigated. We 
cannot get it down to that, to the quality of historical 
standards of the census. Indeed they could not.
    But, more on point to your question is that we believe that 
the Bureau ought to be doing two things. One is that they need 
to be making sure that they are evaluating the impact of the 
operational changes that they made to data collection and data 
processing. Some of those may be good ideas in order to carry 
forward, but some of them may have consequences for the quality 
of the data. Second, and perhaps more importantly, is that we 
believe that the Census Bureau, when they release apportionment 
data and when they release the redistricting data, needs to 
provide stakeholders, including the Congress and the public, 
high-level data that is indicative of the type of quality of 
the data of the underlying data--for example, proxy data, the 
extent to which they used information not from the actual 
respondent but from a neighbor or other trusted source, and not 
just at the national level, but breaking that down to sub-
demographics by racial categories, local jurisdictions, and all 
the rest.
    They need to provide information to us in real time that shows 
us the quality of the data while they are doing their longer 
evaluations of the impact of the design changes.
    Mr. Dodaro. I think the other lessons learned is that the 
Internet response rate worked, the Internet option worked. I 
think in future years, as our population becomes more computer 
connected, that offers some lessons learned, Senator, for the 
future as well.
    Senator Padilla. All right. Any final comments on 
salvaging, to the best of our ability, the quality and accuracy 
of the 2020 census data?
    Mr. Dodaro. I think the best option at this point is to let 
Census do its normal thing that it has done before and look at 
the coverage evaluation and to take the time that they think 
they need to give us the best data they can within the 
timeframes that are available. I do think that vetting it at 
the State and local level and allowing them to comment on it 
has always been a good quality check, and we do not want to 
shortchange that process either.
    Chris, anything else there?
    Mr. Mihm. No, other than, Gene, that they will be doing 
their big independent assessment of the quality of the census 
called the ``Post-Enumeration Survey.'' That data will not come 
out until later this year or even spring of 2022. We are going 
to continue to be evaluating and monitoring that on behalf of 
the Congress, and obviously we will be reporting out anything 
we see on that.
    Senator Padilla. OK. Thank you both.
    Mr. Chairman, I yield back the balance of my time.
    Chairman Peters. Thank you, Senator.
    That concludes the questions for today. Mr. Dodaro, you had 
a long day today. I started with you this morning at a press 
availability. I know you had a long day with our friends over 
at the House testifying on this report, and you have been with 
us for a period of time as well. But I want to thank you for 
your accessibility. I want to thank you for your work on this 
report, plus your 40-plus years of service to the government. I 
certainly want to thank all the members of your team and the 
members who joined us here virtually, but who show up every day 
and work hard for the American taxpayers.
    With that, this hearing record will remain open for 15 
days, until March 17th at 5 p.m., for submission of statements 
and questions for the record. With that this hearing is 
adjourned.
    [Whereupon, at 4:36 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              



                                 [all]