b"<html>\n<title> - CONTROLLING FEDERAL LEGACY IT COSTS AND CRAFTING 21ST CENTURY IT MANAGEMENT SOLUTIONS</title>\n<body><pre>[Senate Hearing 117-38]\n[From the U.S. Government Publishing Office]\n\n\n\n\n                                                         S. Hrg. 117-38\n \n                CONTROLLING FEDERAL LEGACY IT COSTS AND\n             CRAFTING 21ST CENTURY IT MANAGEMENT SOLUTIONS\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                            SUBCOMMITTEE ON\n                EMERGING THREATS AND SPENDING OVERSIGHT\n\n                                 of the\n\n                              COMMITTEE ON\n               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n                    ONE HUNDRED SEVENTEENTH CONGRESS\n\n\n                             FIRST SESSION\n\n                               __________\n\n                             APRIL 27, 2021\n\n                               __________\n\n        Available via the World Wide Web: http://www.govinfo.gov\n\n                       Printed for the use of the\n        Committee on Homeland Security and Governmental Affairs\n        \n        \n        \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]      \n\n\n\n\n\n             U.S. GOVERNMENT PUBLISHING OFFICE \n45-043 PDF           WASHINGTON : 2021 \n\n        \n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n                   GARY C. PETERS, Michigan, Chairman\nTHOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio\nMAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin\nKYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky\nJACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma\nALEX PADILLA, California             MITT ROMNEY, Utah\nJON OSSOFF, Georgia                  RICK SCOTT, Florida\n                                     JOSH HAWLEY, Missouri\n\n                   David M. Weinberg, Staff Director\n                    Zachary I. Schram, Chief Counsel\n                Pamela Thiessen, Minority Staff Director\n    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director\n                     Laura W. Kilbride, Chief Clerk\n                     Thomas J. Spino, Hearing Clerk\n\n\n        SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT\n\n                 MAGGIE HASSAN, New Hampshire, Chairman\nKYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky\nJACKY ROSEN, Nevada                  MITT ROMNEY, Utah\nJON OSSOFF, Georgia                  RICK SCOTT, Florida\n                                     JOSH HAWLEY, Missouri\n\n                     Jason Yanussi, Staff Director\n            Allison Tinsey, Counsel for Governmental Affairs\n                 Greg McNeill, Minority Staff Director\n                Adam Salmon, Minority Research Assistant\n                      Kate Kielceski, Chief Clerk\n                      \n                      \n                            C O N T E N T S\n\n                                 ------                                \nOpening statements:\n                                                                   Page\n    Senator Hassan...............................................     1\n    Senator Rosen................................................    13\nPrepared statements:\n    Senator Hassan...............................................    29\n\n                               WITNESSES\n                        Tuesday, April 27, 2021\n\nKevin Walsh, Director, Information Technology and Cybersecurity, \n  U.S. Government Accountability Office..........................     3\nCasey Coleman, Former Chief Information Officer (2007-2014) at \n  the U.S. General Services Administration.......................     5\nRenee P. Wynn, Former Chief Information Officer (2015-2020) at \n  the National Aeronautics and Space Administration..............     7\nMax Everett, Former Chief Information Officer (2017-2020) at the \n  U.S. Department of Energy......................................     8\n\n                     Alphabetical List of Witnesses\n\nColeman, Casey:\n    Testimony....................................................     5\n    Prepared statement...........................................    72\nEverett, Max:\n    Testimony....................................................     8\n    Prepared statement...........................................    91\nWalsh, Kevin:\n    Testimony....................................................     3\n    Prepared statement...........................................    31\nWynn, Renee P.:\n    Testimony....................................................     7\n    Prepared statement...........................................    86\n\n                                APPENDIX\n\nResponses to post-hearing questions for the Record:\n    Mr. Walsh....................................................    95\n    Ms. Coleman..................................................   100\n    Ms. Wynn.....................................................   102\n    Mr. Everett..................................................   105\n\n\n                  CONTROLLING FEDERAL LEGACY IT COSTS\n\n           AND CRAFTING 21ST CENTURY IT MANAGEMENT SOLUTIONS\n\n                              ----------                              \n\n\n                        TUESDAY, APRIL 27, 2021\n\n                                     U.S. Senate,  \n                       Subcommittee on Emerging Threats and\n                                        Spending Oversight,\n                    of the Committee on Homeland Security  \n                                  and Governmental Affairs,\n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 10 a.m. in \nroom 342, Dirksen Senate Office Building, Hon. Maggie Hassan, \nChair of the Subcommittee, presiding.\n    Present: Senators Hassan, Sinema, Rosen, Ossoff, Scott, and \nHawley.\n\n             OPENING STATEMENT OF SENATOR HASSAN\\1\\\n\n    Senator Hassan. Good morning, everybody.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Senator Hassan appears in the \nAppendix on page 29.\n---------------------------------------------------------------------------\n    I want to start by thanking all of our witnesses for \nappearing today to discuss controlling Federal legacy \ninformation technology (IT) costs and crafting 21st century IT \nmanagement solutions. I also want to thank Ranking Member Paul \nand his staff for working with us on this hearing and for our \ncontinued partnership to address wasteful spending and \ngovernment inefficiencies. Even though Ranking Member Paul is \nunable to join us this morning, I look forward to addressing \nthe threats posed by the Federal Government's failure to \nmaintain a modern and agile information technology \ninfrastructure.\n    Today is the first of multiple hearings on Federal legacy \nIT systems. By shining a light on this important issue, I hope \nthat agencies will work to reduce their reliance on costly \nlegacy IT systems, in partnership with Congress, the Biden \nadministration, and industry stakeholders.\n    Today's hearing will focus on identifying the costs and \nconsequences of legacy IT, as well as the institutional \nbarriers to modernization. According to the Office of \nManagement and Budget (OMB) and Government Accountability \nOffice (GAO) , in fiscal year (FY) 2020, the Federal Government \nspent nearly $90 billion on IT investments and operations. \nBased on analysis of agency expenditures, legacy IT maintenance \ncosts accounted for one-third, about $29 billion, of that total \nspending. However, the actual cost is estimated to be much \ngreater when we consider legacy IT's negative effects on \nsecurity, delivery of services, and customer experience.\n    To frame our discussion we should have a common definition \nof legacy IT. The term ``legacy IT'' describes the Federal \nGovernment's use of old technology or custom systems designed \nto support insular agency operations. That is, legacy IT \nincludes technology and systems that are no longer supported by \nindustry vendors, as well as those that require additional \nmaintenance or specialized knowledge to operate.\n    We have seen the consequence of relying on legacy IT \nsystems. For example, in 2014, hackers stole the personal \ninformation of more than 20 million people from the Office of \nPersonnel Management (OPM), because they were able to breach \nOPM's vulnerable legacy IT systems that lacked encryption. \nDespite this breach that was clearly linked to a failure to \nmodernize, OPM still relies on a 34-year-old legacy IT system \nthat costs $45 million annually, roughly one-third of OPM's \nannual IT budget, even though a modern system would only cost \n$10 million and produce $16 million in cost savings.\n    At the Internal Revenue Service (IRS), the system used to \nannually process millions of tax documents is more than 50 \nyears old, and relies on a programming language called the \nCommon Business-Oriented Language (COBOL), which was invented \nin 1959. In 2018, implementation of the 2017 tax law hit a \nmajor roadblock due to a shortage of staff with the specialized \nknowledge needed to update COBOL-based tax processing systems. \nIRS estimates that it costs $15.9 million annually to operate \nthis system, and 60 percent of those costs are for labor alone.\n    During the coronavirus disease 2019 (COVID-19) pandemic, \nIRS faced additional challenges because many of its aging \nsystems rely on paper rather than digital records, paper that \nwas inaccessible to IRS employees who were working remotely. As \na result, the American people felt the burden of delayed tax \nreturns and economic stimulus payments.\n    Similarly, in 2016, the Social Security Administration \n(SSA) was forced to rehire retirees to maintain the COBOL \nsystem used for making payments to beneficiaries and their \ndependents. These systems cost the Social Security \nAdministration about $146 million annually to operate. However, \nthe Social Security Administration estimates that it would only \ncost $25 million over 5 years to modernize the system, and that \nwould significantly improve functionality and security as well \nas eliminate the need for specialized programmers.\n    This begs the question, what are agencies waiting for? What \nis holding them back from realizing significant cost savings, \nincreasing security, and providing greater customer service \ndelivery through reducing their reliance on legacy IT?\n    In addition to the costs and consequences of relying on \nlegacy IT systems, today's hearing will also discuss the \ninstitutional barriers that prevent agencies from moving \nforward with their modernization efforts. Our distinguished \npanel includes the Director of the Government Accountability \nOffice's Information Technology and Cybersecurity team, as well \nas three former Federal agency Chief Information Officers \n(CIOs) who navigated the challenging IT modernization landscape \nand successfully moved their agencies away from legacy IT \nsystems. I look forward to hearing from all of our witnesses \nabout how they achieved success by leveraging available \nresources and by being innovative.\n    Now we are going to move to the testimony of our witnesses, \nbut before we do that it is the practice of the Homeland \nSecurity and Governmental Affairs Committee (HSGAC) to swear in \nwitnesses. If you will all please stand, including our one \nwitness who is remote, and raise your right hand.\n    Do you swear that the testimony you give before this \nSubcommittee will be the truth, the whole truth, and nothing \nbut the truth, so help you, God?\n    Mr. Walsh. I do.\n    Ms. Coleman. I do.\n    Ms. Wynn. I do.\n    Mr. Everett. I do.\n    Senator Hassan. Thank you. You may be seated.\n    Now we are going to start with the testimony of each \nwitness, and I will introduce each witness and then they will \ngo forward with their testimony.\n    We will start with Kevin Walsh. Our first witness today, \nMr. Kevin Walsh, is Director of the Cybersecurity and \nInformation Technology team at the Government Accountability \nOffice. He led the team that identified the 10 Federal legacy \nIT systems most in need of modernization. Mr. Walsh has 15 \nyears of experience at GAO, where he has led reviews of chief \ninformation officer authorities, management of legacy IT \nsystems, and assessments of IT-related risks.\n    Welcome, Mr. Walsh. You are now recognized for your opening \nstatement.\n\n TESTIMONY OF KEVIN WALSH,\\1\\ DIRECTOR, INFORMATION TECHNOLOGY \n    AND CYBERSECURITY, U.S. GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Walsh. Chair Hassan, Ranking Member Paul, and Members \nof the Subcommittee, thank you for inviting GAO to testify on \nthis important issue.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Walsh appears in the Appendix on \npage 31.\n---------------------------------------------------------------------------\n    Generally, we envision legacy systems as archaic government \ncomputers, stuffed in a basement with fluorescent lights \ndismally flickering above, or perhaps in the warehouse next to \nIndiana Jones' Arc of the Covenant. While we do not need \nHarrison Ford for any IT systems that I am aware of, there are \ncertainly government systems that are in desperate need of \nmodernization.\n    In our 2019 report on the topic, we asked agencies about \ntheir critical legacy systems that were most in need of \nmodernization. In total, the agencies identified 65 systems \nwhich were, on average, about 24 years old. These systems \nsupport some of the most critical functions in government, such \nas wartime readiness, student loans, the operation of dams and \npower plants, tax processing, and Social Security payments.\n    We took a deeper dive into the 65 systems and flagged the \n10 systems that we thought were the most vulnerable and in need \nof modernization. Some were operating with known \nvulnerabilities or were written in older code, such as COBOL or \nassembly languages, and others had hardware or software that \nwas no longer supported by the vendor. As the recent hacks of \nthe software supply chains demonstrate, we have no shortage of \nbad actors in the world willing to take advantage of \nvulnerabilities like these.\n    We also asked the agencies that owed these 10 systems some \nvery basic questions. Do you have a modernization plan? Does \nyour plan include timeframes, a description of the work, and a \nplan to turn off the older system? Disappointingly, only the \nsystems at the Department of Defense (DOD) and the Department \nof Interior (DOI) had these things in place. Further, there \nwere no modernization plans for the systems at the Department \nof Education, the Department of Health and Human Services \n(HHS), and the Department of Transportation (DOT).\n    To be fair, the hardware these systems ran on was not as \nold as their software. The hardware averaged a bit over 7 years \nold. However, to put that in context, Amazon made news early \nlast year when it extended the useful life of its servers from \n3 to 4 years.\n    In general, as our servers get older, and our systems with \nthem, they cost more to secure, more to maintain, do not always \nmeet mission needs, and, in some cases, the only people who can \nupdate them are retired. Basically, we are balancing cost, \nstaffing, security, and functionality.\n    To keep the lights on and systems running, we are accepting \nrisks that, in hindsight, may not make sense. For example, as \nthe Chair noted, OPM reported that some of its networks were \ntoo old to implement encryption, a rather important security \nstep.\n    Looking forward, modernization decisions need to carefully \nconsider the following: how risky it is going to be, including \nrisks to security and privacy; the criticality of the system; \nthe cost to modernize or maintain the current system; potential \ncost savings; whether mission needs are being met; and if \nadditional functionality or performance can be gained.\n    After considering all of that, there will undoubtedly be \ninstances where modernization may not make sense. For example, \nNational Aeronautics and Space Administration (NASA) uses \nFortran code to communicate with the Voyager space probes that \nwe launched in 1977. We cannot catch and upgrade that hardware.\n    On the other hand, we also identified a system at the IRS \nthat reported annual labor and operating costs of about $16 \nmillion. The IRS reported that it would cost a staggering $1.6 \nbillion to upgrade that system.\n    We have also noted that agencies may not have a complete \npicture of their legacy systems. OMB drafted guidance in 2016, \nthat would have required agencies to identify, evaluate, and \nprioritize their IT investments to make modernization \ndecisions. Sadly, that guidance was never finalized.\n    Until agencies are able to identify all of their legacy \nsystems, assess them, and document their plans for \nmodernization, they run the risk of wasting money on systems \nthat are not meeting mission needs or are likely putting the \nagencies at risk.\n    This concludes my comments, and I look forward to your \nquestions.\n    Senator Hassan. Thank you very much. Next we will move to \nCasey Coleman. Ms. Coleman is the Senior Vice President for \nDigital Transformation at Salesforce. In this role, she is \nresponsible for developing strategies and solutions for \ngovernment customers looking to modernize their IT systems. \nPrior to joining Salesforce, Ms. Coleman served as the Chief \nInformation Officer at the General Services Administration \n(GSA), where she led several modernization initiatives, \nincluding the first agency-wide move to cloud-based email and \ncollaboration platforms. She also led Federal efforts to \ndevelop the FedRAMP standards for cloud services and \ncybersecurity.\n    Welcome, Ms. Coleman. You are now recognized for your \nopening statement.\n\nTESTIMONY OF CASEY COLEMAN,\\1\\ FORMER CHIEF INFORMATION OFFICER \n    (2007-2014) AT THE U.S. GENERAL SERVICES ADMINISTRATION\n\n    Ms. Coleman. Thank you, Chair Hassan, Ranking Member Paul, \nand Members of the Subcommittee for the opportunity to speak on \ntoday's important topic. It is very timely, because we have \nbeen talking about modernizing Federal IT for a long time, and \nit has been a priority, but the prospects for progress have \nbeen significantly improved with the emergence of modern, \ncloud-based digital platforms. The world's largest banks, \nmanufacturers, retailers, and health care companies are already \ntransforming their operations and customer service by embracing \nthe cloud. The Federal Government can do the same.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Coleman appears in the Appendix \non page 72.\n---------------------------------------------------------------------------\n    All of us engage with the government through interactions \nlike paying taxes, adhering to regulations and laws, and \nreceiving benefits and services, and IT has become the critical \nenabler to carry out vital missions of the government, such as \ndefending the Nation, providing economic stability, and \nimproving public health. It is in all of our best interests \nthat government and its IT systems work well.\n    But too often legacy IT is not an enabler but a concrete \nbarricade, making the experience for employees and customers \nfragmented, opaque, and confusing. When I first came into \ngovernment I was surprised to see how our systems did not work \nfor us. We worked for them. I could not believe how the \ntechnology slowed us down and frustrated our efforts to \ncollaborate. These are commonplace issues, and they do not \nreally inspire trust or confidence.\n    Meanwhile, in our personal lives, as consumers and \ncustomers, everything is online and mobile, personalized and \naccessible any time. We expect the same of government, but this \ncreates a growing gap between what we expect and what is being \ndelivered.\n    The COVID pandemic really highlighted this growing gap. \nThis was a crucial moment of need, and the organizations that \ndelivered successfully, public sector and private, were those \nthat moved to the cloud, so their employees could work from \nanywhere and deliver services online. We saw years of \nmodernization compressed into a few months, from telehealth \nservices to paycheck protection loans, employee wellness \nchecks, and contact tracing.\n    These programs were not on anyone's radar before the \npandemic, so what made the difference? Moving to the cloud, \nwith access to rapid innovation and secure online services from \nthe commercial platforms already serving the world's largest \ncompanies.\n    Why does this matter? For a farmer, they can get their \ncrops in the ground by not getting off the tractor and going \ninto town to get their crop loan but rather by doing it through \na mobile app on their phone, not wasting time. For a veteran \nseeing their doctor by video means they continue to receive the \ntreatment they need and the benefits they have earned.\n    This pivot is important for government employees as well. \nNo one comes into the government to step backward in time and \ndo things the old way, with brittle tools that were state-of-\nthe-art decades ago. They want to serve a mission and make a \ndifference. If we want to recruit and retain talented public \nservants who have a choice, we have to give them tools to \nempower them and make their work effective.\n    I am especially passionate about this because I have seen \nit first-hand. As the CIO for GSA through much of the Bush and \nObama Administrations, I had the privilege of leading a \nmultiyear modernization program to move GSA to the cloud and \nimprove service delivery. When the Obama Administration \nannounced the Cloud First policy, we led the way, becoming the \nfirst to move the entire agency to cloud platforms for email, \ncollaboration, and productivity tools.\n    Our previous system was on really old hardware. We did not \nknow when it went down. I used to send myself emails at nights \nand weekends to make sure it was still working. By moving to \nthe cloud, we had all our tools available anytime, anywhere, \nand when weather emergencies like Superstorm Sandy shut down \nall Federal offices, GSA kept going, working remotely as they \nhave through the pandemic.\n    In closing, modern cloud platforms are a complete game-\nchanger for improving government service delivery and mission \nexecution. I do not mean to suggest this is a silver bullet, \nand I have included recommendations in my written testimony for \nother reforms, but all of these factors only click when you add \nthe cloud.\n    Thank you, and I look forward to questions.\n    Senator Hassan. Thank you, Ms. Coleman.\n    We are now going to turn to the witness who is joining us \nremotely, Ms. Renee Wynn. Welcome, Ms. Wynn.\n    From 2015 to 2020, Ms. Wynn was the Chief Information \nOfficer for the National Aeronautics and Space Administration. \nShe retired from NASA last April following a 29-year career in \nFederal service that included 9 years spent in Federal \ninformation technology. During her time at NASA, Ms. Wynn was a \ncritical and creative leader in the formulation and \nimplementation of the Modernizing Government Technology (MGT) \nAct, and she worked on several projects to reduce the agency's \nreliance on legacy IT system. She now operates her own \nconsulting firm.\n    Welcome, Ms. Wynn. You are now recognized for your opening \nstatement.\n\nTESTIMONY OF RENEE P. WYNN,\\1\\ FORMER CHIEF INFORMATION OFFICER \n       (2015-2020) AT THE NATIONAL AERONAUTICS AND SPACE \n                         ADMINISTRATION\n\n    Ms. Wynn. Good morning, Chair Hassan, and distinguished \nMembers of the Subcommittee. I am honored to be here to testify \ntoday on the importance of IT modernization. Now is an ideal \ntime for departments and agencies to focus on large, complex IT \nmodernization projects. Many lessons have been learned about \nremote working and delivering Federal services during the COVID \npandemic. These lessons can be used to accelerate modernization \nefforts. This, combined with having the right personnel, \nprocesses, and budgets significantly increase the probability \nthat such projects will be successful.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Wynn appears in the Appendix on \npage 86.\n---------------------------------------------------------------------------\n    As the former Chief Information Officer at NASA, and the \nActing CIO and Deputy CIO of the Environmental Protection \nAgency (EPA), I have had ample opportunity to understand the \ndynamics inherent in modernizing IT. These experiences gave me \nthe best view of the biggest challenges a CIO faces when \nmodernizing IT--an agency's culture, or sometimes referred to \nas ``the people challenge.''\n    A CIO must have sustained support and funding for IT \nmodernization from the agency heads, including her executive \nteam. She must have the right people with the right skills, and \nshe must build and maintain relationships across the agency and \nwith the contractor community. Without this, complex IT \nprojects will fail.\n    When I was offered a position at NASA, I was over the moon \nwith excitement at becoming a member of this iconic Federal \nagency. I was confident that I would find best-in-class IT \nmanagement and cybersecurity practices. What I found was a work \nin progress--a need for more centralized or enterprise-wide IT \nservices, systems in need of modernization, a poor \ncybersecurity posture, and a culture that viewed the NASA CIO \nwith skepticism.\n    Fortunately, NASA recognized this as well and had already \ncompleted a business services assessment (BSA). The BSA was \nundertaken to identify organizational and management \nimprovement areas for NASA's mission support services, \nincluding IT. Based on the BSA recommendations, the CIO office \ndeveloped and executed an implementation plan.\n    Many valuable lessons were learned, and a big issue was \nidentified, which was preventing NASA from gaining the full \nbenefit of the BSA. Too much of NASA's IT budget and staff were \nnot managed by the NASA CIO, making it difficult to modernize \nIT and control spending. Given this, NASA took the bold and \npolitically charged step of having all the people and budget \nassociated with a mission support function report to the head \nof that function.\n    As I led the BSA implementation, the culture or people \nchallenges were a constant. While NASA's top executives \nprovided steadfast report, executives and staff below them were \nresistant and, at times, difficult. Nothing rattles a civil \nservant more than having portions of their budgets and staff \nreallocated.\n    Congress has taken the steps to address IT management and \ncybersecurity risks through legislation, from the Clinger-Cohen \nAct to the Federal Information Security Modernization Act \n(FISMA) and on to the Federal Information Technology \nAcquisition Reform Act (FITARA). All were designed to advance \nIT in support of government services and provide improved \ninformation security. Support continued with the passage of the \nModernizing Government Technology Act. This provided financial \nresources to agencies through the creation of a centralized \nmodernization fund, called the Technology Modernization Fund \n(TMF).\n    The oversight of Congress has also been a driving factor in \nmaking the intended improvements to IT modernization and \ncybersecurity. Legislative actions, combined with sustained \noversight, have provided the foundation to improve IT \nmanagement and cybersecurity.\n    I will conclude today by emphasizing Congress should \ncontinue to hold oversight hearings and provide predictable \nfunding and be prepared to act should gaps emerge in the \nFederal Government's ability to deliver more modern and \neffective public services. The CIO must have sustained support \nand budgets, plus a knowledgeable and skilled workforce, to \nmeet the growing demands of IT modernization and cybersecurity. \nWith this, the CIO can lead agencies forward to deliver IT \nmodernization and improve cybersecurity so departments and \nagencies can deliver the mission for the American public.\n    Thank you again for the opportunity to appear before the \nSubcommittee today, and I stand ready to answer your questions.\n    Senator Hassan. Thank you very much, Ms. Wynn. Now let's \nturn to our last witness, Mr. Max Everett.\n    Mr. Everett served as Chief Information Officer at the \nDepartment of Energy (DOE) following a career in IT security \nand risk management. During his time at Energy, Mr. Everett \nsecured one of the first awards from the Technology \nModernization Fund to migrate Energy's legacy email system to a \ncloud platform. He is now CEO of Adnovem Consulting Group, \nwhich works with public and private customers to provide \nservices and promotes a lean and agile approach to IT \nmodernization.\n    Welcome, Mr. Everett. You are now recognized for your \nopening statement.\n\n TESTIMONY OF MAX EVERETT,\\1\\ FORMER CHIEF INFORMATION OFFICER \n         (2017-2020), AT THE U.S. DEPARTMENT OF ENERGY\n\n    Mr. Everett. Thank you, Chairwoman Hassan, Ranking Member \nPaul, and Members of the Committee. I appreciate the \nopportunity to be here this morning and talk about this. I \nappreciate the advocacy that you all are providing, and the \nsupport to all the CIOs who are currently going through the \nchallenges of this. I would like to talk for a few minutes, \nafter 20 years in and around Federal IT, to talk a little \ncandidly about some of the challenges we have seen.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Everett appears in the Appendix \non page 91.\n---------------------------------------------------------------------------\n    The events of the last year have obviously shown the \ncritical importance of our IT and the challenges of legacy, \nwhether that was supporting people impacted by COVID or some of \nthe recent cybersecurity incidents that we are still grappling \nwith.\n    I would begin here suggesting, as a few people have talked \nabout, that it is important to talk about what constitutes \nlegacy IT, and I think it is a broad definition. It is not \nmerely the electronic systems. Fax machines are probably the \nmost common legacy IT in the U.S. Government. There is so much \nthat is on paper right now that I think is a huge problem, and \nit is preventing us from serving our customers, citizens.\n    I think this is important because the way that we value our \nelectronic systems and IT is primarily data. Data is what we \nuse to measure. We understand how we are doing. We are \nproviding value with data. When that data is locked into paper, \nin warehouses--and I have been to a few of those warehouses \nthat we own as the Federal Government--that is data and value \nthat is locked away from us to use.\n    When I was CIO at the Department of Energy, we spent a good \namount of time, and it started on the front end, moving to \ndigitizing documents, and that was both to provide better \nservice, but it was also to free up some of that value of data. \nThat data could help us drive our management better, it could \nhelp us serve better, not only citizens but everyone doing the \nmission in the Department, and that is really what we are \nsupposed to be there for.\n    I want to really quickly talk, and people have already hit, \nI think, on these two subjects. Most of the time in IT we talk \nabout people and we talk about process. Renee already, I think, \nmentioned very well some of the people problems that we have in \ngovernment. I can tell you that our human capital system needs \ndramatic improvement. We simply cannot compete. We cannot even \nget access to some of the people that we need to recruit in \ngovernment if we are going to move to the cloud. If we are \ngoing to move to managed services, those are new skill sets. \nThere is a place for retraining our employees, but right now we \nare not doing that very well either. I think it is important to \ncontinue to look at that issue of human capital.\n    I can tell you, as a CIO, I had a number of authorities on \npaper to be able to go and hire new people, to use more \ncreative ways of hiring. It was rare that I was ever able to \nuse those. I would walk into meetings with people, having \nprinted out documents from the OPM website stating my \nauthorities to be able to hire, and yet was unable to use them. \nThat is a critical failure that has to change, and it is a \ncommunication issue, and it is an oversight issue.\n    I do also want to very quickly mention, with gratitude, \nthat I know Congress recently allocated more money for the U.S. \nDigital Service (USDS) and other groups. I think that is \nimportant. The U.S. Digital Service is an opportunity to bring \nin some very experienced people from digital backgrounds who \nwant to serve the U.S. Government, and that is great. My \nencouragement for them is that they focus on sustainable, \ncommercial solutions. Those are the things that will last. \nThose are the things that the current CIOs are actually going \nto be able to sustain with the workforce that we have. I think \nthat is important.\n    I also want to quickly mention contractors. We cannot \ndiscuss the people issue in government without talking about \ncontractors. In most departments, the number of contractors in \nIT typically outnumbers the Feds by 3 or 4 to 1, or more, and \nwe need to understand that if we are going to deal with that \nproblem.\n    I very quickly, then, want to jump into a couple of things \nI know we will talk about further. We already mentioned TMF. I \nam a strong proponent of TMF. TMF is not about the money, \nalthough we certainly appreciate the billion dollars that have \ngone to TMF that will radically change that program. It is \nabout the process of actually getting those grants, what you \nhave to go through. It changes the way that we should be \nmanaging IT in government. I think TMF is important.\n    I cannot let the opportunity pass without mentioning, I \nknow that there have been some conversations about waiving the \nrepayment. I would encourage that to be given some thought. I \nam supportive of it, as long as the process is followed. The \nTMF process is as important as the money, because it means we \nare counting our costs, we are looking for savings, and we are \nmanaging things in the way we would expect anybody to manage \nour own money. I think that is critically important in all \nthose conversations, and to make sure that the TMF money that \nhas gone over goes to the TMF process, that it goes through the \ncommittee and the board that is there, and goes through proper \noversight. I think that is critical.\n    With that I will conclude my remarks and look forward to \nyour questions.\n    Senator Hassan. Thank you to all of you for your excellent \ntestimony. We are now going to go to rounds of questions from \nMembers of the Subcommittee. I will start. Each round will be 7 \nminutes, and do try to be mindful of Senators trying to move to \nother witnesses as you give your answers, please.\n    Why don't I start with a question to Mr. Walsh. I would \nlike to start by identifying the costs and consequences of \nrelying on legacy IT. We have established what we mean by \nlegacy IT, namely systems no longer supported by industry \nvendors or custom systems that are difficult to manage and \nadapt over time. However, what is more difficult to define are \nthe costs, both quantitative and qualitative, that continued \nreliance on legacy IT produces.\n    Mr. Walsh, how does GAO determine costs associated with \nlegacy systems, and how can agencies improve their \nidentification and reporting of these costs?\n    Mr. Walsh. Identifying costs associated with legacy systems \nis more difficult than one might think. As Mr. Everett noted, \nthe fax machines do not show up on a spreadsheet. They are hard \nto figure out. You can look at our inventory of IT systems, but \nwe finished getting a complete inventory of our software \nlicenses for each of the major CFO Act agencies this past year. \nWe still need to work on getting better inventories of what IT \nwe have out there before we can fully capture the cost.\n    There is a nascent effort underway called technology \nbusiness management (TBM), which would closely tie accounting \nsystems to our IT oversight and management systems, which would \nhelp allow us to better track where the money is going. But to \nanswer your question, there is no good way right now to \nidentify all of the legacy IT in government.\n    Senator Hassan. I want to follow up with that, because as I \nmentioned in my opening statement, roughly one-third of total \nFederal spending on IT went toward legacy systems in 2020, but \nmany experts believe that that number does not capture the \nwhole picture.\n    Mr. Walsh, what are we leaving out of our calculations on \nlegacy IT costs? How can we better factor in qualitative or \nperformance costs associated with legacy IT systems?\n    Mr. Walsh. One of the biggest issues with the dollar amount \nis the $90 billion that this is all predicated upon is \ndramatically understated. That $90 billion does not include \nweapons systems, satellites, or supercomputers. There is a lot \nof IT in the government that one might think, ``Hey, that is \ncertainly IT,'' that actually is not included in that number.\n    Getting all of that IT accounted for is the first big step. \nOnce it is accounted for, having that accounting system tie \ninto our technology management would help us get better to see \nif the money is going for specific hardware or software usages. \nBut this is not a silver bullet, easy fix. This is going to \ntake time.\n    Senator Hassan. Thank you, and I will follow up with you on \nthat probably in another round of questions.\n    But let me move on to Ms. Coleman right now. The American \npeople pay the price of failing to modernize legacy IT systems. \nThe U.S. Government ranks among the lowest industries in \ncustomer satisfaction.\n    Over the past year, in particular, my office has received \nhundreds of messages from constituents struggling to access \npassports and visas, unemployment benefits, economic stimulus \npayments, benefits information from the Department of Veterans \nAffairs (VA), and information on filing taxes. We have also \nheard from Federal employees like those at the National \nPassport Center in Portsmouth, New Hampshire, who want to \nrespond to the needs of the American people but simply cannot \ndo it because of their limited IT capabilities.\n    Much of this is due to the antiquated paper-based systems \nthat cannot support 21st century agency missions or respond to \nchanging requirements during a pandemic. Ms. Coleman, how \nimportant is it for agencies to recognize that failing to \nmodernize means failing to serve the American people?\n    Ms. Coleman. Thank you, Chair Hassan. I think it is a vital \nissue, because, as you point out, we interact with the \ngovernment on really critical services that we count on, and if \nthose services are not delivered effectively there is a cost. \nThere is a cost in terms of employee productivity and in terms \nof our time as citizens and as the public. There is also a \npublic trust at stake. There is a confidence in the ability of \ngovernment to deliver what we are anticipating as taxpayers and \nas citizens. I think that public trust is one of the key costs.\n    I think that it starts from the way government has been \ndesigned and operated. Our systems reflect the way the \ngovernment is set up, sort of from the inside out, with the \nprograms designed around different siloed functions. As we \ninteract with government we do not think that way, but we are \nforced to navigate the complexity of that bureaucracy. I think \none criterion to change this is to start to think from the \noutside in, from the point of view of the customer or the \nresident that is navigating that process.\n    There are very encouraging success stories. For example, \nU.S. Department of Agriculture (USDA) has created farmers.gov, \nwhich is a portal for all services delivered by the U.S. \nDepartment of Agriculture, so you do not have to navigate \nseparate programs for crop loans or disaster insurance or \nconservation research. All of these things have been integrated \nand delivered in a holistic way, and it offers an example for \nothers to be mindful of.\n    Senator Hassan. Thank you.\n    Let me follow up. Mr. Walsh, can you describe agency \nefforts to prioritize customer experience through IT \nmodernization? Ms. Coleman mentioned one at the Department of \nAgriculture, but I think the Department of Education also comes \nto mind as a leader that has used IT modernization to improve \ncustomer service and mission readiness.\n    Mr. Walsh. That is correct. The Department of Education has \nactually modernized all of its data centers. It is now almost \nentirely in the cloud, and to its credit it is moving to get \naway from legacy. That is not say that their modernization \njourney is done, but they are a leader in that area.\n    Senator Hassan. Thank you. I am going to get through one \nmore question. Some have argued, Mr. Walsh, that maintaining \nlegacy systems, especially customer-built systems that rely on \nantiquated coding languages and lack connectivity to other \nagency systems are insulated from cyber threats and do not need \nto be modernized because they pose little risk.\n    Mr. Walsh, do you agree with this argument, and if not, \nwhat would be a better risk management strategy than simply \nmaintaining legacy IT systems in perpetuity?\n    Mr. Walsh. Legacy systems represent a security risk. They \nare not good at meeting our mission needs. They cost more to \nmaintain because a lot of times the people who can maintain \nthem are retired or, in some cases, deceased. They increase our \ncost every year. I do not think that security through obscurity \nor hoping that the bad guys do not know the system code, is a \ngood approach.\n    Senator Hassan. Thank you. Ms. Wynn and Mr. Everett, the \nagencies you have worked for both handle extremely sensitive \ninformation that may be stored on legacy systems. How did you \nbalance the need for modernizing legacy IT systems with \nmitigating risks inherent to storing sensitive information? Why \ndon't we start with you, Mr. Everett, and then quickly on to \nMs. Coleman?\n    Mr. Everett. I will quickly say that was an enormous \nchallenge for us, as Kevin already said. One of the issues you \nhave with legacy systems is you cannot put modern protections \non them--multifactor authentications, encryption. The secret of \nthose systems is to even work today they often have to have a \nnumber of these little enabling things we call system accounts \nor administrative accounts. When you are an administrative \naccount you know that is exactly what a bad guy wants to use, \nbecause once they have it they can use it to access and do \nother things in your system.\n    That is one of the dirty secrets of those older legacy \nthings. They are not protected more because people do not know \nthem, they are, in fact, enabled by a bunch of other things, \nand pretty soon it is a Rube Goldberg apparatus.\n    Security is also about resilience. One of the reasons your \nconstituents cannot get on those is because they fail all the \ntime. Why? Because they are old and they fall apart and nobody \nknows how to fix them. That, in and of itself, is a security \nrisk, because everything else in the system has to adapt around \nthat, which causes you to make all sorts of other security \ncompromises to keep it going.\n    Senator Hassan. Thank you. Ms. Coleman, very quickly on \nthat issue, and then we are going to move to other Senators.\n    Ms. Coleman. Thank you. The point is well taken, and one of \nthe key issues with securing data, many times it is good cyber \nhygiene. Estimates are that well over 50 percent of all \nincidents are due to basic good cyber hygiene. With modern \nplatforms you are really taking advantage of best-in-class \nsecurity and a partner who can assist you with that. But \nreally, ultimately, the government needs to start with basics \nand maintain good protocols.\n    Senator Hassan. Thank you very much. I thank you all for \nyour answers. Now we are going to turn to other Senators, and \nfirst up is Senator Rosen, who has been very patient and is \nvery knowledgeable on this issue. Senator Rosen, you are \nrecognized for 7 minutes.\n\n               OPENING STATEMENT OF SENATOR ROSEN\n\n    Senator Rosen. Thank you, Chair Hassan, for organizing this \nimportant meeting. Chair Hassan, you have done so much work on \nthe issue of Federal IT management. It is critically important \nto serving our taxpayers, to saving us money, to delivering \nservices, as well as boosting the morale and effectiveness of \nour Federal agency workers. I really appreciate everything that \nyou have done.\n    Of course, a common theme that has emerged from all four of \nour witnesses is the importance of the Federal workforce in \nimplementing IT modernization at our Federal agencies. I have \nto admit that I actually wrote COBOL legacy IT systems in the \n1980s and the 1990s, and so I intimately know exactly what you \nare talking about. It makes me feel a little old, but we do \nneed to move forward on this.\n    I have been working with my colleagues on this Committee \nand across the Senate to address the nation's shortage of these \nkinds of technical workers and cybersecurity workers, and \nFederal public service positions. They really should be \nattractive to those folks who want to work in tech.\n    I joined Chairman Peters and Senator Hoeven in \nreintroducing the Federal Rotational Cyber Workforce Program \nAct. It is going to provide opportunities for our civilian \ncybersecurity employees to rotate amongst various Federal \nagencies. It expands their experience, expands their \nprofessional networks, and expands their opportunities to serve \nthe country.\n    Last week I introduced a bipartisan bill with Senator \nBlackburn to allow DHS and DOD to establish a Civilian \nCybersecurity Reserve Pilot Program. It would call on former \nmilitary and civilian cybersecurity employees and others for \ntemporary assignments in the government. I think this can serve \nas a model for other agencies.\n    Mr. Walsh, in the course of GAO's reporting on your IT \nmodernization efforts, have you identified agencies that have \ndone particularly well in recruiting and retaining these types \nof employees? How do we export those best practices? If you \nhave not, does OMB and OPM play a role, and how do you see that \nrole?\n    Mr. Walsh. We have not done specific work--I should say I \nam not aware of specific work in that regard on hiring cyber \nemployees. Now I do know that, as Mr. Everett mentioned \nearlier, the U.S. Digital Service as well as 18F serve as ways \nto get private sector talent into the government. I do not know \nif they are as quick as your proposed legislation is \nconsidering. But having that venue for external talent to come \ninto the government and share ideas and propagate those ideas \nis very important.\n    CIOs also do have additional authorities that they can use \nto hire and bring in folks from the outside, but Mr. Everett \nearlier identified issues with executing some of those \nauthorities. GAO has not done specific work in that regard, but \nI am eager to work with your staff on that.\n    Senator Rosen. Thank you. I appreciate it.\n    Ms. Wynn, in your testimony, you mentioned there needs to \nbe civil servants who are working on every Federal IT project \nand that those workers need to be reskilled. You said that \nearly efforts to reskill existing Federal employees have been \nsuccessful. Can you elaborate on what type of reskilling was \nthe most successful, and what areas we need to still reskill \nin, so we might direct our efforts in creating workforce and \ntraining in that workforce pipeline?\n    Ms. Wynn. Thank you for that one. The Office of Management \nand Budget, through the Federal CIO Council, through their \nWorkforce Subcommittee, established a reskilling institution or \nprogram. A lot of Federal civil servants applied to this \nprogram. They took an aptitude test for cybersecurity, and from \nthere the top folks were taken, and yet they still had to cut \nthe number of participation to a low number, because it was our \nfirst-ever endeavor. Those folks went through some training \nprograms and proved themselves to be very capable cybersecurity \nprofessionals, and then went on to seek future employment, \nstill within the Federal Government, but in this case a job \nchange.\n    The bottom line is Federal Government workforce is \ntalented. When we show them the way and give them the time and \nthe support to get reskilled, we can take their talent and use \nthem in other places, especially in cybersecurity.\n    Senator Rosen. Thank you. I look forward to working on \nthat.\n    I would like to move on now, and again, Ms. Wynn, I want to \ntalk to you about IT modernization and support to national \nsecurity. Given your background at the Department of Energy, \nwhich houses the Nevada National Security Site, located not too \nfar from Las Vegas, it is facilities that are critical to our \nsecurity. Can you comment on why modernizing the Federal \nGovernment's IT and cybersecurity infrastructure is critical to \nour national security and safety. Particularly as it relates \nmaybe even to our nuclear stockpile, how do we move forward, \ncreate more nimble, secure platforms and firewalls to protect \nour national interests?\n    Mr. Everett. I think----\n    Ms. Wynn. Senator Rosen, why don't I get started and then \nMax Everett might be able to----\n    Senator Rosen. Perfect. I am going to him after you.\n    Ms. Wynn. That is great. I will get it started because \ncritical infrastructure, right now the space, and flying in \nspace in satellites are being thought about as critical \ninfrastructure because we rely on them for logistics. Moving \nanything around this globe requires satellites, navigation, if \nyou expect it to get there and avoid significant weather \nevents. That type of security is very challenging.\n    You need the cooperation of a number of parties, including \nall those that operate the infrastructure. You have the \nelectric grid, you have the water infrastructure, and in this \ninstance I mentioned space, and those folks have to get \ntogether and first and foremost recognize that there are real \nthreats in space, space needs to be acknowledged as an element \nof the business practice as well as part of critical \ninfrastructure. In that case, work as a team to put into place \nand take steps toward securing it better.\n    At NASA we were beginning to do that, by taking a look at \nour critical satellites and then trying to figure out the best \nway to secure them in this current environment. As noted \npreviously, we cannot bring back our older satellites and give \nthem a new operating system, but we can do things here on terra \nfirma, as I call it, to secure them better, and then we have to \napply good neighbor policies, because we fly in the same place \nas other countries, as well as the Department of Defense, and \nprivate sector. Again, working together to protect our critical \ninfrastructure is what is needed to get the job done.\n    Senator Rosen. Thank you. Mr. Everett, I know my time is \nup, but if you could be kind of quick about it, that would be \nfantastic.\n    Senator Hassan. I will add that a number of Members have \nconflicts and are not going to be able to come, so Senator, if \nyou want to take a couple of more minutes and the witness too, \nthat is fine.\n    Senator Rosen. OK. Mr. Everett, then please. Please \nelaborate.\n    Mr. Everett. I will. Thank you. You are right. The \nDepartment of Energy, one of the great challenges at the \nDepartment is the breadth of its mission. Certainly some of us \nknow that they have a nuclear mission for protecting, building, \nand designing the nuclear stockpile. But that mission stretches \nall the way down to fundamental science that is conducted with \nscientists around the planet. We have what are called user \nfacilities that are used by the top scientists around the world \nto do collaborative scientific basic research that not only \nhelps the United States, certainly, but really helps the entire \nplanet. One could argue it is almost a diplomatic role that we \nplay in science because of that. With those very divergent \nmissions it adds an extra layer of challenge for the Department \nof Energy.\n    I would say there are three sort of focus areas that we try \nto work on, that we think are the most important for that. One \nof them is simple visibility. Visibility is about being able to \nsee and understand, as we talked about, what do you have? What \nactual systems do you have? What legacy systems do you have? \nWho is on your network? That is a critical element, and it is \none we have not done very well as the Federal Government.\n    I think some of you are already aware, and it has been \ndiscussed over the last few months with the cyber incidents we \nhave had, there have been some significant challenges with the \nEINSTEIN program that needs to really be very carefully re-\nlooked at. I would tell you in our own department that was a \nchallenge of basic reporting and visibility of what was going \non across our whole footprint.\n    The second part of that is risk management, and this was \nwhere we put a lot of our focus. When you have a large \nenterprise like NASA, Department of Energy, GSA, and you have \ndivergent levels of risk, we will never have enough resources. \nWhen I was CIO, I was always glad to come and ask Congress for \nmore money, but you only have a certain amount of resources to \ngo around. Risk management is looking at what are your top \nrisks, what are your most important things, and they get the \nfirst dollar, and you find that balance.\n    That is what risk management is, and it takes real thought, \nand it takes effort, and you need to document and discuss and \nbe able to defend your efforts. We spent a significant amount \nof time because it is critically important.\n    The third element I would talk about, and it starts to go \nto what we are talking about here today with legacy and \nmodernization, is moving to new models. Some of you may have \nheard the term ``zero trust networks.'' Fundamentally, you \ncannot use zero trust networks with legacy, because they \nrequire some new tools to be able to better manage what is on \nyour network and make sure that those things can essentially \ntell other things on the system that they are allowed to be \nthere and do what they are doing. That is very difficult to \nplug into a 20-year-old system. These newer models like that \nsimply will not work in those legacy environments. They have to \nbe updated to do it.\n    Another area I would mention here is FedRAMP. FedRAMP has \nbeen around. It was started for a good purpose. I still think \nit can serve a valuable purpose. But I would tell you FedRAMP \nis far too slow. I do not know of any vendor that I talked to \nin my time at CIO or now who does not complain about the \ntimeline for FedRAMP.\n    What that means is probably FedRAMP needs some more \nresources, because what FedRAMP does is it does the baseline \nsecurity work one time, so it is a shared service. It is doing \nthat one time for everybody so that you can then start to bring \nmore innovative solutions to market more quickly in the Federal \nGovernment.\n    We are missing out on opportunities. I recently talked to a \nventure capital person. He told me, for some small and mid-\nsized companies with unique new services, primarily software as \na service, that it was taking them four to five people at $1 \nmillion and a year to go through FedRAMP. For most of these \nstartups who are coming up with new, innovative, new things to \ndo, that is not sustainable, and we are going to miss out on \nthose opportunities if we cannot improve that process.\n    Senator Rosen. Thank you. I have a closing statement, but I \nam glad to ask other questions. But one thing I know for sure \nis that good code means speed. Good code means ease of use and \ndata capture for the end user. Good code means the better the \ndata capture for analytics for our future. It saves us time, it \nsaves us money, it improves outcomes, and it helps us plan for \nthe future.\n    By modernizing these systems, by having safe, secure \nsystems, by capturing more data in consistent ways, we are able \nto predict, plan, and protect ourselves, and we have to do \nthat.\n    Chair Hassan, I am glad to continue to talk about this. I \nam not sure if someone else is in the room, but you tell me.\n    Senator Hassan. Thank you, Senator Rosen. I think right now \nit is just you and me, and I have another round of questions. \nBut if you have a couple more why don't you go ahead and then I \ncan finish up with my round.\n    Senator Rosen. You know what? I am going to hand over to \nSASC, where I think I am finally up over there. I appreciate \neveryone being here. I appreciate what you do, and I sincerely \nhope that we can try to, I guess even one system at time, \ncontinue to get off those legacy systems onto something that is \nnewer, more nimble, and allows us better data capture so we can \ncontinue to take care of everything that we need to. Thank you.\n    Senator Hassan. Thank you, Senator. Now I will turn to a \nsecond round of questions, and I appreciate the testimony you \nall have provided so far. I am going to start with this \nquestion for Ms. Wynn.\n    I have advocated for a biennial budgeting cycle where \nCongress would determine and appropriate the budget in one year \nand then year two can be spent on doing effective oversight to \ninform future spending. The current one-year cycle often leads \nto hasty decisionmaking and neglects capital investments that \ntake several years to implement, including IT modernization \nprojects designed to move away from legacy IT systems.\n    Ms. Wynn, how difficult is it to manage IT modernization \naround the one-year budgeting and appropriations cycle, and how \ndid you work within this cycle to achieve your goals? What \nwould you have done differently if there was a biennial \nbudgeting process?\n    Ms. Wynn. Thank you, Chair Hassan, for the question. One of \nthe things that I have found, first, is sort of annual \nappropriation, first thing you need to know is every time you \ncross a fiscal year with a project, and most IT projects cross \na fiscal year, you add more risk to your plan, and that is \nbecause from year to year you face the potential loss of \nfunding or the loss of people.\n    Now you have disrupted your project, and now you have most \nlikely extended when you are going to get that project done. \nThat extension, if it goes on too long, means you are \npotentially using software that will no longer be considered \nmodern or available, or could reach end of life by the time you \nuse or get that system back in operation after it has been \nmodernized.\n    What I would do is, and probably what most CIOs would do, \nis I would take my total budget and I would create a reserve, \nand that way the reserve would be used to make sure that the \nmost critical, the highest-risk projects would get funding, \ngoing into the secondary years of their project. That way I \nknew that they could be able to continue. If I did not do that, \nI would run the risk of work stoppage, and then I could lose \nthe talent of my staff, of staff from other mission areas or \nmission support, or I could even lose contractor staff, and \nthat would, again, start to slow down and add more risk to your \nproject.\n    If I had a second year added to it by a biennial, I would \nbe able to take the projects and draw a timeline of people and \ndollars, and make sure that they were spent according to it, \nand hold people accountable to a two-year increment. This would \nreduce the risk in a complex IT project, because you did not \nhave to worry about funding every few months, because by the \ntime you get appropriations finished and you get the new \nauthority money, several months in the fiscal year have gone \nby, you could actually plan about 18 months and be assured of \nthose resources, therefore reducing the risk of managing a \ncomplex IT project and you could deliver that project a lot \nfaster because you would take out that funding issue, or \nconvert the funding issue to an 18-month issue instead of a 9-\nmonth issue. That would be hugely beneficial and a great gift \nto CIOs and program and project managers around the country.\n    Senator Hassan. Thank you. Ms. Coleman, at GSA you worked \nto develop FedRAMP and streamline agency IT acquisitions in \ncoordination with industry partners. You now work for one of \nthose industry partners that is trying to help the Federal \nGovernment modernize its systems. What is the impact that the \none-year budgeting and appropriations cycle has on industry and \nits ability to support IT modernization efforts?\n    Ms. Coleman. Thank you, Chair. I agree with everything that \nRenee said about the ability to plan over long-time horizons. \nIt is almost even not a nine-month planning horizon with the \nannual cycle we have now, because of the frequency of \ncontinuing resolutions (CR), which create even greater \nuncertainty about available funding and disruption of \nresources. That alone is a complication.\n    One thing I would like to suggest as a companion idea to a \ntwo-year planning and budgeting cycle, which I think is a much \nneeded and helpful measure, is greater use of agile DevOps \ntactics to break modernization projects into short sprints that \ndeliver short and relatively quick intermediate results, so \nthat there can be fine-tuning and transparency and oversight \nthroughout the process. Any project that is intended to deliver \nresults in 2 or 3 years is going to be out of date by the time \nresults are delivered. We need to be thinking about very short, \nrapid cycles to deliver results, and the accompanying oversight \nand funding to go with it.\n    Working capital funds of previous legislation have been \nvery helpful. We used that with great success at GSA. We also \nimplemented a zero-based budget so we could see where our \nincumbent costs were and understand where we needed to place \nour dollars for modernization priorities.\n    Senator Hassan. Thank you. That brings me to another set of \nquestions, and I am going to start with Mr. Walsh, concerning \nagency modernization plans.\n    Currently, agencies are not required to develop or publish \nIT modernization plans. While many agencies have developed \nplans, some of these plans fail to establish concrete \ntimelines, cost estimates, and goals. GAO recognizes that \nhaving an IT modernization plan in place is essential to \nreducing reliance on legacy IT systems.\n    What makes these plans such a valuable tool, and how can \nagencies better leverage them to meet their goals and manage \ntheir resources?\n    Mr. Walsh. Having these plans is valuable, to get agencies \nthinking about it. In agencies that do not have a documented \nplan, we are not sure what kind of resources they are going to \nbe able to throw, what kind of timeframes, even the scope of \nthe project. Having some idea of what needs to be done is kind \nof the most fundamental step, and in our 2019 report, it was \nvery disheartening to see that three of the agencies did not \nhave a plan, an additional five had some aspects of a plan, and \nonly two really had a firm idea of what needed to be done.\n    It is critical because modernizing legacy systems is \ncritical to the government's security and privacy and how well \nwe serve our citizens. Getting our agencies to be thinking \nabout modernization is the first step.\n    Senator Hassan. Thank you for that. One other key element \nthat modernization plans, when they do exist, often omit is how \nthe agency plans to manage costs arising from maintaining a \nlegacy system while they are also implementing a modern system.\n    Let me turn to Mr. Everett now. In your time as the Chief \nInformation Officer at the Department of Energy, how did you \nmanage the competing investment needs between existing systems \nand new systems? How might agencies leverage modernization \nplans and existing resources to offset what is essentially the \ncost of the overlap?\n    Mr. Everett. I would tell you much of my experience was, to \nbe very frank, robbing Peter to pay Paul. In most cases, to do \nthose modernizations, you are going to have to take money from \nsomewhere. I think to Kevin's good point that you already \nbrought up, without a modernization plan you cannot have the \nplanning. I was, frankly, somewhat fortunate as a CIO. We had \nsome monies that were multi-year monies, that gave some level \nof help to us in being able to plan, but I know many of my \npeers had only single-year money, which was a great challenge. \nI think your discussion of a biennial is certainly helpful.\n    The other one I would bring up, certainly, is things like \nTMF, and within the MGT Act, the idea of Working Capital Funds. \nI know that there is long-held concern about Working Capital \nFunds turning into slush funds and things of that nature. I \nthink that simply means they need to have the appropriate \noversight. But they would allow that level of longer-term \nplanning.\n    Listen, anybody can put out a modernization plan, but if \nthey do not have the money to back it up or the people to \nexecute on it, it is not going to work anyway.\n    I will also say I think what Ms. Coleman said is absolutely \ncorrect. Kevin could probably sit for hours and tell us stories \nof programs that have been run in the government for multiple \nyears, these large projects, millions, if not billions, of \ndollars wasted, that did not ever come to a finish line, or \neven worse, came to a finish line, and were probably even \nreported as being on time and schedule, and yet provided no \nactual value to citizens, to anyone.\n    Breaking things up, that agile method of breaking things up \nand doing it in those smaller chunks is appropriate. There are \nvery few systems that we should be building in government \nanyway. We should mostly be using commercial. Where we do need \nto build those--and certainly Energy, NASA, and other places \nhave those use cases--they should be done in an agile way where \nyou can have some oversight, make sure they are delivering \nvalue on an iterative basis, so that you do not have to plunge \nhundreds of millions of capital expense into something, only to \ncome to the end of the road and the money is all gone. I think \nthat has happened far too often.\n    It always a challenge, again, for us. We had a little more \nflexibility, but even I had to have a lot of conversations. \nRenee made the right point--you often simply had to build a \nreserve, and that reserve was usually coming from other things \nyou would have liked to have done that were customer service-\noriented or those kind of things. It is a real trap, and it \nbuilds what we call technical debt. It is not the monetary \ndebt. It is all the things we cannot do that are a part of \nthat.\n    Senator Hassan. I thank you for that, and I am going to \ntake advantage of a rare moment in the Senate, because we have \na little bit more time and you are such an excellent panel. I \nhave two or three more questions, so bear with me. But I think \nwe are learning a lot here.\n    I want to turn now to the issue of the authority of Chief \ninformation officers. I want to start with a question to you, \nMs. Wynn. The Federal Information Technology Acquisition Reform \nAct expanded the responsibilities of agency Chief information \nofficers and requires their input on IT acquisitions to realize \ncost savings and to manage IT inventories. However, despite the \ngood intentions of this law, GAO has found that Chief \ninformation officers do not receive adequate deference on IT \nplanning, budgeting, and management.\n    Ms. Wynn, can you speak to your own experience as a Chief \nInformation Officer, both at the Environmental Protection \nAgency and at NASA, and how you worked to get institutional \nbuy-in from agency leaders to advance your IT modernization \nefforts?\n    Ms. Wynn. Chair Hassan, I would begin by saying never let a \ncrisis go to waste, when it came to exercising the authority \nand making culture changes and process changes within a Federal \nagency.\n    My first example comes when I first arrived at NASA and \nnoticed that, as Max earlier said, you need to know who and \nwhat is on your network, and NASA did not have that ability to \nlook at the network associated, used across the globe, and it \nis relied upon for the NASA flying assets, satellites. At that \npoint I could easily go to the leadership and say, ``How do you \nknow you don't have problems? How do you know you have \nproblems?''\n    We began the process of rolling on the Continuous \nDiagnostic and Mitigation Program. With that transparency, with \nthat visibility, we got to see what was on our network, and \nthere was a lot of inappropriate software and activity on the \nnetwork. Then I used that data to share with agency leadership, \nto say, ``I do not think it is OK for us to have this type of \nsoftware on NASA's network.''\n    From there I would build, with this visibility that we got, \ntell stories back to folks, and turn it around to say, ``This \nis not acceptable for a public agency,'' and use the pride that \nmy colleagues had about working for NASA to really propel us \nforward. With each fiscal year we got better at working as a \nteam by gaining that visibility.\n    Then what we did is when I mentioned the business services \nassessment, and also the follow-on to the business services \nassessment, when NASA said functional areas such as the CIO \nneeded to have control over the appropriate IT budgets. This \nwas also true for procurement. My colleague in the procurement \noffice recognized that IT needed to be procured better, and \nstood up an IT division while I was still there, and we worked \nvery closely with her to set that up. The establishment of that \nIT division meant that all IT purchases for NASA would have to \ngo through that division, and that I or my team had significant \ninfluence over that acquisition process.\n    That took about 18 months to get set up. It got going in \nfull swing after I left NASA. But by having a crisis, by having \nvisibility, and by forming partnerships, NASA was able to \ncontinually iterate in order to give the greater authority over \nto the CIO, gave IT procurement greater visibility into what \nNASA was buying, and with that visibility and with that \npartnership, each year that I was there at NASA we were saving \nabout $50 million a year on software purchases alone.\n    Real differences can be made through partnership, and I \nwill close with the same thing I started--with never let a good \ncrisis go to waste. Just stand in someone's office, make a \nfriend, and get going on fixing the crisis and changing the \nprocesses that might have created that crisis.\n    Senator Hassan. Thank you for that answer. There is a lot \nfor us to learn from that and from your experience and your \ngood work.\n    Chief information officers spend an average of 2 years or \nless in their position, so I am concerned that this short \ntenure provides very little time for CIOs to be effective or \nestablish fiscally responsible practices.\n    Ms. Coleman, you spent 12 years at the General Services \nAdministration. Do you think that your ability to stay with the \nagency for that long contributed to your success as a CIO, and \nhow so?\n    Ms. Coleman. Absolutely. It allowed me to really understand \nthe culture of the agency, and to the point Renee made, to \nbuild relationships and partnerships with senior leaders, \nbecause modernization is a team sport. It is important that \nCIOs have adequate authority. But it is also important that top \nleadership understand the role that they play in supporting \ntransformation. To the point you made earlier about the need \nfor modernization plans, it should start at the top and be a \npriority, even of the Secretary or the administrator of the \nagency, and at the political appointee level.\n    By having a long tenure at GSA, and in the role of CIO, I \nwas able to understand that, and be able to use the tailwinds \nprovided at GSA. It is an agency that provides business \nservices to other agencies, so they take pride in understanding \ntechnologies to be a good supplier and partner with other \nagencies. That gave us momentum with moving to the cloud, \nbecause we were able to tap into the culture of what the agency \nis good at, and the DNA to support it across all lines of \nauthority. That alignment, not only with leadership but also \nwith my peer, the CFOs, the head of HR, and so forth gave us \nthe unity of leadership to make real progress.\n    Senator Hassan. Thank you. I am going to now turn to Mr. \nEverett, because you had a slightly different experience at \nEnergy, because you had a brief tenure at the Department of \nEnergy, but you were also able to be extremely effective. What \ndo you recommend that current and future CIOs do to be most \neffective from their very first day, and then forward, at an \nagency?\n    Mr. Everett. I think there are some tremendous challenges \non that, and part of this gets into the conversation of \npolitical versus career CIOs.\n    Senator Hassan. Yes.\n    Mr. Everett. There is a tradeoff. I absolutely agree, the \nlongevity is critical, because they can understand the mission. \nThe political ones typically are going to have more access to \nsenior leadership, so there is a bit of a balancing act there.\n    What I would tell you is part of the reason I was able to \nbe effective is I had been in Federal Government before. I knew \nthe ropes. I knew what I was getting into. I routinely tell \npeople, as just sort of shorthand, if you are new to Federal \nGovernment, it is going to take you a year to know which way is \nup. If you are coming, no matter how smart you are, from the \nprivate sector, you are going to have to go through a whole \nyear, just to know which way is up, all the differences that \nyou have there.\n    Because of the nature of the timing--again, going back to \nbudgets--because of the timing of budget, you are going to go 2 \nyears before you are working with your own budget that you had \nany input into. When I walked in, in 2017, my initials were at \na budget formulation that had already been submitted to OMB. By \nthe time that goes clinking around through the entire process \nof OMB, back to the Hill, it is October, a year and a half \nlater. That is really challenging.\n    I have talked to people from both parties who have been \nvery involved in trying to recruit innovative leaders to come \nin as CIOs, and you will find ones that are willing to give up \nthe money. They will divest their stock. They will take a \nsalary hit. They will move their family. They are willing to \nserve our country, and then they find out, it is going to be 2 \nyears before you can actually make an impact? That is a killer, \nbecause their whole reason of doing such a thing is to make an \nimpact. If they are politically appointed, they know they have \na shelf life, and that is a really hard sale. It has made it \nreally challenging.\n    We have great career folks, as well, that have done really \ngood jobs as CIOs, without question, and so my emphasis is \ndefinitely there, of giving them more authorities. I would love \nto get some of those outside CIOs, regardless of political \naffiliation, because, thankfully, IT is the last nonpartisan \nissue in town.\n    I would love to have those people. I would love to have \nthose innovators. But we do have to have the structure so that \nthey feel it is worth the sacrifice to come in and bring that \nexperience and innovation that they have from the private \nsector. It is critical. In the meantime, we have plenty of \ngreat careers, CIOs and deputies, out there. Giving them the \ntools. FITARA is an important tool, but you have to know how to \nuse it.\n    I have been in probably the three most spread-out \nagencies--DOE, I spent time at Commerce, and at DHS. I would \ndescribe them, at best, as a feudal system, if not a mob \nfamily, and you have to be able to pick your fights. I have \nseen CIOs who have gotten run over because they did not use \nFITARA appropriately.\n    Renee made a great point. Procurement was a great ally to \nme in the process. I would tell people, walking in, your \nprocurement officer is going to be a great help. I will pick a \nfight and say, we need more support versus the CFOs. CFOs \ntypically are Senate confirmed.\n    Senator Hassan. Yes.\n    Mr. Everett. Only one CIO, VA, is Senate confirmed. In the \npecking order of this town, it is very difficult for CIOs going \nup against a Senate-confirmed CFO. You can make a great \nrelationship with them, but at the end of the day, they are \nhigher in that pecking order, and that is a challenge for many \nCIOs, because you are not sort of quite at the same level.\n    Senator Hassan. Thank you. I am going to turn to one other \ntopic before I ask you a wrap-up question, and it is something \nall of you have mentioned, but I want to focus in on it a \nlittle bit. I want to start with Mr. Everett.\n    As part of the American Rescue Plan, the Technology \nModernization Fund received $1 billion to loan to agencies in \norder to modernize IT systems. Although we do not see the \nimpact of these funds for years to come, this is a really major \nstep forward to reduce reliance on legacy IT, and I hope that \nthe fund prioritizes agency plans to replace the legacy IT \nsystems that we have discussed today.\n    Mr. Everett, as a CIO who successfully leveraged the \nTechnology Modernization Fund to move away from legacy IT \nsystems, how should agencies utilize the fund to ensure that \nthey not only have the resources and infrastructure to support \nIT modernization, but also ensure that the systems they propose \nactually reduce reliance on legacy IT while contributing to \nbetter security and customer service?\n    Mr. Everett. The first thing they should do is have the \ncourage to actually go apply for those. I think if you go look, \nI believe it is still only five agencies that have actually \nreceived TMF funds. I spent a lot of time browbeating people, \nand I know people, they were simply afraid of the oversight, \nafraid of the visibility. They were also afraid of the \nrepayment, which is why I think that has to be looked at.\n    But a lot of them--listen, from my team, the culture chain \nwas important. I had members of my team, my career team, come \nback and tell me they enjoyed the process. They went through a \nprocess that is similar to anybody who has ever worked in \nprivate sector. You can go right now to the website, the TMF \nwebsite, and go through the spreadsheets, and see the level of \ndetail that you were asked about your current cost basis and \nyour future cost basis. That is how everybody in the private \nsector runs their IT. That is exactly how we should. We should \nknow all of our costs, across the board. We should be able to \nproject them out over years. That is what any mature \norganization would do, and that is a huge value of the TMF, and \nyou need your people to do that.\n    Literally, I do not care if you do not turn it in. Everyone \nshould go do one of those today. Everybody in government. I \nthink part of it is being brave enough to step forward and go \nahead and do it, know that there is going to be that challenge. \nThere is oversight to it. The board checks in on you, so you do \nnot get a giant check.\n    Senator Hassan. Right.\n    Mr. Everett. There is a process to it, and that is \ncritically important. I would urge all of you--I have been in \nthis town 20 years. When Congress gave $1 billion to a program \nthat most people kind of do not understand, I know for a fact, \nin this town, there are people eyeballing that money, who want \nto cut the line and avoid the process. I would strongly urge \nyou to make sure that your oversight does not allow that to \nhappen. That process has to be followed. Now, it can go to all \nsorts of things, and so to your point, those legacy systems are \nprobably, arguably, the easiest ones to show, in many cases, \nwhere you can get value and return on the investment, and they \nare great.\n    But I will also mention--and this is where some of those \nwaivers need to be looked at--there are so many customer-facing \nsystems, it is very hard to document the cost savings there. \nThe customer service, we can talk about all day long. You can \nsee it with your eyes. But it may be harder to show the cost \nsavings on that system, and that is where I think we do need to \nlook at some ability to defer away costs, as long as the \nprocess is followed.\n    I am such a proponent, as you can tell, of TMF, because \nthat process leads us to how we should manage things. It should \nnot simply be giving things out to a most favored program.\n    Senator Hassan. Right.\n    Mr. Everett. We have done that too often, and that is a \ndisaster. Making people go through the process is just so \ncritical, and I think any CIO coming in right now, it is a \ngreat test of your team. Ask them to go find you--I would \nchallenge any new CIO----\n    Senator Hassan. Yes.\n    Mr. Everett [continuing]. Tell your team to find one \nprogram or system that needs to be modernized, and make them \nfill the form out and take a look at it, and you should be able \nto tell right there, do they know their costs, do they know \ntheir systems, do they understand how to project that budget? \nIf they do not, get help.\n    Listen, there are some great groups in town, some truly \nprivate sector associations, that will come in, free of charge, \nand come help you with your acquisition and your budget \nprocess, and they are not trying to sell you anything.\n    Senator Hassan. Yes.\n    Mr. Everett. As well, Kevin mentioned TBM. Another great \nprocess you can go through to understand, in a very modern way, \nhow your costs should be managed. There is help out there for \nanybody who is looking for it in the Federal Government right \nnow, if they are willing to reach out.\n    Senator Hassan. Thank you. I am going to turn to Ms. \nColeman, too, about Working Capital Funds. I will also note \nthat one of the issues you raised is how we go about qualifying \nand quantifying customer service value, right? Because, \nobviously, for taxpayers, our goal should be to make the \ninterface with the Federal Government as customer friendly as \npossible, since taxpayers are footing the bill here. Trying to \nfigure out a way to really assess value there, I think is \nreally important.\n    Ms. Coleman, Working Capital Funds are another mechanism \nthat agencies can use to support their IT modernization \npriorities, outside of the one-year budgeting and \nappropriations cycle. While some agencies have the authority to \nestablish these funds under the Modernizing Government \nTechnology Act, some agencies were not given the authority, \nwhich is a technical error that I hope to address in future \nlegislation.\n    Ms. Coleman, the General Services Administration \neffectively uses Working Capital Funds and fees generated from \nits governmentwide services to fund its mission. Can you \ndescribe how GSA uses savings produced from modernization \nprojects to keep the Working Capital Fund going?\n    Ms. Coleman. Yes. Thank you. One of the keys is to take a \nportfolio approach, and I completely agree with what Max said \nearlier about the Working Capital Funds. Modernization, in and \nof itself, will incur cost and complexity when viewed in \nisolation. One way to counterbalance that is to look across all \nsystems and all investments, and to be able to do puts and \ntakes in a portfolio-based approach. If you have a Working \nCapital Fund, you can know your money and you can time the \nmodernization according to your risk management and according \nto your most critical systems first, or the ones that deliver \nthe greatest impact.\n    As it pertains to customer service, that is a qualitative \nmeasure, not so much quantitative measure.\n    Senator Hassan. Yes.\n    Ms. Coleman. But the ability to stay up to date with \nplatforms that are maintained by the vendor, rather than having \nto continually invest with agency resources for these big \nupgrades every 2 or 3 years, provides cost savings along the \nway as well.\n    Senator Hassan. Thank you. Mr. Walsh, from GAO's \nperspective, what are the advantages or disadvantages of \nrelying on the Technology Modernization Fund, or Working \nCapital Funds, to resource IT modernization rather than \nrequesting funding through the annual budget requests?\n    Mr. Walsh. As the other witnesses have noted, the TMF \nallows agencies to kind of shortcut the budget cycle. Now, it \nis still a loan. It is not a free gift to go out and spend \nwilly nilly. You go through the application process. I will \nalso note that the process, as described, going through TMF \nthat Max talked about, is very similar to having the \nmodernization plans that we described. You have to have some \nidea of the work to be done, the timelines, and a plan to turn \noff the old system.\n    The disadvantage to the TMF is that it is linked to \nspending and cost savings. There are times where we need to \nmodernize systems, and they will not save money.\n    The OPM breach that we talked about earlier----\n    Senator Hassan. Yes.\n    Mr. Walsh [continuing]. The government had the choice to \nmodernize those networks and systems to allow the data to be \nencrypted when it was at rest. It was a tradeoff. I am sure if \nOPM wanted to go back in time and had that decision to make, \nthey would absolutely spend the money to modernize that. But \nthey would not save any money by doing that modernization.\n    Modernization is not about cost savings. It is about better \nservices to our citizens, privacy, security. Cost savings can \nbe a part of it, but there is a lot more to this decision than \njust the money.\n    Senator Hassan. Thank you. That concludes the rounds of \nquestions I had. I am going to ask you all one wrap-up \nquestion, and just double-check with staff--we are good on \nother Senators, right? OK.\n    First of all, all four of you have been so generous, not \nonly with your time this morning and your preparation for this \nhearing but with your expertise and your clear engagement with \nthis issue and desire to help the Federal Government do its \nwork much better in modernizing the IT sector at a time when we \nso desperately need to do that, for all the reasons, among \nothers, that the pandemic has really laid clear. Thank you for \nyour service, for your expertise, and for your testimony today.\n    As we wrap up, I will ask each of you this, and I will \nstart with Ms. Wynn. Could each of you describe what, in your \nopinion, is the greatest challenge presented by the sustained \nuse of legacy IT systems? If you already feel like you have \ntalked about it, just go ahead and say that. But I really do \nnot want to let this opportunity go without giving you all a \nchance to focus on that.\n    Ms. Wynn, we will start with you.\n    Ms. Wynn. Great. Thank you, and thank you again for the \nhonor to testify today. It is a great pleasure of mine to \ncontinue to give to the United States Federal Government after \n30 years of service.\n    I would say the greatest challenge presented to us today \nare agency and department cultures. They must recognize that IT \nmodernization is part of the path forward for the United States \ngovernment to quickly and securely deliver new or better \nquality services to the American public. This needs to be done \nwith a positive customer experience, and finally, it must be \ndelivered in a way that improves national security and not poke \na hole through it.\n    Again, it was an honor to be here and to be with my former \ncolleagues as well. Thank you.\n    Senator Hassan. Thank you, Ms. Wynn. Mr. Everett.\n    Mr. Everett. I would say I hope that we have covered it \nwell for you. I would summarize by simply saying missed \nopportunities. To me, this challenge is we are missing \nopportunities across the board, opportunities to secure our \nsystems, opportunities to entice people with new and innovative \nskills into government, and opportunities to serve the citizens \nof the country. All of those, they are these missed \nopportunities, over and over again, that we were stuck in these \nsystems.\n    Again, that word I used, technical debt, but that is what \nit means. It is not the money. As Renee said, it is the \nculture. It is so many of these things that we are missing out \non, these missed opportunities, that we could get simply by \ndoing some basic modernization of systems. The flow-down effect \nwould be really, I think, dramatic in so many different areas.\n    That is the part that disappoints me, but right now it also \nexcites me, because we have gotten new resources, we have the \nattention of Congress and other folks. We have some really \ngood, new opportunities right now, and everyone has seen the \nvalue that IT can bring to life and to meeting challenges. Just \nafter this last year of dealing with COVID, there are so many \nthings we are able to do because of technology. I think there \nis a unique time of recognition of that. I would love to see \nthat progress, not pause but accelerate in 2021.\n    Senator Hassan. Thank you. Ms. Coleman.\n    Ms. Coleman. Chair Hassan, I think it is a mark of how \naligned we all are that when you asked this question I wrote \ndown ``culture change'' and ``missed opportunities,'' just like \nRenee and Max. I think that, just to double down on that \nstatement, modern technology allows us to do things not just \nbetter but things we could not do before, and I think that is \nthe missed opportunity if we do not modernize.\n    I will give you one very quick example. The pandemic has \nillustrated so many areas where government is so critical to \nthe well-being of the public. In New Mexico, unemployment \nclaims spiked by 600 percent when people were thrust out of \nwork, and call center workers were sent home, and they were not \nable to process claims in a timely way.\n    We had the opportunity to help them with a virtual contact \ncenter, which allowed their workers to work from home, but also \nwith chatbots. It let them answer questions in an automated \nfashion, and take some of that burden off of the call center \nagents to focus on the higher-value need, and get economic \nrelief into the community quickly.\n    There are things that can be done that we are not taking \nadvantage of, at every level of government, and I think that \nthe time is now to rethink that. Thank you.\n    Senator Hassan. Thank you. Mr. Walsh.\n    Mr. Walsh. It is hard to imagine a government function that \nis not somehow tied to IT. As we go along, IT has become more \nand more complex. If you look back, again to the Voyager \nprobes, those were written with 3,000 lines of COBOL code. We \nhave come a long way since then. Modern technology requires \nmillions, if not billions, of lines of code.\n    The problem is the longer we wait to modernize, the longer \nwe procrastinate, the more it is going to cost, both in terms \nof money, in terms of breaches, in terms of security, in terms \nof lost--to quote my peers--lost opportunities, ways that we \ncould have better served our citizens.\n    It is an issue of procrastination. We need to act. We need \nto act now.\n    Senator Hassan. Thank you. Thank you to all four of you, \nfor your time and your testimony this morning. To Kevin Walsh, \nCasey Coleman, Renee Wynn, and Max Everett, your testimony \nprovided really valuable insights on this topic, and your \ncontributions to improving Federal IT systems in a fiscally \nresponsible way are really appreciated.\n    As I mentioned in my opening statement, this hearing is the \nfirst on the costs and challenges presented by reliance on \nlegacy IT systems, and I look forward to continuing this \nimportant oversight work, to save taxpayer dollars, to deliver \ngovernment services more efficiently, and to keep government IT \nsystems secure.\n    The hearing record will remain open for 15 days, until 5 \np.m. on May 12th, for submissions of statements and questions \nfor the record.\n    This hearing is now adjourned.\n    [Whereupon, at 11:27 a.m., the Subcommittee was adjourned.]\n\n                            A P P E N D I X\n\n                              ----------   \n                              \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                              \n\n\n\n\n                                 <all>\n</pre></body></html>\n"