[Senate Hearing 117-38]
[From the U.S. Government Publishing Office]




                                                         S. Hrg. 117-38
 
                CONTROLLING FEDERAL LEGACY IT COSTS AND
             CRAFTING 21ST CENTURY IT MANAGEMENT SOLUTIONS

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                EMERGING THREATS AND SPENDING OVERSIGHT

                                 of the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             APRIL 27, 2021

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        
        





             U.S. GOVERNMENT PUBLISHING OFFICE 
45-043 PDF           WASHINGTON : 2021 

        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
                Pamela Thiessen, Minority Staff Director
    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk


        SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT

                 MAGGIE HASSAN, New Hampshire, Chairman
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                     Jason Yanussi, Staff Director
            Allison Tinsey, Counsel for Governmental Affairs
                 Greg McNeill, Minority Staff Director
                Adam Salmon, Minority Research Assistant
                      Kate Kielceski, Chief Clerk
                      
                      
                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Hassan...............................................     1
    Senator Rosen................................................    13
Prepared statements:
    Senator Hassan...............................................    29

                               WITNESSES
                        Tuesday, April 27, 2021

Kevin Walsh, Director, Information Technology and Cybersecurity, 
  U.S. Government Accountability Office..........................     3
Casey Coleman, Former Chief Information Officer (2007-2014) at 
  the U.S. General Services Administration.......................     5
Renee P. Wynn, Former Chief Information Officer (2015-2020) at 
  the National Aeronautics and Space Administration..............     7
Max Everett, Former Chief Information Officer (2017-2020) at the 
  U.S. Department of Energy......................................     8

                     Alphabetical List of Witnesses

Coleman, Casey:
    Testimony....................................................     5
    Prepared statement...........................................    72
Everett, Max:
    Testimony....................................................     8
    Prepared statement...........................................    91
Walsh, Kevin:
    Testimony....................................................     3
    Prepared statement...........................................    31
Wynn, Renee P.:
    Testimony....................................................     7
    Prepared statement...........................................    86

                                APPENDIX

Responses to post-hearing questions for the Record:
    Mr. Walsh....................................................    95
    Ms. Coleman..................................................   100
    Ms. Wynn.....................................................   102
    Mr. Everett..................................................   105


                  CONTROLLING FEDERAL LEGACY IT COSTS

           AND CRAFTING 21ST CENTURY IT MANAGEMENT SOLUTIONS

                              ----------                              


                        TUESDAY, APRIL 27, 2021

                                     U.S. Senate,  
                       Subcommittee on Emerging Threats and
                                        Spending Oversight,
                    of the Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10 a.m. in 
room 342, Dirksen Senate Office Building, Hon. Maggie Hassan, 
Chair of the Subcommittee, presiding.
    Present: Senators Hassan, Sinema, Rosen, Ossoff, Scott, and 
Hawley.

             OPENING STATEMENT OF SENATOR HASSAN\1\

    Senator Hassan. Good morning, everybody.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Hassan appears in the 
Appendix on page 29.
---------------------------------------------------------------------------
    I want to start by thanking all of our witnesses for 
appearing today to discuss controlling Federal legacy 
information technology (IT) costs and crafting 21st century IT 
management solutions. I also want to thank Ranking Member Paul 
and his staff for working with us on this hearing and for our 
continued partnership to address wasteful spending and 
government inefficiencies. Even though Ranking Member Paul is 
unable to join us this morning, I look forward to addressing 
the threats posed by the Federal Government's failure to 
maintain a modern and agile information technology 
infrastructure.
    Today is the first of multiple hearings on Federal legacy 
IT systems. By shining a light on this important issue, I hope 
that agencies will work to reduce their reliance on costly 
legacy IT systems, in partnership with Congress, the Biden 
administration, and industry stakeholders.
    Today's hearing will focus on identifying the costs and 
consequences of legacy IT, as well as the institutional 
barriers to modernization. According to the Office of 
Management and Budget (OMB) and Government Accountability 
Office (GAO), in fiscal year (FY) 2020, the Federal Government 
spent nearly $90 billion on IT investments and operations. 
Based on analysis of agency expenditures, legacy IT maintenance 
costs accounted for one-third, about $29 billion, of that total 
spending. However, the actual cost is estimated to be much 
greater when we consider legacy IT's negative effects on 
security, delivery of services, and customer experience.
    To frame our discussion we should have a common definition 
of legacy IT. The term ``legacy IT'' describes the Federal 
Government's use of old technology or custom systems designed 
to support insular agency operations. That is, legacy IT 
includes technology and systems that are no longer supported by 
industry vendors, as well as those that require additional 
maintenance or specialized knowledge to operate.
    We have seen the consequence of relying on legacy IT 
systems. For example, in 2014, hackers stole the personal 
information of more than 20 million people from the Office of 
Personnel Management (OPM), because they were able to breach 
OPM's vulnerable legacy IT systems that lacked encryption. 
Despite this breach that was clearly linked to a failure to 
modernize, OPM still relies on a 34-year-old legacy IT system 
that costs $45 million annually, roughly one-third of OPM's 
annual IT budget, even though a modern system would only cost 
$10 million and produce $16 million in cost savings.
    At the Internal Revenue Service (IRS), the system used to 
annually process millions of tax documents is more than 50 
years old, and relies on a programming language called the 
Common Business-Oriented Language (COBOL), which was invented 
in 1959. In 2018, implementation of the 2017 tax law hit a 
major roadblock due to a shortage of staff with the specialized 
knowledge needed to update COBOL-based tax processing systems. 
IRS estimates that it costs $15.9 million annually to operate 
this system, and 60 percent of those costs are for labor alone.
    During the coronavirus disease 2019 (COVID-19) pandemic, 
IRS faced additional challenges because many of its aging 
systems rely on paper rather than digital records, paper that 
was inaccessible to IRS employees who were working remotely. As 
a result, the American people felt the burden of delayed tax 
returns and economic stimulus payments.
    Similarly, in 2016, the Social Security Administration 
(SSA) was forced to rehire retirees to maintain the COBOL 
system used for making payments to beneficiaries and their 
dependents. These systems cost the Social Security 
Administration about $146 million annually to operate. However, 
the Social Security Administration estimates that it would only 
cost $25 million over 5 years to modernize the system, and that 
would significantly improve functionality and security as well 
as eliminate the need for specialized programmers.
    This begs the question, what are agencies waiting for? What 
is holding them back from realizing significant cost savings, 
increasing security, and providing greater customer service 
delivery through reducing their reliance on legacy IT?
    In addition to the costs and consequences of relying on 
legacy IT systems, today's hearing will also discuss the 
institutional barriers that prevent agencies from moving 
forward with their modernization efforts. Our distinguished 
panel includes the Director of the Government Accountability 
Office's Information Technology and Cybersecurity team, as well 
as three former Federal agency Chief Information Officers 
(CIOs) who navigated the challenging IT modernization landscape 
and successfully moved their agencies away from legacy IT 
systems. I look forward to hearing from all of our witnesses 
about how they achieved success by leveraging available 
resources and by being innovative.
    Now we are going to move to the testimony of our witnesses, 
but before we do that it is the practice of the Homeland 
Security and Governmental Affairs Committee (HSGAC) to swear in 
witnesses. If you will all please stand, including our one 
witness who is remote, and raise your right hand.
    Do you swear that the testimony you give before this 
Subcommittee will be the truth, the whole truth, and nothing 
but the truth, so help you, God?
    Mr. Walsh. I do.
    Ms. Coleman. I do.
    Ms. Wynn. I do.
    Mr. Everett. I do.
    Senator Hassan. Thank you. You may be seated.
    Now we are going to start with the testimony of each 
witness, and I will introduce each witness and then they will 
go forward with their testimony.
    We will start with Kevin Walsh. Our first witness today, 
Mr. Kevin Walsh, is Director of the Cybersecurity and 
Information Technology team at the Government Accountability 
Office. He led the team that identified the 10 Federal legacy 
IT systems most in need of modernization. Mr. Walsh has 15 
years of experience at GAO, where he has led reviews of chief 
information officer authorities, management of legacy IT 
systems, and assessments of IT-related risks.
    Welcome, Mr. Walsh. You are now recognized for your opening 
statement.

 TESTIMONY OF KEVIN WALSH,\1\ DIRECTOR, INFORMATION TECHNOLOGY 
    AND CYBERSECURITY, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Walsh. Chair Hassan, Ranking Member Paul, and Members 
of the Subcommittee, thank you for inviting GAO to testify on 
this important issue.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Walsh appears in the Appendix on 
page 31.
---------------------------------------------------------------------------
    Generally, we envision legacy systems as archaic government 
computers, stuffed in a basement with fluorescent lights 
dismally flickering above, or perhaps in the warehouse next to 
Indiana Jones' Ark of the Covenant. While we do not need 
Harrison Ford for any IT systems that I am aware of, there are 
certainly government systems that are in desperate need of 
modernization.
    In our 2019 report on the topic, we asked agencies about 
their critical legacy systems that were most in need of 
modernization. In total, the agencies identified 65 systems 
which were, on average, about 24 years old. These systems 
support some of the most critical functions in government, such 
as wartime readiness, student loans, the operation of dams and 
power plants, tax processing, and Social Security payments.
    We took a deeper dive into the 65 systems and flagged the 
10 systems that we thought were the most vulnerable and in need 
of modernization. Some were operating with known 
vulnerabilities or were written in older code, such as COBOL or 
assembly languages, and others had hardware or software that 
was no longer supported by the vendor. As the recent hacks of 
the software supply chains demonstrate, we have no shortage of 
bad actors in the world willing to take advantage of 
vulnerabilities like these.
    We also asked the agencies that owned these 10 systems some 
very basic questions. Do you have a modernization plan? Does 
your plan include timeframes, a description of the work, and a 
plan to turn off the older system? Disappointingly, only the 
systems at the Department of Defense (DOD) and the Department 
of Interior (DOI) had these things in place. Further, there 
were no modernization plans for the systems at the Department 
of Education, the Department of Health and Human Services 
(HHS), and the Department of Transportation (DOT).
    To be fair, the hardware these systems ran on was not as 
old as their software. The hardware averaged a bit over 7 years 
old. However, to put that in context, Amazon made news early 
last year when it extended the useful life of its servers from 
3 to 4 years.
    In general, as our servers get older, and our systems with 
them, they cost more to secure, more to maintain, do not always 
meet mission needs, and, in some cases, the only people who can 
update them are retired. Basically, we are balancing cost, 
staffing, security, and functionality.
    To keep the lights on and systems running, we are accepting 
risks that, in hindsight, may not make sense. For example, as 
the Chair noted, OPM reported that some of its networks were 
too old to implement encryption, a rather important security 
step.
    Looking forward, modernization decisions need to carefully 
consider the following: how risky it is going to be, including 
risks to security and privacy; the criticality of the system; 
the cost to modernize or maintain the current system; potential 
cost savings; whether mission needs are being met; and if 
additional functionality or performance can be gained.
    After considering all of that, there will undoubtedly be 
instances where modernization may not make sense. For example, 
National Aeronautics and Space Administration (NASA) uses 
Fortran code to communicate with the Voyager space probes that 
we launched in 1977. We cannot catch and upgrade that hardware.
    On the other hand, we also identified a system at the IRS 
that reported annual labor and operating costs of about $16 
million. The IRS reported that it would cost a staggering $1.6 
billion to upgrade that system.
    We have also noted that agencies may not have a complete 
picture of their legacy systems. OMB drafted guidance in 2016, 
that would have required agencies to identify, evaluate, and 
prioritize their IT investments to make modernization 
decisions. Sadly, that guidance was never finalized.
    Until agencies are able to identify all of their legacy 
systems, assess them, and document their plans for 
modernization, they run the risk of wasting money on systems 
that are not meeting mission needs or are likely putting the 
agencies at risk.
    This concludes my comments, and I look forward to your 
questions.
    Senator Hassan. Thank you very much. Next we will move to 
Casey Coleman. Ms. Coleman is the Senior Vice President for 
Digital Transformation at Salesforce. In this role, she is 
responsible for developing strategies and solutions for 
government customers looking to modernize their IT systems. 
Prior to joining Salesforce, Ms. Coleman served as the Chief 
Information Officer at the General Services Administration 
(GSA), where she led several modernization initiatives, 
including the first agency-wide move to cloud-based email and 
collaboration platforms. She also led Federal efforts to 
develop the FedRAMP standards for cloud services and 
cybersecurity.
    Welcome, Ms. Coleman. You are now recognized for your 
opening statement.

TESTIMONY OF CASEY COLEMAN,\1\ FORMER CHIEF INFORMATION OFFICER 
    (2007-2014) AT THE U.S. GENERAL SERVICES ADMINISTRATION

    Ms. Coleman. Thank you, Chair Hassan, Ranking Member Paul, 
and Members of the Subcommittee for the opportunity to speak on 
today's important topic. It is very timely, because we have 
been talking about modernizing Federal IT for a long time, and 
it has been a priority, but the prospects for progress have 
been significantly improved with the emergence of modern, 
cloud-based digital platforms. The world's largest banks, 
manufacturers, retailers, and health care companies are already 
transforming their operations and customer service by embracing 
the cloud. The Federal Government can do the same.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Coleman appears in the Appendix 
on page 72.
---------------------------------------------------------------------------
    All of us engage with the government through interactions 
like paying taxes, adhering to regulations and laws, and 
receiving benefits and services, and IT has become the critical 
enabler to carry out vital missions of the government, such as 
defending the Nation, providing economic stability, and 
improving public health. It is in all of our best interests 
that government and its IT systems work well.
    But too often legacy IT is not an enabler but a concrete 
barricade, making the experience for employees and customers 
fragmented, opaque, and confusing. When I first came into 
government I was surprised to see how our systems did not work 
for us. We worked for them. I could not believe how the 
technology slowed us down and frustrated our efforts to 
collaborate. These are commonplace issues, and they do not 
really inspire trust or confidence.
    Meanwhile, in our personal lives, as consumers and 
customers, everything is online and mobile, personalized and 
accessible any time. We expect the same of government, but this 
creates a growing gap between what we expect and what is being 
delivered.
    The COVID pandemic really highlighted this growing gap. 
This was a crucial moment of need, and the organizations that 
delivered successfully, public sector and private, were those 
that moved to the cloud, so their employees could work from 
anywhere and deliver services online. We saw years of 
modernization compressed into a few months, from telehealth 
services to paycheck protection loans, employee wellness 
checks, and contact tracing.
    These programs were not on anyone's radar before the 
pandemic, so what made the difference? Moving to the cloud, 
with access to rapid innovation and secure online services from 
the commercial platforms already serving the world's largest 
companies.
    Why does this matter? For a farmer, they can get their 
crops in the ground by not getting off the tractor and going 
into town to get their crop loan but rather by doing it through 
a mobile app on their phone, not wasting time. For a veteran 
seeing their doctor by video means they continue to receive the 
treatment they need and the benefits they have earned.
    This pivot is important for government employees as well. 
No one comes into the government to step backward in time and 
do things the old way, with brittle tools that were state-of-
the-art decades ago. They want to serve a mission and make a 
difference. If we want to recruit and retain talented public 
servants who have a choice, we have to give them tools to 
empower them and make their work effective.
    I am especially passionate about this because I have seen 
it first-hand. As the CIO for GSA through much of the Bush and 
Obama Administrations, I had the privilege of leading a 
multiyear modernization program to move GSA to the cloud and 
improve service delivery. When the Obama Administration 
announced the Cloud First policy, we led the way, becoming the 
first to move the entire agency to cloud platforms for email, 
collaboration, and productivity tools.
    Our previous system was on really old hardware. We did not 
know when it went down. I used to send myself emails at nights 
and weekends to make sure it was still working. By moving to 
the cloud, we had all our tools available anytime, anywhere, 
and when weather emergencies like Superstorm Sandy shut down 
all Federal offices, GSA kept going, working remotely as they 
have through the pandemic.
    In closing, modern cloud platforms are a complete game-
changer for improving government service delivery and mission 
execution. I do not mean to suggest this is a silver bullet, 
and I have included recommendations in my written testimony for 
other reforms, but all of these factors only click when you add 
the cloud.
    Thank you, and I look forward to questions.
    Senator Hassan. Thank you, Ms. Coleman.
    We are now going to turn to the witness who is joining us 
remotely, Ms. Renee Wynn. Welcome, Ms. Wynn.
    From 2015 to 2020, Ms. Wynn was the Chief Information 
Officer for the National Aeronautics and Space Administration. 
She retired from NASA last April following a 29-year career in 
Federal service that included 9 years spent in Federal 
information technology. During her time at NASA, Ms. Wynn was a 
critical and creative leader in the formulation and 
implementation of the Modernizing Government Technology (MGT) 
Act, and she worked on several projects to reduce the agency's 
reliance on legacy IT systems. She now operates her own 
consulting firm.
    Welcome, Ms. Wynn. You are now recognized for your opening 
statement.

TESTIMONY OF RENEE P. WYNN,\1\ FORMER CHIEF INFORMATION OFFICER 
       (2015-2020) AT THE NATIONAL AERONAUTICS AND SPACE 
                         ADMINISTRATION

    Ms. Wynn. Good morning, Chair Hassan, and distinguished 
Members of the Subcommittee. I am honored to be here to testify 
today on the importance of IT modernization. Now is an ideal 
time for departments and agencies to focus on large, complex IT 
modernization projects. Many lessons have been learned about 
remote working and delivering Federal services during the COVID 
pandemic. These lessons can be used to accelerate modernization 
efforts. This, combined with having the right personnel, 
processes, and budgets, significantly increases the probability 
that such projects will be successful.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Wynn appears in the Appendix on 
page 86.
---------------------------------------------------------------------------
    As the former Chief Information Officer at NASA, and the 
Acting CIO and Deputy CIO of the Environmental Protection 
Agency (EPA), I have had ample opportunity to understand the 
dynamics inherent in modernizing IT. These experiences gave me 
the best view of the biggest challenges a CIO faces when 
modernizing IT--an agency's culture, or sometimes referred to 
as ``the people challenge.''
    A CIO must have sustained support and funding for IT 
modernization from the agency heads, including her executive 
team. She must have the right people with the right skills, and 
she must build and maintain relationships across the agency and 
with the contractor community. Without this, complex IT 
projects will fail.
    When I was offered a position at NASA, I was over the moon 
with excitement at becoming a member of this iconic Federal 
agency. I was confident that I would find best-in-class IT 
management and cybersecurity practices. What I found was a work 
in progress--a need for more centralized or enterprise-wide IT 
services, systems in need of modernization, a poor 
cybersecurity posture, and a culture that viewed the NASA CIO 
with skepticism.
    Fortunately, NASA recognized this as well and had already 
completed a business services assessment (BSA). The BSA was 
undertaken to identify organizational and management 
improvement areas for NASA's mission support services, 
including IT. Based on the BSA recommendations, the CIO office 
developed and executed an implementation plan.
    Many valuable lessons were learned, and a big issue was 
identified, which was preventing NASA from gaining the full 
benefit of the BSA. Too much of NASA's IT budget and staff were 
not managed by the NASA CIO, making it difficult to modernize 
IT and control spending. Given this, NASA took the bold and 
politically charged step of having all the people and budget 
associated with a mission support function report to the head 
of that function.
    As I led the BSA implementation, the culture or people 
challenges were a constant. While NASA's top executives 
provided steadfast support, executives and staff below them were 
resistant and, at times, difficult. Nothing rattles a civil 
servant more than having portions of their budgets and staff 
reallocated.
    Congress has taken the steps to address IT management and 
cybersecurity risks through legislation, from the Clinger-Cohen 
Act to the Federal Information Security Modernization Act 
(FISMA) and on to the Federal Information Technology 
Acquisition Reform Act (FITARA). All were designed to advance 
IT in support of government services and provide improved 
information security. Support continued with the passage of the 
Modernizing Government Technology Act. This provided financial 
resources to agencies through the creation of a centralized 
modernization fund, called the Technology Modernization Fund 
(TMF).
    The oversight of Congress has also been a driving factor in 
making the intended improvements to IT modernization and 
cybersecurity. Legislative actions, combined with sustained 
oversight, have provided the foundation to improve IT 
management and cybersecurity.
    I will conclude today by emphasizing Congress should 
continue to hold oversight hearings and provide predictable 
funding and be prepared to act should gaps emerge in the 
Federal Government's ability to deliver more modern and 
effective public services. The CIO must have sustained support 
and budgets, plus a knowledgeable and skilled workforce, to 
meet the growing demands of IT modernization and cybersecurity. 
With this, the CIO can lead agencies forward to deliver IT 
modernization and improve cybersecurity so departments and 
agencies can deliver the mission for the American public.
    Thank you again for the opportunity to appear before the 
Subcommittee today, and I stand ready to answer your questions.
    Senator Hassan. Thank you very much, Ms. Wynn. Now let's 
turn to our last witness, Mr. Max Everett.
    Mr. Everett served as Chief Information Officer at the 
Department of Energy (DOE) following a career in IT security 
and risk management. During his time at Energy, Mr. Everett 
secured one of the first awards from the Technology 
Modernization Fund to migrate Energy's legacy email system to a 
cloud platform. He is now CEO of Adnovem Consulting Group, 
which works with public and private customers to provide 
services and promotes a lean and agile approach to IT 
modernization.
    Welcome, Mr. Everett. You are now recognized for your 
opening statement.

 TESTIMONY OF MAX EVERETT,\1\ FORMER CHIEF INFORMATION OFFICER 
         (2017-2020), AT THE U.S. DEPARTMENT OF ENERGY

    Mr. Everett. Thank you, Chairwoman Hassan, Ranking Member 
Paul, and Members of the Committee. I appreciate the 
opportunity to be here this morning and talk about this. I 
appreciate the advocacy that you all are providing, and the 
support to all the CIOs who are currently going through the 
challenges of this. I would like to talk for a few minutes, 
after 20 years in and around Federal IT, to talk a little 
candidly about some of the challenges we have seen.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Everett appears in the Appendix 
on page 91.
---------------------------------------------------------------------------
    The events of the last year have obviously shown the 
critical importance of our IT and the challenges of legacy, 
whether that was supporting people impacted by COVID or some of 
the recent cybersecurity incidents that we are still grappling 
with.
    I would begin here suggesting, as a few people have talked 
about, that it is important to talk about what constitutes 
legacy IT, and I think it is a broad definition. It is not 
merely the electronic systems. Fax machines are probably the 
most common legacy IT in the U.S. Government. There is so much 
that is on paper right now that I think is a huge problem, and 
it is preventing us from serving our customers, citizens.
    I think this is important because the way that we value our 
electronic systems and IT is primarily data. Data is what we 
use to measure. We understand how we are doing. We are 
providing value with data. When that data is locked into paper, 
in warehouses--and I have been to a few of those warehouses 
that we own as the Federal Government--that is data and value 
that is locked away from us to use.
    When I was CIO at the Department of Energy, we spent a good 
amount of time, and it started on the front end, moving to 
digitizing documents, and that was both to provide better 
service, but it was also to free up some of that value of data. 
That data could help us drive our management better, it could 
help us serve better, not only citizens but everyone doing the 
mission in the Department, and that is really what we are 
supposed to be there for.
    I want to really quickly talk, and people have already hit, 
I think, on these two subjects. Most of the time in IT we talk 
about people and we talk about process. Renee already, I think, 
mentioned very well some of the people problems that we have in 
government. I can tell you that our human capital system needs 
dramatic improvement. We simply cannot compete. We cannot even 
get access to some of the people that we need to recruit in 
government if we are going to move to the cloud. If we are 
going to move to managed services, those are new skill sets. 
There is a place for retraining our employees, but right now we 
are not doing that very well either. I think it is important to 
continue to look at that issue of human capital.
    I can tell you, as a CIO, I had a number of authorities on 
paper to be able to go and hire new people, to use more 
creative ways of hiring. It was rare that I was ever able to 
use those. I would walk into meetings with people, having 
printed out documents from the OPM website stating my 
authorities to be able to hire, and yet was unable to use them. 
That is a critical failure that has to change, and it is a 
communication issue, and it is an oversight issue.
    I do also want to very quickly mention, with gratitude, 
that I know Congress recently allocated more money for the U.S. 
Digital Service (USDS) and other groups. I think that is 
important. The U.S. Digital Service is an opportunity to bring 
in some very experienced people from digital backgrounds who 
want to serve the U.S. Government, and that is great. My 
encouragement for them is that they focus on sustainable, 
commercial solutions. Those are the things that will last. 
Those are the things that the current CIOs are actually going 
to be able to sustain with the workforce that we have. I think 
that is important.
    I also want to quickly mention contractors. We cannot 
discuss the people issue in government without talking about 
contractors. In most departments, the number of contractors in 
IT typically outnumbers the Feds by 3 or 4 to 1, or more, and 
we need to understand that if we are going to deal with that 
problem.
    I very quickly, then, want to jump into a couple of things 
I know we will talk about further. We already mentioned TMF. I 
am a strong proponent of TMF. TMF is not about the money, 
although we certainly appreciate the billion dollars that have 
gone to TMF that will radically change that program. It is 
about the process of actually getting those grants, what you 
have to go through. It changes the way that we should be 
managing IT in government. I think TMF is important.
    I cannot let the opportunity pass without mentioning, I 
know that there have been some conversations about waiving the 
repayment. I would encourage that to be given some thought. I 
am supportive of it, as long as the process is followed. The 
TMF process is as important as the money, because it means we 
are counting our costs, we are looking for savings, and we are 
managing things in the way we would expect anybody to manage 
our own money. I think that is critically important in all 
those conversations, and to make sure that the TMF money that 
has gone over goes to the TMF process, that it goes through the 
committee and the board that is there, and goes through proper 
oversight. I think that is critical.
    With that I will conclude my remarks and look forward to 
your questions.
    Senator Hassan. Thank you to all of you for your excellent 
testimony. We are now going to go to rounds of questions from 
Members of the Subcommittee. I will start. Each round will be 7 
minutes, and do try to be mindful of Senators trying to move to 
other witnesses as you give your answers, please.
    Why don't I start with a question to Mr. Walsh. I would 
like to start by identifying the costs and consequences of 
relying on legacy IT. We have established what we mean by 
legacy IT, namely systems no longer supported by industry 
vendors or custom systems that are difficult to manage and 
adapt over time. However, what is more difficult to define are 
the costs, both quantitative and qualitative, that continued 
reliance on legacy IT produces.
    Mr. Walsh, how does GAO determine costs associated with 
legacy systems, and how can agencies improve their 
identification and reporting of these costs?
    Mr. Walsh. Identifying costs associated with legacy systems 
is more difficult than one might think. As Mr. Everett noted, 
the fax machines do not show up on a spreadsheet. They are hard 
to figure out. You can look at our inventory of IT systems, but 
we finished getting a complete inventory of our software 
licenses for each of the major CFO Act agencies this past year. 
We still need to work on getting better inventories of what IT 
we have out there before we can fully capture the cost.
    There is a nascent effort underway called technology 
business management (TBM), which would closely tie accounting 
systems to our IT oversight and management systems, which would 
help allow us to better track where the money is going. But to 
answer your question, there is no good way right now to 
identify all of the legacy IT in government.
    Senator Hassan. I want to follow up with that, because as I 
mentioned in my opening statement, roughly one-third of total 
Federal spending on IT went toward legacy systems in 2020, but 
many experts believe that that number does not capture the 
whole picture.
    Mr. Walsh, what are we leaving out of our calculations on 
legacy IT costs? How can we better factor in qualitative or 
performance costs associated with legacy IT systems?
    Mr. Walsh. One of the biggest issues with the dollar amount 
is the $90 billion that this is all predicated upon is 
dramatically understated. That $90 billion does not include 
weapons systems, satellites, or supercomputers. There is a lot 
of IT in the government that one might think, ``Hey, that is 
certainly IT,'' that actually is not included in that number.
    Getting all of that IT accounted for is the first big step. 
Once it is accounted for, having that accounting system tie 
into our technology management would help us get better to see 
if the money is going for specific hardware or software usages. 
But this is not a silver bullet, easy fix. This is going to 
take time.
    Senator Hassan. Thank you, and I will follow up with you on 
that probably in another round of questions.
    But let me move on to Ms. Coleman right now. The American 
people pay the price of failing to modernize legacy IT systems. 
The U.S. Government ranks among the lowest industries in 
customer satisfaction.
    Over the past year, in particular, my office has received 
hundreds of messages from constituents struggling to access 
passports and visas, unemployment benefits, economic stimulus 
payments, benefits information from the Department of Veterans 
Affairs (VA), and information on filing taxes. We have also 
heard from Federal employees like those at the National 
Passport Center in Portsmouth, New Hampshire, who want to 
respond to the needs of the American people but simply cannot 
do it because of their limited IT capabilities.
    Much of this is due to the antiquated paper-based systems 
that cannot support 21st century agency missions or respond to 
changing requirements during a pandemic. Ms. Coleman, how 
important is it for agencies to recognize that failing to 
modernize means failing to serve the American people?
    Ms. Coleman. Thank you, Chair Hassan. I think it is a vital 
issue, because, as you point out, we interact with the 
government on really critical services that we count on, and if 
those services are not delivered effectively there is a cost. 
There is a cost in terms of employee productivity and in terms 
of our time as citizens and as the public. There is also a 
public trust at stake. There is a confidence in the ability of 
government to deliver what we are anticipating as taxpayers and 
as citizens. I think that public trust is one of the key costs.
    I think that it starts from the way government has been 
designed and operated. Our systems reflect the way the 
government is set up, sort of from the inside out, with the 
programs designed around different siloed functions. As we 
interact with government we do not think that way, but we are 
forced to navigate the complexity of that bureaucracy. I think 
one criterion to change this is to start to think from the 
outside in, from the point of view of the customer or the 
resident that is navigating that process.
    There are very encouraging success stories. For example, 
U.S. Department of Agriculture (USDA) has created farmers.gov, 
which is a portal for all services delivered by the U.S. 
Department of Agriculture, so you do not have to navigate 
separate programs for crop loans or disaster insurance or 
conservation research. All of these things have been integrated 
and delivered in a holistic way, and it offers an example for 
others to be mindful of.
    Senator Hassan. Thank you.
    Let me follow up. Mr. Walsh, can you describe agency 
efforts to prioritize customer experience through IT 
modernization? Ms. Coleman mentioned one at the Department of 
Agriculture, but I think the Department of Education also comes 
to mind as a leader that has used IT modernization to improve 
customer service and mission readiness.
    Mr. Walsh. That is correct. The Department of Education has 
actually modernized all of its data centers. It is now almost 
entirely in the cloud, and to its credit it is moving to get 
away from legacy. That is not to say that their modernization 
journey is done, but they are a leader in that area.
    Senator Hassan. Thank you. I am going to get through one 
more question. Some have argued, Mr. Walsh, that maintaining 
legacy systems, especially custom-built systems that rely on 
antiquated coding languages and lack connectivity to other 
agency systems are insulated from cyber threats and do not need 
to be modernized because they pose little risk.
    Mr. Walsh, do you agree with this argument, and if not, 
what would be a better risk management strategy than simply 
maintaining legacy IT systems in perpetuity?
    Mr. Walsh. Legacy systems represent a security risk. They 
are not good at meeting our mission needs. They cost more to 
maintain because a lot of times the people who can maintain 
them are retired or, in some cases, deceased. They increase our 
cost every year. I do not think that security through obscurity 
or hoping that the bad guys do not know the system code, is a 
good approach.
    Senator Hassan. Thank you. Ms. Wynn and Mr. Everett, the 
agencies you have worked for both handle extremely sensitive 
information that may be stored on legacy systems. How did you 
balance the need for modernizing legacy IT systems with 
mitigating risks inherent to storing sensitive information? Why 
don't we start with you, Mr. Everett, and then quickly on to 
Ms. Coleman?
    Mr. Everett. I will quickly say that was an enormous 
challenge for us, as Kevin already said. One of the issues you 
have with legacy systems is you cannot put modern protections 
on them--multifactor authentications, encryption. The secret of 
those systems is to even work today they often have to have a 
number of these little enabling things we call system accounts 
or administrative accounts. When you are an administrative 
account you know that is exactly what a bad guy wants to use, 
because once they have it they can use it to access and do 
other things in your system.
    That is one of the dirty secrets of those older legacy 
things. They are not protected more because people do not know 
them, they are, in fact, enabled by a bunch of other things, 
and pretty soon it is a Rube Goldberg apparatus.
    Security is also about resilience. One of the reasons your 
constituents cannot get on those is because they fail all the 
time. Why? Because they are old and they fall apart and nobody 
knows how to fix them. That, in and of itself, is a security 
risk, because everything else in the system has to adapt around 
that, which causes you to make all sorts of other security 
compromises to keep it going.
    Senator Hassan. Thank you. Ms. Coleman, very quickly on 
that issue, and then we are going to move to other Senators.
    Ms. Coleman. Thank you. The point is well taken, and one of 
the key issues with securing data, many times it is good cyber 
hygiene. Estimates are that well over 50 percent of all 
incidents are due to basic good cyber hygiene. With modern 
platforms you are really taking advantage of best-in-class 
security and a partner who can assist you with that. But 
really, ultimately, the government needs to start with basics 
and maintain good protocols.
    Senator Hassan. Thank you very much. I thank you all for 
your answers. Now we are going to turn to other Senators, and 
first up is Senator Rosen, who has been very patient and is 
very knowledgeable on this issue. Senator Rosen, you are 
recognized for 7 minutes.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Chair Hassan, for organizing this 
important meeting. Chair Hassan, you have done so much work on 
the issue of Federal IT management. It is critically important 
to serving our taxpayers, to saving us money, to delivering 
services, as well as boosting the morale and effectiveness of 
our Federal agency workers. I really appreciate everything that 
you have done.
    Of course, a common theme that has emerged from all four of 
our witnesses is the importance of the Federal workforce in 
implementing IT modernization at our Federal agencies. I have 
to admit that I actually wrote COBOL legacy IT systems in the 
1980s and the 1990s, and so I intimately know exactly what you 
are talking about. It makes me feel a little old, but we do 
need to move forward on this.
    I have been working with my colleagues on this Committee 
and across the Senate to address the nation's shortage of these 
kinds of technical workers and cybersecurity workers, and 
Federal public service positions. They really should be 
attractive to those folks who want to work in tech.
    I joined Chairman Peters and Senator Hoeven in 
reintroducing the Federal Rotational Cyber Workforce Program 
Act. It is going to provide opportunities for our civilian 
cybersecurity employees to rotate amongst various Federal 
agencies. It expands their experience, expands their 
professional networks, and expands their opportunities to serve 
the country.
    Last week I introduced a bipartisan bill with Senator 
Blackburn to allow DHS and DOD to establish a Civilian 
Cybersecurity Reserve Pilot Program. It would call on former 
military and civilian cybersecurity employees and others for 
temporary assignments in the government. I think this can serve 
as a model for other agencies.
    Mr. Walsh, in the course of GAO's reporting on your IT 
modernization efforts, have you identified agencies that have 
done particularly well in recruiting and retaining these types 
of employees? How do we export those best practices? If you 
have not, does OMB and OPM play a role, and how do you see that 
role?
    Mr. Walsh. We have not done specific work--I should say I 
am not aware of specific work in that regard on hiring cyber 
employees. Now I do know that, as Mr. Everett mentioned 
earlier, the U.S. Digital Service as well as 18F serve as ways 
to get private sector talent into the government. I do not know 
if they are as quick as your proposed legislation is 
considering. But having that venue for external talent to come 
into the government and share ideas and propagate those ideas 
is very important.
    CIOs also do have additional authorities that they can use 
to hire and bring in folks from the outside, but Mr. Everett 
earlier identified issues with executing some of those 
authorities. GAO has not done specific work in that regard, but 
I am eager to work with your staff on that.
    Senator Rosen. Thank you. I appreciate it.
    Ms. Wynn, in your testimony, you mentioned there needs to 
be civil servants who are working on every Federal IT project 
and that those workers need to be reskilled. You said that 
early efforts to reskill existing Federal employees have been 
successful. Can you elaborate on what type of reskilling was 
the most successful, and what areas we need to still reskill 
in, so we might direct our efforts in creating workforce and 
training in that workforce pipeline?
    Ms. Wynn. Thank you for that one. The Office of Management 
and Budget, through the Federal CIO Council, through their 
Workforce Subcommittee, established a reskilling institution or 
program. A lot of Federal civil servants applied to this 
program. They took an aptitude test for cybersecurity, and from 
there the top folks were taken, and yet they still had to cut 
the number of participation to a low number, because it was our 
first-ever endeavor. Those folks went through some training 
programs and proved themselves to be very capable cybersecurity 
professionals, and then went on to seek future employment, 
still within the Federal Government, but in this case a job 
change.
    The bottom line is Federal Government workforce is 
talented. When we show them the way and give them the time and 
the support to get reskilled, we can take their talent and use 
them in other places, especially in cybersecurity.
    Senator Rosen. Thank you. I look forward to working on 
that.
    I would like to move on now, and again, Ms. Wynn, I want to 
talk to you about IT modernization and support to national 
security. Given your background at the Department of Energy, 
which houses the Nevada National Security Site, located not too 
far from Las Vegas, it is facilities that are critical to our 
security. Can you comment on why modernizing the Federal 
Government's IT and cybersecurity infrastructure is critical to 
our national security and safety? Particularly as it relates 
maybe even to our nuclear stockpile, how do we move forward, 
create more nimble, secure platforms and firewalls to protect 
our national interests?
    Mr. Everett. I think----
    Ms. Wynn. Senator Rosen, why don't I get started and then 
Max Everett might be able to----
    Senator Rosen. Perfect. I am going to him after you.
    Ms. Wynn. That is great. I will get it started because 
critical infrastructure, right now the space, and flying in 
space in satellites are being thought about as critical 
infrastructure because we rely on them for logistics. Moving 
anything around this globe requires satellites, navigation, if 
you expect it to get there and avoid significant weather 
events. That type of security is very challenging.
    You need the cooperation of a number of parties, including 
all those that operate the infrastructure. You have the 
electric grid, you have the water infrastructure, and in this 
instance I mentioned space, and those folks have to get 
together and first and foremost recognize that there are real 
threats in space, space needs to be acknowledged as an element 
of the business practice as well as part of critical 
infrastructure. In that case, work as a team to put into place 
and take steps toward securing it better.
    At NASA we were beginning to do that, by taking a look at 
our critical satellites and then trying to figure out the best 
way to secure them in this current environment. As noted 
previously, we cannot bring back our older satellites and give 
them a new operating system, but we can do things here on terra 
firma, as I call it, to secure them better, and then we have to 
apply good neighbor policies, because we fly in the same place 
as other countries, as well as the Department of Defense, and 
private sector. Again, working together to protect our critical 
infrastructure is what is needed to get the job done.
    Senator Rosen. Thank you. Mr. Everett, I know my time is 
up, but if you could be kind of quick about it, that would be 
fantastic.
    Senator Hassan. I will add that a number of Members have 
conflicts and are not going to be able to come, so Senator, if 
you want to take a couple of more minutes and the witness too, 
that is fine.
    Senator Rosen. OK. Mr. Everett, then please. Please 
elaborate.
    Mr. Everett. I will. Thank you. You are right. The 
Department of Energy, one of the great challenges at the 
Department is the breadth of its mission. Certainly some of us 
know that they have a nuclear mission for protecting, building, 
and designing the nuclear stockpile. But that mission stretches 
all the way down to fundamental science that is conducted with 
scientists around the planet. We have what are called user 
facilities that are used by the top scientists around the world 
to do collaborative scientific basic research that not only 
helps the United States, certainly, but really helps the entire 
planet. One could argue it is almost a diplomatic role that we 
play in science because of that. With those very divergent 
missions it adds an extra layer of challenge for the Department 
of Energy.
    I would say there are three sort of focus areas that we try 
to work on, that we think are the most important for that. One 
of them is simple visibility. Visibility is about being able to 
see and understand, as we talked about, what do you have? What 
actual systems do you have? What legacy systems do you have? 
Who is on your network? That is a critical element, and it is 
one we have not done very well as the Federal Government.
    I think some of you are already aware, and it has been 
discussed over the last few months with the cyber incidents we 
have had, there have been some significant challenges with the 
EINSTEIN program that needs to really be very carefully re-
looked at. I would tell you in our own department that was a 
challenge of basic reporting and visibility of what was going 
on across our whole footprint.
    The second part of that is risk management, and this was 
where we put a lot of our focus. When you have a large 
enterprise like NASA, Department of Energy, GSA, and you have 
divergent levels of risk, we will never have enough resources. 
When I was CIO, I was always glad to come and ask Congress for 
more money, but you only have a certain amount of resources to 
go around. Risk management is looking at what are your top 
risks, what are your most important things, and they get the 
first dollar, and you find that balance.
    That is what risk management is, and it takes real thought, 
and it takes effort, and you need to document and discuss and 
be able to defend your efforts. We spent a significant amount 
of time because it is critically important.
    The third element I would talk about, and it starts to go 
to what we are talking about here today with legacy and 
modernization, is moving to new models. Some of you may have 
heard the term ``zero trust networks.'' Fundamentally, you 
cannot use zero trust networks with legacy, because they 
require some new tools to be able to better manage what is on 
your network and make sure that those things can essentially 
tell other things on the system that they are allowed to be 
there and do what they are doing. That is very difficult to 
plug into a 20-year-old system. These newer models like that 
simply will not work in those legacy environments. They have to 
be updated to do it.
    Another area I would mention here is FedRAMP. FedRAMP has 
been around. It was started for a good purpose. I still think 
it can serve a valuable purpose. But I would tell you FedRAMP 
is far too slow. I do not know of any vendor that I talked to 
in my time at CIO or now who does not complain about the 
timeline for FedRAMP.
    What that means is probably FedRAMP needs some more 
resources, because what FedRAMP does is it does the baseline 
security work one time, so it is a shared service. It is doing 
that one time for everybody so that you can then start to bring 
more innovative solutions to market more quickly in the Federal 
Government.
    We are missing out on opportunities. I recently talked to a 
venture capital person. He told me, for some small and mid-
sized companies with unique new services, primarily software as 
a service, that it was taking them four to five people at $1 
million and a year to go through FedRAMP. For most of these 
startups who are coming up with new, innovative, new things to 
do, that is not sustainable, and we are going to miss out on 
those opportunities if we cannot improve that process.
    Senator Rosen. Thank you. I have a closing statement, but I 
am glad to ask other questions. But one thing I know for sure 
is that good code means speed. Good code means ease of use and 
data capture for the end user. Good code means the better the 
data capture for analytics for our future. It saves us time, it 
saves us money, it improves outcomes, and it helps us plan for 
the future.
    By modernizing these systems, by having safe, secure 
systems, by capturing more data in consistent ways, we are able 
to predict, plan, and protect ourselves, and we have to do 
that.
    Chair Hassan, I am glad to continue to talk about this. I 
am not sure if someone else is in the room, but you tell me.
    Senator Hassan. Thank you, Senator Rosen. I think right now 
it is just you and me, and I have another round of questions. 
But if you have a couple more why don't you go ahead and then I 
can finish up with my round.
    Senator Rosen. You know what? I am going to hand over to 
SASC, where I think I am finally up over there. I appreciate 
everyone being here. I appreciate what you do, and I sincerely 
hope that we can try to, I guess even one system at a time, 
continue to get off those legacy systems onto something that is 
newer, more nimble, and allows us better data capture so we can 
continue to take care of everything that we need to. Thank you.
    Senator Hassan. Thank you, Senator. Now I will turn to a 
second round of questions, and I appreciate the testimony you 
all have provided so far. I am going to start with this 
question for Ms. Wynn.
    I have advocated for a biennial budgeting cycle where 
Congress would determine and appropriate the budget in one year 
and then year two can be spent on doing effective oversight to 
inform future spending. The current one-year cycle often leads 
to hasty decisionmaking and neglects capital investments that 
take several years to implement, including IT modernization 
projects designed to move away from legacy IT systems.
    Ms. Wynn, how difficult is it to manage IT modernization 
around the one-year budgeting and appropriations cycle, and how 
did you work within this cycle to achieve your goals? What 
would you have done differently if there was a biennial 
budgeting process?
    Ms. Wynn. Thank you, Chair Hassan, for the question. One of 
the things that I have found, first, is sort of annual 
appropriation, first thing you need to know is every time you 
cross a fiscal year with a project, and most IT projects cross 
a fiscal year, you add more risk to your plan, and that is 
because from year to year you face the potential loss of 
funding or the loss of people.
    Now you have disrupted your project, and now you have most 
likely extended when you are going to get that project done. 
That extension, if it goes on too long, means you are 
potentially using software that will no longer be considered 
modern or available, or could reach end of life by the time you 
use or get that system back in operation after it has been 
modernized.
    What I would do is, and probably what most CIOs would do, 
is I would take my total budget and I would create a reserve, 
and that way the reserve would be used to make sure that the 
most critical, the highest-risk projects would get funding, 
going into the secondary years of their project. That way I 
knew that they could be able to continue. If I did not do that, 
I would run the risk of work stoppage, and then I could lose 
the talent of my staff, of staff from other mission areas or 
mission support, or I could even lose contractor staff, and 
that would, again, start to slow down and add more risk to your 
project.
    If I had a second year added to it by a biennial, I would 
be able to take the projects and draw a timeline of people and 
dollars, and make sure that they were spent according to it, 
and hold people accountable to a two-year increment. This would 
reduce the risk in a complex IT project, because you did not 
have to worry about funding every few months, because by the 
time you get appropriations finished and you get the new 
authority money, several months in the fiscal year have gone 
by, you could actually plan about 18 months and be assured of 
those resources, therefore reducing the risk of managing a 
complex IT project and you could deliver that project a lot 
faster because you would take out that funding issue, or 
convert the funding issue to an 18-month issue instead of a 9-
month issue. That would be hugely beneficial and a great gift 
to CIOs and program and project managers around the country.
    Senator Hassan. Thank you. Ms. Coleman, at GSA you worked 
to develop FedRAMP and streamline agency IT acquisitions in 
coordination with industry partners. You now work for one of 
those industry partners that is trying to help the Federal 
Government modernize its systems. What is the impact that the 
one-year budgeting and appropriations cycle has on industry and 
its ability to support IT modernization efforts?
    Ms. Coleman. Thank you, Chair. I agree with everything that 
Renee said about the ability to plan over long-time horizons. 
It is almost even not a nine-month planning horizon with the 
annual cycle we have now, because of the frequency of 
continuing resolutions (CR), which create even greater 
uncertainty about available funding and disruption of 
resources. That alone is a complication.
    One thing I would like to suggest as a companion idea to a 
two-year planning and budgeting cycle, which I think is a much 
needed and helpful measure, is greater use of agile DevOps 
tactics to break modernization projects into short sprints that 
deliver short and relatively quick intermediate results, so 
that there can be fine-tuning and transparency and oversight 
throughout the process. Any project that is intended to deliver 
results in 2 or 3 years is going to be out of date by the time 
results are delivered. We need to be thinking about very short, 
rapid cycles to deliver results, and the accompanying oversight 
and funding to go with it.
    Working capital funds of previous legislation have been 
very helpful. We used that with great success at GSA. We also 
implemented a zero-based budget so we could see where our 
incumbent costs were and understand where we needed to place 
our dollars for modernization priorities.
    Senator Hassan. Thank you. That brings me to another set of 
questions, and I am going to start with Mr. Walsh, concerning 
agency modernization plans.
    Currently, agencies are not required to develop or publish 
IT modernization plans. While many agencies have developed 
plans, some of these plans fail to establish concrete 
timelines, cost estimates, and goals. GAO recognizes that 
having an IT modernization plan in place is essential to 
reducing reliance on legacy IT systems.
    What makes these plans such a valuable tool, and how can 
agencies better leverage them to meet their goals and manage 
their resources?
    Mr. Walsh. Having these plans is valuable, to get agencies 
thinking about it. In agencies that do not have a documented 
plan, we are not sure what kind of resources they are going to 
be able to throw, what kind of timeframes, even the scope of 
the project. Having some idea of what needs to be done is kind 
of the most fundamental step, and in our 2019 report, it was 
very disheartening to see that three of the agencies did not 
have a plan, an additional five had some aspects of a plan, and 
only two really had a firm idea of what needed to be done.
    It is critical because modernizing legacy systems is 
critical to the government's security and privacy and how well 
we serve our citizens. Getting our agencies to be thinking 
about modernization is the first step.
    Senator Hassan. Thank you for that. One other key element 
that modernization plans, when they do exist, often omit is how 
the agency plans to manage costs arising from maintaining a 
legacy system while they are also implementing a modern system.
    Let me turn to Mr. Everett now. In your time as the Chief 
Information Officer at the Department of Energy, how did you 
manage the competing investment needs between existing systems 
and new systems? How might agencies leverage modernization 
plans and existing resources to offset what is essentially the 
cost of the overlap?
    Mr. Everett. I would tell you much of my experience was, to 
be very frank, robbing Peter to pay Paul. In most cases, to do 
those modernizations, you are going to have to take money from 
somewhere. I think to Kevin's good point that you already 
brought up, without a modernization plan you cannot have the 
planning. I was, frankly, somewhat fortunate as a CIO. We had 
some monies that were multi-year monies, that gave some level 
of help to us in being able to plan, but I know many of my 
peers had only single-year money, which was a great challenge. 
I think your discussion of a biennial is certainly helpful.
    The other one I would bring up, certainly, is things like 
TMF, and within the MGT Act, the idea of Working Capital Funds. 
I know that there is long-held concern about Working Capital 
Funds turning into slush funds and things of that nature. I 
think that simply means they need to have the appropriate 
oversight. But they would allow that level of longer-term 
planning.
    Listen, anybody can put out a modernization plan, but if 
they do not have the money to back it up or the people to 
execute on it, it is not going to work anyway.
    I will also say I think what Ms. Coleman said is absolutely 
correct. Kevin could probably sit for hours and tell us stories 
of programs that have been run in the government for multiple 
years, these large projects, millions, if not billions, of 
dollars wasted, that did not ever come to a finish line, or 
even worse, came to a finish line, and were probably even 
reported as being on time and schedule, and yet provided no 
actual value to citizens, to anyone.
    Breaking things up, that agile method of breaking things up 
and doing it in those smaller chunks is appropriate. There are 
very few systems that we should be building in government 
anyway. We should mostly be using commercial. Where we do need 
to build those--and certainly Energy, NASA, and other places 
have those use cases--they should be done in an agile way where 
you can have some oversight, make sure they are delivering 
value on an iterative basis, so that you do not have to plunge 
hundreds of millions of capital expense into something, only to 
come to the end of the road and the money is all gone. I think 
that has happened far too often.
    It is always a challenge, again, for us. We had a little more 
flexibility, but even I had to have a lot of conversations. 
Renee made the right point--you often simply had to build a 
reserve, and that reserve was usually coming from other things 
you would have liked to have done that were customer service-
oriented or those kind of things. It is a real trap, and it 
builds what we call technical debt. It is not the monetary 
debt. It is all the things we cannot do that are a part of 
that.
    Senator Hassan. I thank you for that, and I am going to 
take advantage of a rare moment in the Senate, because we have 
a little bit more time and you are such an excellent panel. I 
have two or three more questions, so bear with me. But I think 
we are learning a lot here.
    I want to turn now to the issue of the authority of Chief 
information officers. I want to start with a question to you, 
Ms. Wynn. The Federal Information Technology Acquisition Reform 
Act expanded the responsibilities of agency Chief information 
officers and requires their input on IT acquisitions to realize 
cost savings and to manage IT inventories. However, despite the 
good intentions of this law, GAO has found that Chief 
information officers do not receive adequate deference on IT 
planning, budgeting, and management.
    Ms. Wynn, can you speak to your own experience as a Chief 
Information Officer, both at the Environmental Protection 
Agency and at NASA, and how you worked to get institutional 
buy-in from agency leaders to advance your IT modernization 
efforts?
    Ms. Wynn. Chair Hassan, I would begin by saying never let a 
crisis go to waste, when it came to exercising the authority 
and making culture changes and process changes within a Federal 
agency.
    My first example comes when I first arrived at NASA and 
noticed that, as Max earlier said, you need to know who and 
what is on your network, and NASA did not have that ability to 
look at the network associated, used across the globe, and it 
is relied upon for the NASA flying assets, satellites. At that 
point I could easily go to the leadership and say, ``How do you 
know you don't have problems? How do you know you have 
problems?''
    We began the process of rolling on the Continuous 
Diagnostic and Mitigation Program. With that transparency, with 
that visibility, we got to see what was on our network, and 
there was a lot of inappropriate software and activity on the 
network. Then I used that data to share with agency leadership, 
to say, ``I do not think it is OK for us to have this type of 
software on NASA's network.''
    From there I would build, with this visibility that we got, 
tell stories back to folks, and turn it around to say, ``This 
is not acceptable for a public agency,'' and use the pride that 
my colleagues had about working for NASA to really propel us 
forward. With each fiscal year we got better at working as a 
team by gaining that visibility.
    Then what we did is when I mentioned the business services 
assessment, and also the follow-on to the business services 
assessment, when NASA said functional areas such as the CIO 
needed to have control over the appropriate IT budgets. This 
was also true for procurement. My colleague in the procurement 
office recognized that IT needed to be procured better, and 
stood up an IT division while I was still there, and we worked 
very closely with her to set that up. The establishment of that 
IT division meant that all IT purchases for NASA would have to 
go through that division, and that I or my team had significant 
influence over that acquisition process.
    That took about 18 months to get set up. It got going in 
full swing after I left NASA. But by having a crisis, by having 
visibility, and by forming partnerships, NASA was able to 
continually iterate in order to give the greater authority over 
to the CIO, gave IT procurement greater visibility into what 
NASA was buying, and with that visibility and with that 
partnership, each year that I was there at NASA we were saving 
about $50 million a year on software purchases alone.
    Real differences can be made through partnership, and I 
will close with the same thing I started--with never let a good 
crisis go to waste. Just stand in someone's office, make a 
friend, and get going on fixing the crisis and changing the 
processes that might have created that crisis.
    Senator Hassan. Thank you for that answer. There is a lot 
for us to learn from that and from your experience and your 
good work.
    Chief information officers spend an average of 2 years or 
less in their position, so I am concerned that this short 
tenure provides very little time for CIOs to be effective or 
establish fiscally responsible practices.
    Ms. Coleman, you spent 12 years at the General Services 
Administration. Do you think that your ability to stay with the 
agency for that long contributed to your success as a CIO, and 
how so?
    Ms. Coleman. Absolutely. It allowed me to really understand 
the culture of the agency, and to the point Renee made, to 
build relationships and partnerships with senior leaders, 
because modernization is a team sport. It is important that 
CIOs have adequate authority. But it is also important that top 
leadership understand the role that they play in supporting 
transformation. To the point you made earlier about the need 
for modernization plans, it should start at the top and be a 
priority, even of the Secretary or the administrator of the 
agency, and at the political appointee level.
    By having a long tenure at GSA, and in the role of CIO, I 
was able to understand that, and be able to use the tailwinds 
provided at GSA. It is an agency that provides business 
services to other agencies, so they take pride in understanding 
technologies to be a good supplier and partner with other 
agencies. That gave us momentum with moving to the cloud, 
because we were able to tap into the culture of what the agency 
is good at, and the DNA to support it across all lines of 
authority. That alignment, not only with leadership but also 
with my peer, the CFOs, the head of HR, and so forth gave us 
the unity of leadership to make real progress.
    Senator Hassan. Thank you. I am going to now turn to Mr. 
Everett, because you had a slightly different experience at 
Energy, because you had a brief tenure at the Department of 
Energy, but you were also able to be extremely effective. What 
do you recommend that current and future CIOs do to be most 
effective from their very first day, and then forward, at an 
agency?
    Mr. Everett. I think there are some tremendous challenges 
on that, and part of this gets into the conversation of 
political versus career CIOs.
    Senator Hassan. Yes.
    Mr. Everett. There is a tradeoff. I absolutely agree, the 
longevity is critical, because they can understand the mission. 
The political ones typically are going to have more access to 
senior leadership, so there is a bit of a balancing act there.
    What I would tell you is part of the reason I was able to 
be effective is I had been in Federal Government before. I knew 
the ropes. I knew what I was getting into. I routinely tell 
people, as just sort of shorthand, if you are new to Federal 
Government, it is going to take you a year to know which way is 
up. If you are coming, no matter how smart you are, from the 
private sector, you are going to have to go through a whole 
year, just to know which way is up, all the differences that 
you have there.
    Because of the nature of the timing--again, going back to 
budgets--because of the timing of budget, you are going to go 2 
years before you are working with your own budget that you had 
any input into. When I walked in, in 2017, my initials were at 
a budget formulation that had already been submitted to OMB. By 
the time that goes clinking around through the entire process 
of OMB, back to the Hill, it is October, a year and a half 
later. That is really challenging.
    I have talked to people from both parties who have been 
very involved in trying to recruit innovative leaders to come 
in as CIOs, and you will find ones that are willing to give up 
the money. They will divest their stock. They will take a 
salary hit. They will move their family. They are willing to 
serve our country, and then they find out, it is going to be 2 
years before you can actually make an impact? That is a killer, 
because their whole reason of doing such a thing is to make an 
impact. If they are politically appointed, they know they have 
a shelf life, and that is a really hard sale. It has made it 
really challenging.
    We have great career folks, as well, that have done really 
good jobs as CIOs, without question, and so my emphasis is 
definitely there, of giving them more authorities. I would love 
to get some of those outside CIOs, regardless of political 
affiliation, because, thankfully, IT is the last nonpartisan 
issue in town.
    I would love to have those people. I would love to have 
those innovators. But we do have to have the structure so that 
they feel it is worth the sacrifice to come in and bring that 
experience and innovation that they have from the private 
sector. It is critical. In the meantime, we have plenty of 
great careers, CIOs and deputies, out there. Giving them the 
tools. FITARA is an important tool, but you have to know how to 
use it.
    I have been in probably the three most spread-out 
agencies--DOE, I spent time at Commerce, and at DHS. I would 
describe them, at best, as a feudal system, if not a mob 
family, and you have to be able to pick your fights. I have 
seen CIOs who have gotten run over because they did not use 
FITARA appropriately.
    Renee made a great point. Procurement was a great ally to 
me in the process. I would tell people, walking in, your 
procurement officer is going to be a great help. I will pick a 
fight and say, we need more support versus the CFOs. CFOs 
typically are Senate confirmed.
    Senator Hassan. Yes.
    Mr. Everett. Only one CIO, VA, is Senate confirmed. In the 
pecking order of this town, it is very difficult for CIOs going 
up against a Senate-confirmed CFO. You can make a great 
relationship with them, but at the end of the day, they are 
higher in that pecking order, and that is a challenge for many 
CIOs, because you are not sort of quite at the same level.
    Senator Hassan. Thank you. I am going to turn to one other 
topic before I ask you a wrap-up question, and it is something 
all of you have mentioned, but I want to focus in on it a 
little bit. I want to start with Mr. Everett.
    As part of the American Rescue Plan, the Technology 
Modernization Fund received $1 billion to loan to agencies in 
order to modernize IT systems. Although we do not see the 
impact of these funds for years to come, this is a really major 
step forward to reduce reliance on legacy IT, and I hope that 
the fund prioritizes agency plans to replace the legacy IT 
systems that we have discussed today.
    Mr. Everett, as a CIO who successfully leveraged the 
Technology Modernization Fund to move away from legacy IT 
systems, how should agencies utilize the fund to ensure that 
they not only have the resources and infrastructure to support 
IT modernization, but also ensure that the systems they propose 
actually reduce reliance on legacy IT while contributing to 
better security and customer service?
    Mr. Everett. The first thing they should do is have the 
courage to actually go apply for those. I think if you go look, 
I believe it is still only five agencies that have actually 
received TMF funds. I spent a lot of time browbeating people, 
and I know people, they were simply afraid of the oversight, 
afraid of the visibility. They were also afraid of the 
repayment, which is why I think that has to be looked at.
    But a lot of them--listen, from my team, the culture chain 
was important. I had members of my team, my career team, come 
back and tell me they enjoyed the process. They went through a 
process that is similar to anybody who has ever worked in 
private sector. You can go right now to the website, the TMF 
website, and go through the spreadsheets, and see the level of 
detail that you were asked about your current cost basis and 
your future cost basis. That is how everybody in the private 
sector runs their IT. That is exactly how we should. We should 
know all of our costs, across the board. We should be able to 
project them out over years. That is what any mature 
organization would do, and that is a huge value of the TMF, and 
you need your people to do that.
    Literally, I do not care if you do not turn it in. Everyone 
should go do one of those today. Everybody in government. I 
think part of it is being brave enough to step forward and go 
ahead and do it, know that there is going to be that challenge. 
There is oversight to it. The board checks in on you, so you do 
not get a giant check.
    Senator Hassan. Right.
    Mr. Everett. There is a process to it, and that is 
critically important. I would urge all of you--I have been in 
this town 20 years. When Congress gave $1 billion to a program 
that most people kind of do not understand, I know for a fact, 
in this town, there are people eyeballing that money, who want 
to cut the line and avoid the process. I would strongly urge 
you to make sure that your oversight does not allow that to 
happen. That process has to be followed. Now, it can go to all 
sorts of things, and so to your point, those legacy systems are 
probably, arguably, the easiest ones to show, in many cases, 
where you can get value and return on the investment, and they 
are great.
    But I will also mention--and this is where some of those 
waivers need to be looked at--there are so many customer-facing 
systems, it is very hard to document the cost savings there. 
The customer service, we can talk about all day long. You can 
see it with your eyes. But it may be harder to show the cost 
savings on that system, and that is where I think we do need to 
look at some ability to defer away costs, as long as the 
process is followed.
    I am such a proponent, as you can tell, of TMF, because 
that process leads us to how we should manage things. It should 
not simply be giving things out to a most favored program.
    Senator Hassan. Right.
    Mr. Everett. We have done that too often, and that is a 
disaster. Making people go through the process is just so 
critical, and I think any CIO coming in right now, it is a 
great test of your team. Ask them to go find you--I would 
challenge any new CIO----
    Senator Hassan. Yes.
    Mr. Everett [continuing]. Tell your team to find one 
program or system that needs to be modernized, and make them 
fill the form out and take a look at it, and you should be able 
to tell right there, do they know their costs, do they know 
their systems, do they understand how to project that budget? 
If they do not, get help.
    Listen, there are some great groups in town, some truly 
private sector associations, that will come in, free of charge, 
and come help you with your acquisition and your budget 
process, and they are not trying to sell you anything.
    Senator Hassan. Yes.
    Mr. Everett. As well, Kevin mentioned TBM. Another great 
process you can go through to understand, in a very modern way, 
how your costs should be managed. There is help out there for 
anybody who is looking for it in the Federal Government right 
now, if they are willing to reach out.
    Senator Hassan. Thank you. I am going to turn to Ms. 
Coleman, too, about Working Capital Funds. I will also note 
that one of the issues you raised is how we go about qualifying 
and quantifying customer service value, right? Because, 
obviously, for taxpayers, our goal should be to make the 
interface with the Federal Government as customer friendly as 
possible, since taxpayers are footing the bill here. Trying to 
figure out a way to really assess value there, I think is 
really important.
    Ms. Coleman, Working Capital Funds are another mechanism 
that agencies can use to support their IT modernization 
priorities, outside of the one-year budgeting and 
appropriations cycle. While some agencies have the authority to 
establish these funds under the Modernizing Government 
Technology Act, some agencies were not given the authority, 
which is a technical error that I hope to address in future 
legislation.
    Ms. Coleman, the General Services Administration 
effectively uses Working Capital Funds and fees generated from 
its governmentwide services to fund its mission. Can you 
describe how GSA uses savings produced from modernization 
projects to keep the Working Capital Fund going?
    Ms. Coleman. Yes. Thank you. One of the keys is to take a 
portfolio approach, and I completely agree with what Max said 
earlier about the Working Capital Funds. Modernization, in and 
of itself, will incur cost and complexity when viewed in 
isolation. One way to counterbalance that is to look across all 
systems and all investments, and to be able to do puts and 
takes in a portfolio-based approach. If you have a Working 
Capital Fund, you can know your money and you can time the 
modernization according to your risk management and according 
to your most critical systems first, or the ones that deliver 
the greatest impact.
    As it pertains to customer service, that is a qualitative 
measure, not so much a quantitative measure.
    Senator Hassan. Yes.
    Ms. Coleman. But the ability to stay up to date with 
platforms that are maintained by the vendor, rather than having 
to continually invest with agency resources for these big 
upgrades every 2 or 3 years, provides cost savings along the 
way as well.
    Senator Hassan. Thank you. Mr. Walsh, from GAO's 
perspective, what are the advantages or disadvantages of 
relying on the Technology Modernization Fund, or Working 
Capital Funds, to resource IT modernization rather than 
requesting funding through the annual budget requests?
    Mr. Walsh. As the other witnesses have noted, the TMF 
allows agencies to kind of shortcut the budget cycle. Now, it 
is still a loan. It is not a free gift to go out and spend 
willy nilly. You go through the application process. I will 
also note that the process, as described, going through TMF 
that Max talked about, is very similar to having the 
modernization plans that we described. You have to have some 
idea of the work to be done, the timelines, and a plan to turn 
off the old system.
    The disadvantage to the TMF is that it is linked to 
spending and cost savings. There are times where we need to 
modernize systems, and they will not save money.
    The OPM breach that we talked about earlier----
    Senator Hassan. Yes.
    Mr. Walsh [continuing]. The government had the choice to 
modernize those networks and systems to allow the data to be 
encrypted when it was at rest. It was a tradeoff. I am sure if 
OPM wanted to go back in time and had that decision to make, 
they would absolutely spend the money to modernize that. But 
they would not save any money by doing that modernization.
    Modernization is not about cost savings. It is about better 
services to our citizens, privacy, security. Cost savings can 
be a part of it, but there is a lot more to this decision than 
just the money.
    Senator Hassan. Thank you. That concludes the rounds of 
questions I had. I am going to ask you all one wrap-up 
question, and just double-check with staff--we are good on 
other Senators, right? OK.
    First of all, all four of you have been so generous, not 
only with your time this morning and your preparation for this 
hearing but with your expertise and your clear engagement with 
this issue and desire to help the Federal Government do its 
work much better in modernizing the IT sector at a time when we 
so desperately need to do that, for all the reasons, among 
others, that the pandemic has really laid clear. Thank you for 
your service, for your expertise, and for your testimony today.
    As we wrap up, I will ask each of you this, and I will 
start with Ms. Wynn. Could each of you describe what, in your 
opinion, is the greatest challenge presented by the sustained 
use of legacy IT systems? If you already feel like you have 
talked about it, just go ahead and say that. But I really do 
not want to let this opportunity go without giving you all a 
chance to focus on that.
    Ms. Wynn, we will start with you.
    Ms. Wynn. Great. Thank you, and thank you again for the 
honor to testify today. It is a great pleasure of mine to 
continue to give to the United States Federal Government after 
30 years of service.
    I would say the greatest challenge presented to us today 
are agency and department cultures. They must recognize that IT 
modernization is part of the path forward for the United States 
government to quickly and securely deliver new or better 
quality services to the American public. This needs to be done 
with a positive customer experience, and finally, it must be 
delivered in a way that improves national security and does not 
poke a hole through it.
    Again, it was an honor to be here and to be with my former 
colleagues as well. Thank you.
    Senator Hassan. Thank you, Ms. Wynn. Mr. Everett.
    Mr. Everett. I would say I hope that we have covered it 
well for you. I would summarize by simply saying missed 
opportunities. To me, this challenge is we are missing 
opportunities across the board, opportunities to secure our 
systems, opportunities to entice people with new and innovative 
skills into government, and opportunities to serve the citizens 
of the country. All of those, they are these missed 
opportunities, over and over again, that we were stuck in these 
systems.
    Again, that word I used, technical debt, but that is what 
it means. It is not the money. As Renee said, it is the 
culture. It is so many of these things that we are missing out 
on, these missed opportunities, that we could get simply by 
doing some basic modernization of systems. The flow-down effect 
would be really, I think, dramatic in so many different areas.
    That is the part that disappoints me, but right now it also 
excites me, because we have gotten new resources, we have the 
attention of Congress and other folks. We have some really 
good, new opportunities right now, and everyone has seen the 
value that IT can bring to life and to meeting challenges. Just 
after this last year of dealing with COVID, there are so many 
things we are able to do because of technology. I think there 
is a unique time of recognition of that. I would love to see 
that progress, not pause but accelerate in 2021.
    Senator Hassan. Thank you. Ms. Coleman.
    Ms. Coleman. Chair Hassan, I think it is a mark of how 
aligned we all are that when you asked this question I wrote 
down ``culture change'' and ``missed opportunities,'' just like 
Renee and Max. I think that, just to double down on that 
statement, modern technology allows us to do things not just 
better but things we could not do before, and I think that is 
the missed opportunity if we do not modernize.
    I will give you one very quick example. The pandemic has 
illustrated so many areas where government is so critical to 
the well-being of the public. In New Mexico, unemployment 
claims spiked by 600 percent when people were thrust out of 
work, and call center workers were sent home, and they were not 
able to process claims in a timely way.
    We had the opportunity to help them with a virtual contact 
center, which allowed their workers to work from home, but also 
with chatbots. It let them answer questions in an automated 
fashion, and take some of that burden off of the call center 
agents to focus on the higher-value need, and get economic 
relief into the community quickly.
    There are things that can be done that we are not taking 
advantage of, at every level of government, and I think that 
the time is now to rethink that. Thank you.
    Senator Hassan. Thank you. Mr. Walsh.
    Mr. Walsh. It is hard to imagine a government function that 
is not somehow tied to IT. As we go along, IT has become more 
and more complex. If you look back, again to the Voyager 
probes, those were written with 3,000 lines of COBOL code. We 
have come a long way since then. Modern technology requires 
millions, if not billions, of lines of code.
    The problem is the longer we wait to modernize, the longer 
we procrastinate, the more it is going to cost, both in terms 
of money, in terms of breaches, in terms of security, in terms 
of lost--to quote my peers--lost opportunities, ways that we 
could have better served our citizens.
    It is an issue of procrastination. We need to act. We need 
to act now.
    Senator Hassan. Thank you. Thank you to all four of you, 
for your time and your testimony this morning. To Kevin Walsh, 
Casey Coleman, Renee Wynn, and Max Everett, your testimony 
provided really valuable insights on this topic, and your 
contributions to improving Federal IT systems in a fiscally 
responsible way are really appreciated.
    As I mentioned in my opening statement, this hearing is the 
first on the costs and challenges presented by reliance on 
legacy IT systems, and I look forward to continuing this 
important oversight work, to save taxpayer dollars, to deliver 
government services more efficiently, and to keep government IT 
systems secure.
    The hearing record will remain open for 15 days, until 5 
p.m. on May 12th, for submissions of statements and questions 
for the record.
    This hearing is now adjourned.
    [Whereupon, at 11:27 a.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------   
                              
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]