[Senate Hearing 118-152]
[From the U.S. Government Publishing Office]

                                                        S. Hrg. 118-152

             SECURING THE NATION: MODERNIZING DHS'S 
              MISSION - CRITICAL LEGACY IT SYSTEMS

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                EMERGING THREATS AND SPENDING OVERSIGHT

                                 of the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED EIGHTEENTH CONGRESS


                             FIRST SESSION

                               __________

                              MAY 31, 2023

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs




                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
52-438 PDF               WASHINGTON : 2023

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
ALEX PADILLA, California             RICK SCOTT, Florida
JON OSSOFF, Georgia                  JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut      ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
           William E. Henderson III, Minority Staff Director
                     Laura W. Kilbride, Chief Clerk
                   Ashley A. Gonzalez, Hearing Clerk


        SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT

                 MAGGIE HASSAN, New Hampshire, Chairman
KYRSTEN SINEMA, Arizona              MITT ROMNEY, Utah
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
JON OSSOFF, Georgia                  RICK SCOTT, Florida

                    Jason M. Yanussi, Staff Director
                   Allison M. Tinsey, Senior Counsel
           Scott Maclean Richardson, Minority Staff Director
        Margaret E. Frankel, Minority Professional Staff Member
                      Kate Kielceski, Chief Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
    Senator Hassan
    Senator Romney
    Senator Lankford
    Senator Rosen
Prepared statements:
    Senator Hassan
    Senator Romney

                               WITNESSES
                        Wednesday, May 31, 2023

Eric Hysen, Chief Information Officer, U.S. Department of 
  Homeland Security
Charles R. Armstrong, Chief Information Officer, Federal 
  Emergency Management Agency, U.S. Department of Homeland 
  Security
Yemi Oshinnaiye, Chief Information Officer, Transportation 
  Security Administration, U.S. Department of Homeland Security
Kevin Walsh, Director, Information Technology and Cybersecurity, 
  U.S. Government Accountability Office

                     Alphabetical List of Witnesses

Armstrong, Charles R.:
    Testimony
    Joint prepared statement
Hysen, Eric:
    Testimony
    Joint prepared statement
Oshinnaiye, Yemi:
    Testimony
    Joint prepared statement
Walsh, Kevin:
    Testimony
    Prepared statement

                                APPENDIX

Responses to post-hearing questions for the Record:
    Mr. Hysen
    Mr. Armstrong

 
   SECURING THE NATION: MODERNIZING DHS'S MISSION-CRITICAL LEGACY IT 
                                SYSTEMS

                              ----------                              


                        WEDNESDAY, MAY 31, 2023

                                     U.S. Senate,  
                       Subcommittee on Emerging Threats and
                                        Spending Oversight,
                    of the Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:15 a.m., in 
room SD-562, Dirksen Senate Office Building, Hon. Maggie 
Hassan, Chairwoman of the Subcommittee, presiding.
    Present: Senators Hassan [presiding], Sinema, Rosen, 
Ossoff, Romney, Lankford, and Scott.

             OPENING STATEMENT OF SENATOR HASSAN\1\

    Senator Hassan. This hearing will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Hassan appears in the 
Appendix on page 25.
---------------------------------------------------------------------------
    Good morning and welcome to our distinguished panel of 
witnesses. Thank you for appearing today to discuss the 
Department of Homeland Security's (DHS's) reliance on aging 
information technology (IT) systems as it works to secure the 
Nation, and why it is crucial that the Department and its 
component agencies modernize their mission-critical systems.
    I also want to thank Ranking Member Romney and his staff 
for working with us on this hearing and for our continued 
partnership to address emerging threats and reduce wasteful 
government spending.
    Today's hearing continues our Subcommittee's work to 
replace aging government technology that wastes taxpayer 
dollars, undermines our security, and limits government's 
efficiency and responsiveness. As our Subcommittee continues to 
encourage agencies to adopt modern systems that are more 
efficient, more cost effective, and frequently more capable, we 
will hear today from senior DHS officials about how their 
outdated technology negatively impacts the Department's budget and our 
nation's safety.
    For example, if an aging system that DHS uses to vet 
passengers or visitors traveling into or through the United 
States goes offline there is a chance that a dangerous person 
could enter our country. In such cases, workarounds can help 
limit national security risks, but they can also cause 
commercial delays or miss real-time intelligence.
    The Government Accountability Office (GAO) and the DHS 
inspector general (IG) have assessed DHS's IT modernization 
efforts and in doing so have raised concerns about its reliance 
on outdated IT systems that perform mission-critical 
operations. They have looked at DHS IT systems that ensure the 
security of air travel, support disaster mitigation and 
preparedness activities, and enhance border security, and they 
have asserted that the failure of any of these systems would 
have a significant impact on public safety and national 
security. That is why it is crucial that DHS modernize these 
systems.
    Today's hearing is an opportunity to examine how legacy 
information technology is a threat to national security and how 
DHS can responsibly update its systems. I look forward to 
hearing from all of our witnesses about the risks posed by 
legacy IT systems at DHS and how DHS can successfully modernize 
these systems to keep the American people safe, secure, and 
free.
    I will now recognize Ranking Member Romney for his opening 
remarks.

             OPENING STATEMENT OF SENATOR ROMNEY\1\

    Senator Romney. Thank you, Madam Chair. I appreciate the 
opportunity to hear from the witnesses today. In the interest 
of time I am going to ask for my comments to be included in the 
record.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Romney appears in the 
Appendix on page 26.
---------------------------------------------------------------------------
    I would note that the vulnerability of our systems has 
obviously changed in dramatic ways with the advent of 
artificial intelligence (AI). There are probably two sides of 
that issue, which is, one, we are more vulnerable, but two, the 
capacity to update systems through the use of AI to do some 
software development is probably enhanced. How this will change 
our perspective I think is one of the topics we should discuss 
today.
    But I think we all recognize that intrusion into government 
systems is a risk. It has been carried out a number of times by 
the Chinese or by their cohorts and by Russians, and we need to 
take special care to protect the information provided by the 
American people.
    With that I will turn to the questions that we have and the 
testimony of our witnesses.
    Senator Hassan. Thank you very much, Senator Romney.
    It is the practice of the Homeland Security and 
Governmental Affairs Committee (HSGAC) to swear in witnesses. 
If you will all please stand and raise your right hands.
    Do you swear that the testimony you give before this 
Subcommittee will be the truth, the whole truth, and nothing 
but the truth, so help you, God?
    Mr. Hysen. I do.
    Mr. Armstrong. I do.
    Mr. Oshinnaiye. I do.
    Mr. Walsh. I do.
    Senator Hassan. Thank you. Please be seated.
    Our first witness today is Eric Hysen. Mr. Hysen serves as 
the Chief Information Officer (CIO) for the Department of 
Homeland Security. He is responsible for strategically aligning 
the Department's technology resources to support DHS's missions 
and activities. He was a founding member of the U.S. Digital 
Service (USDS) at the Office of Management and Budget (OMB) and 
worked as a software engineer for Google before joining the 
Federal Government.
    Welcome, Mr. Hysen. You are recognized for your opening 
statement.

  TESTIMONY OF ERIC HYSEN,\1\ CHIEF INFORMATION OFFICER, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Hysen. Chair Hassan, Ranking Member Romney, and 
distinguished Members of the Subcommittee, thank you for the 
opportunity to testify today.
---------------------------------------------------------------------------
    \1\ The joint prepared statement of Mr. Hysen appears in the 
Appendix on page 27.
---------------------------------------------------------------------------
    The Department of Homeland Security interacts with the 
American people on a daily basis more than any other Federal 
agency, from travelers moving through our air, land, and sea 
ports, to businesses importing goods into our country, to 
disaster survivors applying for assistance in their hour of 
need.
    An increasing portion of these interactions occur through 
our information technology systems. Modernizing our legacy IT 
systems is essential to improving the experience of those that 
rely on our department for critical services and of 
strengthening our ability to carry out our vital homeland 
security missions. Modernization further offers opportunities 
to strengthen our cybersecurity posture and reduce spending.
    I have worked to improve service delivery at all levels of 
government throughout my career. As you noted, Chair, I worked 
in Silicon Valley as an engineer and product manager to launch 
tools in over 30 countries to help people vote and engage with 
their representatives. I worked in philanthropy and State 
government to improve social service delivery at the State and 
local level. I left the private sector to cofound the United 
States Digital Service, where I worked to improve key services 
across DHS, and I bring those perspectives to my current role 
as the Department's Chief Information Officer.
    Historically, agencies across the Federal Government, 
including DHS, took a ``big bang'' approach to IT 
modernization. At its most basic level, we attempted to acquire 
and deploy IT systems in the same way that we acquire and 
deploy ships. Government staff spent years gathering 
requirements, awarding a large contract to a single system 
integrator to build to those exact requirements, extensively 
test against them, and then launch. In theory, everything would 
go well, the new system would replace the old one, and then go 
into ongoing maintenance for several years until it was time to 
start the entire process over and modernize again.
    In practice, however, this approach, known as ``waterfall'' 
software development, leads to modernization programs going 
over budget and behind schedule at alarming rates. Single, 
``big bang'' releases of new systems lead to massively 
increased risk.
    At DHS today, we reject this approach in favor of a more 
incremental, iterative, and measured strategy based on private 
sector best practices that enable us to successfully modernize 
key services and retire costly legacy systems. Our newly 
initiated modernization programs focus on defining a minimum 
viable product, initial functionality that can be launched 
within months, not years. From there, we follow an agile 
software development methodology that gathers requirements, 
builds, tests, and launches software, in rapid, iterative 
cycles. Modernized systems are deployed and implemented in 
parallel to the old legacy ones, to buy down risk over time.
    For our existing modernization programs, started under the 
old model, we are focused on transitioning as much of the work 
to the new approach as possible. A critical element of this 
approach is that government, not any one vendor, must serve as 
the integrator ultimately responsible for successful delivery 
of an IT system. We depend on our industry partnerships but 
require strong technical expertise in Federal service to 
oversee contracts and ensure results. I am focused on 
strengthening our IT workforce to enable this, both by bringing 
in talent from the private sector and creating new 
opportunities for our workforce to develop and gain new skills.
    Our written testimony provides examples of our transition 
of legacy modernization programs into this new approach as well 
as of newer initiatives started under this model.
    This work is showing results in strengthening 
cybersecurity, reducing spending, and most importantly, 
improving customer experience. Just yesterday we announced that 
the Department had reached its target of eliminating 20 million 
of the 190 million hours of administrative burden that we place 
on the public each year through modernizing our IT systems and 
simplifying our services.
    We still have much work to do, but I am proud of the work 
done by my colleagues here today and the entire DHS IT 
community to deliver modernized, secure, effective, and usable 
systems to support our Department's critical missions.
    Thank you again for the opportunity to testify today, and I 
look forward to your questions.
    Senator Hassan. Thank you very much.
    Our next witness is Charles Armstrong. Mr. Armstrong serves 
as the Chief Information Officer for the Federal Emergency 
Management Agency (FEMA). His role is to ensure that the 
agency's technology can support its mission to prevent, prepare 
for, and recover from domestic disasters. He previously served 
in the Customs and Border Protection (CBP) Office of 
Information and Technology and was Deputy Chief Information 
Officer of DHS.
    Welcome, Mr. Armstrong. You are recognized for your opening 
statement.

    TESTIMONY OF CHARLES R. ARMSTRONG,\1\ CHIEF INFORMATION 
 OFFICER, FEDERAL EMERGENCY MANAGEMENT AGENCY, U.S. DEPARTMENT 
                      OF HOMELAND SECURITY

    Mr. Armstrong. Thank you. Good morning Chair Hassan, 
Ranking Member Romney, and distinguished Members of the 
Subcommittee. Thank you for the opportunity to testify today in 
support of the agency's information technology modernization 
program.
---------------------------------------------------------------------------
    \1\ The joint prepared statement of Mr. Armstrong appears in the 
Appendix on page 27.
---------------------------------------------------------------------------
    FEMA is utilizing agile development and delivering small 
segments and providing an opportunity for customers to interact 
with systems in a rapid fashion. This approach allows our 
developers to receive real-time feedback from customers on 
their experience.
    FEMA requires continuous modernization to maintain mission 
readiness. The overarching goal is to modernize and streamline 
processes through the consolidation of systems and platforms. 
As Stafford Act-related disasters increase, our system must be 
able to scale to support the magnitude of the disaster.
    Today I will highlight three FEMA modernization programs: 
Grants Management Modernization (GMM), the National Flood 
Insurance Program (NFIP), and Individual Assistance (IA). 
First, let me begin with Grants Management.
    Based on prioritizing customer experience, FEMA is 
consolidating eight disparate legacy systems into the FEMA 
Grants Outcomes (FEMA GO) System. The new IT platform is 
targeted toward the entire grants community of users, including 
FEMA personnel, the grants recipients, the sub-recipients 
across State, local governments, Tribal, and territorial 
partners. GMM, through FEMA GO, has migrated 5 programs to the 
new system in fiscal years (FY) 2018 through 2022, and has 
onboarded 14 additional grant programs in fiscal year 2023. FEMA 
plans to onboard approximately 20 additional grant programs by 
April 2024, and decommission all the old systems by 2025.
    Next I am going to discuss the National Flood Insurance 
Program, or the Pivot system. As a goal for making wise land 
use decisions, Congress established the NFIP to encourage 
communities to enact floodplain management ordinances 
consistent with Federal standards. Pivot facilitates and 
consolidates the NFIP core business processes from the legacy 
system and services program. Pivot was an agile modernization 
program in the newer mold of technology modernization, 
replacing the old NFIP system and services program.
    Pivot processes millions of transactions of flood insurance 
applications, policies, and claims, and provides business 
workflow to automate manual processes and provides reporting 
and data analytics for financial and business requirements. 
Pivot met its full operational capability in October 2020, 
ahead of schedule and under budget.
    Finally, the Individual Assistance Technology Support 
Services program. FEMA is planning to migrate 9 disparate 
systems into the Individual Recovery Information System (IRIS), 
and will be replatforming into the recovery cloud environment. 
The IRIS full operational capability is projected for July 
2027, contingent on out-year funding. FEMA's Individual 
Assistance also implemented Login.gov as a multifactor 
authentication and to support State, local, and Tribal access 
in 2023, and plans to place this integrated component in the 
beginning of the registration intake process once streamlined 
disaster assistance intake is rolled out in August.
    In closing, again, FEMA thanks the Committee for the 
opportunity to be a witness at today's hearing. The agency 
looks forward to continued partnership and is open to any 
questions that you may have. Thank you.
    Senator Hassan. Thank you, Mr. Armstrong.
    Our third witness is Yemi Oshinnaiye. Mr. Oshinnaiye is the 
Chief Information Officer for the Transportation Security 
Administration (TSA). He works to ensure that TSA's technology 
capabilities meet the agency's task of keeping highways, 
railroads, mass transit, and air travel safe. He previously 
served as the Deputy Chief Information Officer at U.S. 
Citizenship and Immigration Services (USCIS).
    Welcome, Mr. Oshinnaiye. You are recognized for your 
opening statement.

  TESTIMONY OF YEMI OSHINNAIYE,\1\ CHIEF INFORMATION OFFICER, 
  TRANSPORTATION SECURITY ADMINISTRATION, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Oshinnaiye. Good morning, Chair Hassan, Ranking Member 
Romney, and distinguished Members of the Subcommittee. Thank 
you for the opportunity to appear before you today and discuss 
the modernization of DHS's critical legacy IT systems.
---------------------------------------------------------------------------
    \1\ The joint prepared statement of Mr. Oshinnaiye appears in the 
Appendix on page 27.
---------------------------------------------------------------------------
    I have the honor of serving as the CIO for TSA. In this 
role, I am responsible for technology management, including 
technology delivery and support, innovation, cybersecurity, and 
all facets of IT resourcing that TSA uses to enable its 
mission. Prior to TSA, I served as the Deputy CIO for the U.S. 
Citizenship and Immigration Services, where I led innovative 
practices and solutions to address the challenges of legacy 
systems and the processes used to modernize them. These 
practices are still in use today, to enable modern systems and 
continue innovation for the nation's immigration benefit system 
and across Federal Government.
    Prior to my Federal service, I worked as a Chief Technology 
Officer in the private sector, and as an entrepreneur, 
providing software development and systems engineering 
services.
    At TSA, we are responsible for the security of over 430 
Federalized airports, and routinely screen more than 2 million 
passengers, 5 million carry-on bags, 1.4 million pieces of 
checked luggage daily for explosives and other prohibitive 
items.
    TSA IT systems enable TSA to provide world-class security 
for the American traveling public while ensuring 
confidentiality, integrity, and availability of TSA data and 
resources. I am proud of how TSA is approaching modernization 
to ensure our infrastructure, systems, and IT solutions remain 
resilient and effective.
    Our strategy for modernization at TSA is in line with the 
DHS overall approach. Our focus is on leveraging human-centered 
design, a problem-solving technique we use to engage our 
customers. This technique allows us to leverage user experience 
and incorporate this feedback into our overall modernization 
strategy. When we operate this way, we provide a better 
opportunity for the user community to influence the final 
product, which improves the final product.
    TSA's IT modernization strategy enables the agency to 
outsource critical portions of the modernization to industry 
partners, such as cloud vendors, who invest heavily in modern 
services and infrastructure. Leveraging this investment 
empowers TSA to focus more of our talent and resources on 
process improvement and strategies for continued mission 
success.
    Two great examples of this are the Performance and Results 
Information System (PARIS). This system manages compliance and 
inspection activities. We recently successfully migrated to the 
cloud platform which enables us to grow, scale, and provide 
robust analytics for TSA compliance activities.
    Another example is the Mission Scheduling Notification 
System (MSNS). This system scheduled Federal air marshals to 
protect in-flight travel. MSNS is a collection of systems with 
integration to many other systems, but currently includes a lot 
of extensive manual processing. We prototyped the modern 
process using cloud platforms with an intuitive design in a 
matter of months using agile, that alleviates manual 
processing. Our solution delivers rapidly over time by taking 
an iterative approach.
    These two examples show how TSA IT delivers effective 
technology to the mission and the strategy to sustain its 
capability.
    Chair Hassan, Ranking Member Romney, and distinguished 
Members of the Subcommittee, thank you for the opportunity to 
testify before you today and for your continued support of TSA. 
I look forward to this discussion and your questions.
    Senator Hassan. Thank you very much.
    Our final witness is Kevin Walsh. Mr. Walsh is the Director 
of the Government Accountability Office's Information 
Technology and Cybersecurity reviews. He has led GAO's work to 
identify challenges associated with the Federal Government's 
use of aging technology, coordination of IT acquisitions, and 
IT-related risk assessments. His work has specifically focused 
on making recommendations to improve DHS's IT systems.
    Welcome, Mr. Walsh. You are recognized for your opening 
statement.

 TESTIMONY OF KEVIN WALSH,\1\ DIRECTOR, INFORMATION TECHNOLOGY 
    AND CYBERSECURITY, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Walsh. Chair Hassan, Ranking Member Romney, and Members 
of the Subcommittee, thank you for inviting GAO to testify on 
this important issue.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Walsh appears in the Appendix on 
page 37.
---------------------------------------------------------------------------
    As you have heard, DHS plays a pivotal role in safeguarding 
the United States and its citizens from a variety of threats, 
and its IT systems are critical to that mission. Among other 
things, DHS prevents and responds to acts of terror. Its IT 
systems help to coordinate intelligence gathering and analysis, 
secure transportation systems, and collaborate with Federal, 
State, and local law enforcement. DHS also secures our borders. 
This technology has intercepted illegal activities, combats 
human trafficking, and identifies unauthorized individuals, 
illicit drugs, and contraband.
    DHS also protects our infrastructure. Its IT defends 
against cyber threats to our essential services, sensitive 
information, and national security. DHS also responds to 
natural disasters. Its tech coordinates our emergency response, 
supports affected communities, and aids in their eventual 
recovery.
    In 2023, the Department expects to spend about $10 billion 
on IT. Operating and maintaining existing systems is about $9 
billion of that. In many cases, those existing systems are not 
the newest. However, because they are old does not mean they 
are at risk or in need of retirement. The systems to focus on 
are those that we would flag as legacy IT, systems that are 
outdated or obsolete that may have heightened security risks or 
are not meeting mission needs.
    Worryingly, the Department's efforts to modernize such 
systems have a history of costing more than planned and taking 
longer than promised. We have reported that the Department is 
on its third attempt at modernizing its financial systems, 
which recently breached schedule and performance goals. Its 
biometric identity management services, handling fingerprinting 
and facial recognition, are outdated, and the replacement 
project is years behind schedule. The system it uses to award 
billions in grants to prepare and respond to disasters is also 
outdated, and the replacement project is also years behind.
    While all is not quite right in the Land of Oz, DHS has 
been taking promising steps to address these issues. For 
example, they have halted or suspended projects that are going 
poorly, they have addressed our recommendations at a better-
than-average rate, documented lessons learned, and used modern 
development technologies like agile and incremental. They have 
also been working diligently to address the associated high-
risk area on IT and financial management functions.
    Going forward, DHS needs to continue addressing its legacy 
systems, cataloging those systems, identifying what is not 
performing, and prioritizing the work ahead. They should also 
make sure to turn off the old systems.
    It is worth noting that this should not be a one-time 
effort. It should be part of every agency's portfolio 
management to consider what IT is not doing well. Ideally, we 
should also be forecasting when this will occur so that the 
government's responses are proactive instead of reactive. The 
Chair's Legacy IT Reduction Act includes provisions along those 
lines.
    Finally, this probably is not what you want to hear, given 
the current fiscal environment. However, modernization may not 
be a cost-saving endeavor. What we do get are newer systems 
that are more efficient, with better functionality, and 
stronger security.
    This concludes my statement, and I look forward to your 
questions.
    Senator Hassan. Thank you, Mr. Walsh. We will now proceed 
with our first round of questions, and I will start with a few 
and then turn it over to the Ranking Member.
    The first question is to you, Mr. Walsh. This Subcommittee 
has led efforts to save taxpayer dollars by encouraging 
agencies to modernize their outdated and obsolete IT systems. 
These aging systems not only increase costs, they can also 
jeopardize our national security.
    What specific risks has GAO identified that are presented 
by DHS's aging IT infrastructure, and can you provide an 
example, please.
    Mr. Walsh. The general risks to running legacy systems are 
risks to your security, mission needs, staffing, and cost. In a 
specific example, as has already been mentioned, FEMA is 
working on its Grants Management modernization program. That 
program is to replace a series of legacy systems that currently 
are experiencing the problems we are describing today. They 
have manual processes that are a burden for recipients, a 
burden for the agency, and are slowing down the response to 
disasters. If that legacy system were to fully go off the 
rails, a disaster without grants from the government would be 
very difficult for our citizens.
    Senator Hassan. Thank you. This is a question to Mr. Hysen 
and to Mr. Walsh. It is deeply concerning that DHS relies on 
outdated technology for some of its most important work. I 
heard the testimony about progress you are making, but there is 
still really important work where we are using outdated 
technology. Mission-critical systems should be an IT 
modernization priority, but different agencies have different 
ideas about what makes an IT system mission critical.
    Mr. Hysen, how does DHS currently prioritize which systems 
to modernize?
    Mr. Hysen. Chair, thank you. As we look at establishing 
modernization priorities we are looking to those that fit into 
three categories, those that present significant cybersecurity 
risk, those that present opportunities to improve the 
experience the public has interacting with DHS services, and 
those that present opportunities to improve how our employees 
do their job every day and enable them to do that more 
effectively.
    On the cyber front, one tool that we have developed to aid 
us in this is a unified cybersecurity maturity model that 
evaluates all of our IT systems across the Department on a 
number of different cyber axes, and enables us to best identify 
areas of risk to prioritize our modernization efforts.
    Senator Hassan. Thank you. Mr. Walsh, what is GAO's 
criteria for determining if something is mission critical?
    Mr. Walsh. We have a two-tiered test. The first looks at 
whether the functions of a given system are unique to the 
agency. If it is unique, then any sort of damage or disruption, 
what kind of impact it would have to the mission of that 
agency.
    Second tier, systems who, if they were damaged or the data 
were lost, misused, or disclosed, would have a debilitating 
impact upon the agency.
    Senator Hassan. OK. Mr. Hysen, could DHS adopt GAO's 
mission-critical criteria to help decide what IT modernization 
projects to prioritize?
    Mr. Hysen. Absolutely, Chair, and I believe we look at very 
similar criteria across our planning efforts.
    Senator Hassan. I think it is a really important area to 
focus on and really try to make sure that that is, in fact, how 
the agency is approaching it.
    Mr. Oshinnaiye and Mr. Armstrong, a question for the two of 
you. Let us discuss a couple of examples of systems that are 
critical to DHS's mission but rely on aging technology. Since 
2009, TSA has used the Secure Flight System to spot potential 
threats to commercial airline travel within and outside of the 
United States. This system connects to many other agency 
systems to identify individuals who are ineligible to fly.
    Mr. Oshinnaiye, can you walk us through what would happen 
if the Secure Flight System were to go offline, fail, or be 
even partially inaccessible?
    Mr. Oshinnaiye. Thank you, Chair. Similar to what Mr. Walsh 
said, the system has been in existence for a while, but calling 
it a legacy system would not be the same as a mainframe. That 
system is constantly updated, and if that system would go 
offline we do have an offline policy or process where we can 
operate for a certain amount of time. We also test that 
scenario for COOP, to make sure that if we did have an outage 
we would still be able to operate and protect travelers.
    Senator Hassan. But what would happen? I understand there 
is a workaround, and I made that comment in my opening, but a 
workaround has its costs too. What, if it were to go offline, 
or fail, or be even partially inaccessible, and let's say your 
workaround did not work, what happens?
    Mr. Oshinnaiye. In a catastrophic event or if you would 
exceed the COOP timeframe, it would hinder our ability to see 
travelers who are dangerous to other travelers.
    Senator Hassan. OK. Thank you.
    Another example of DHS's aging IT infrastructure is the FEMA 
system that enables the flows of funds and services to disaster 
survivors, and Mr. Walsh was just getting at that. Mr. 
Armstrong, if this system went down, how would Americans in 
need because of a natural disaster, access FEMA services?
    Mr. Armstrong. Chair Hassan, can I ask to clarify that, 
because Mr. Walsh talked about Grants Management, and I want to 
make sure you are not referring to Individual Assistance.
    Senator Hassan. Let us talk about Individual Assistance. 
What would happen if, in a natural disaster, access to the 
Individual Assistance system goes down?
    Mr. Armstrong. Individual Assistance, as you can imagine, 
is critical to the mission of FEMA. It is one of the systems 
that we rely on to give immediate recovery to that survivor 
during the recovery and response period of a disaster. Without 
that capability in place we would have to resort to manual 
processes, which could either slow things down or prevent us 
from adequately addressing the needs of the individual during 
that critical time.
    Senator Hassan. It could have a really significant, and at 
times, really dangerous impact, right?
    Mr. Armstrong. Yes, ma'am.
    Senator Hassan. Thank you.
    I will now turn to Senator Romney for his questions.
    Senator Romney. Thank you, Chair. I appreciate the chance 
to listen to each of you and to hear your perspectives and 
update on our systems. I am curious, as we begin, Mr. Hysen, do 
Mr. Armstrong and Mr. Oshinnaiye both report to you? What is 
the organizational structure within DHS for the various 
agencies that are part of the entire entity?
    Mr. Hysen. Thank you, Ranking Member. Under the Federal IT 
Acquisition Reform Act (FITARA), the component CIOs under DHS 
report in to me. However, they also maintain a reporting 
structure into their component agencies.
    Senator Romney. It is a matrix reporting system. Do they 
follow the same approach that you described? I am curious as to 
how widespread your approach is, which, as you described, I 
will call it the ``big bang'' approach, which is a big contract 
going out and waiting for a full system being delivered by an 
outside contractor, versus something now which--I do not know 
how you would describe it--incremental, which is you begin with 
a system and then add onto it as time goes on, improve it as 
time goes on.
    How much of what is being done follows the latter approach 
as opposed to the former ``big bang'' approach?
    Mr. Hysen. At this point, Ranking Member, agile delivery 
and this newer approach to modernization is widespread across 
DHS. This has been a journey over really the last decade. Some 
of our component agencies were earlier adopters of this 
approach, some have made that transition more recently, but it 
is now the norm.
    Senator Romney. Do you know whether that is the case also 
more broadly through our government? I presume you interact 
with CIOs in other departments as well. Is the agile approach 
being adopted on a widespread basis?
    Mr. Hysen. I believe so. That has been a transition that 
has been discussed across the Federal CIO council and among my 
colleagues over the last many years.
    Senator Romney. We have a history of spending a lot more 
than the private sector to get an updated modernization of our 
systems. Is that because of the prior approach, or is it just 
endemic to the way government works?
    Mr. Hysen. I believe it is, in many ways, tied to that 
approach. One of the results of that ``big bang'' approach with 
single-system integrators was that every IT system would build 
everything from the ground up. They would have their own 
infrastructure, their own support teams, their own log-in 
systems, for example. As we have moved to modernize, we are 
looking to break that down, offer up common enterprise services 
for common pieces of functionality--that was the norm, for 
example, when I worked in Silicon Valley--and enable each 
individual system to only focus on their unique functionality 
needs.
    Senator Romney. I cannot resist asking you a personal 
question, which is you were in Silicon Valley. I read stories 
about the billionaires, the popcorn in Silicon Valley. What led 
you to leave Silicon Valley and go to work in the government? 
Are you happy you made that decision? [Laughter.]
    Are you looking for a ticket back, or is this a 
responsibility that you particularly feel is important and that 
you enjoy?
    Mr. Hysen. No, sir, I am not looking for a ticket back. I 
have been thrilled to make this transition. I come from a 
family of public servants. My father is a retired public 
servant at the General Services Administration (GSA). When the 
healthcare.gov disaster occurred in 2014, I was looking at the 
work I was doing in Silicon Valley and saw the opportunity to 
use my skills for a bigger purpose. I was thrilled to be able 
to cofound the U.S. Digital Service and have since helped 
recruit dozens of other technologists from the private sector 
into government and look to bring on many more in the years to 
come.
    Senator Romney. I very much appreciate that, as a citizen. 
You described the priorities. The Chair asked about which 
systems you modernize. It struck me that one of those was 
perhaps the highest, which is protecting national security, 
protecting personal information that individuals might have, 
that there is a high degree of sensitivity there.
    Are we fully modernized in that category or are we still 
operating some legacy systems that present a real risk, either 
to national security or to the personal privacy of our 
citizens?
    Mr. Hysen. Senator, we certainly have more work to do. 
Several of the systems that my colleagues here have mentioned 
do present cybersecurity risks through the ongoing operation of 
our legacy systems, and we are focused on modernizing those as 
rapidly as possible.
    Senator Romney. Let me turn now to something I mentioned in 
my opening statement which is AI and the impact of AI on your 
respective responsibilities. I am aware of the writing today 
and the discussion today about how vulnerable we are to machine 
learning to be able to break into our systems.
    What is your sense of that? What are we going to need to do 
to protect the most critical information that we have from 
attack, from malign interests that would seek to undermine our 
national security or our personal privacy?
    Mr. Hysen. Ranking Member, thank you. As you noted, AI 
presents significant opportunities in modernizing our systems 
as well as better harnessing AI to advance our mission 
delivery, but the risk of adversarial use of AI is real as is 
the risk of disparate bias or unintended disparate impact from 
our use of AI.
    Secretary Mayorkas recently launched a Department-wide AI 
Task Force that I am co-chairing, along with our Under 
Secretary for Science and Technology (S&T), that is looking at 
exactly those questions. We are still early in our work but are 
taking this work very seriously and have it as a major focus 
for the year to come.
    Senator Romney. Maybe it is a conjecture at this point, but 
any sense of what we might need to do to protect critical 
information from an AI attack? Do we need to almost go offline 
in some respects with some databases? I wonder how you can 
protect our systems, given the power of an AI approach.
    Mr. Hysen. Senator, one area I would start with is a little 
more basic than that, is even AI literacy among our employees 
and those with access to our data. We expect to see an 
increasing number of AI-generated phishing emails that are 
attempting to trick our employees and other users into giving 
up information, and we need to be able to ensure that our 
employees know what AI is capable of and are on the lookout as 
they are executing their responsibilities first.
    Senator Romney. Thank you.
    Senator Hassan. Thank you, Senator Romney.
    I will recognize Senator Lankford for his questions.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thanks for doing this hearing, and 
gentlemen, thanks for your testimony as we walk through this. 
Mr. Hysen, I want to continue the conversation with you. USCIS 
still uses paper for a lot of the immigration processing, so 
tell me the status of where we are moving right now. Obviously, 
there are a lot of things that are changing along the border 
and trying to update data systems there. USCIS seems to be 
lagging in some of that. Where are we?
    Mr. Hysen. Senator, thank you. I actually believe USCIS is 
now a success story in their digitization journey. The first 
project that I was assigned to work on when I joined the U.S. 
Digital Service was USCIS's transformation program that was 
seeking to digitize their nearly 7 million immigration benefits 
applications every year.
    When we started that effort they were characteristic of the 
old ``big bang'' approach, a single vendor with proprietary 
technology that had been working for years and only digitized a 
handful of forms, and processing of those digital forms ended 
up being slower than paper.
    We worked with USCIS to restructure the program, implement 
agile development, move to the cloud, and implement human-
centered design practices to ensure that today a significant 
majority of USCIS's benefits applications are processed 
digitally, and they are using those capabilities to reduce 
their backlogs and improve their efficiency.
    Senator Lankford. USCIS, U.S. Immigration and Customs 
Enforcement (ICE), and CBP, their systems do not necessarily 
all talk to each other in moments that they need to be able to 
talk to each other. Do you know of an area between the three of 
them, as they are trying to be more interoperable in their 
systems and their data links, where you do not have to actually 
contact somebody else to get that information? They can 
actually pull it as they need to.
    Mr. Hysen. Yes, Senator. Historically that has been 
correct, and that has been something that we have worked very 
hard to address over the last several years. Through our 
Southwest Border Technology Integration Program we have been 
working to digitize the processes for non-citizens encountered 
at the border, to include issuing Notices to Appear (NTA) 
digitally as well as handing off information between agencies.
    One example there is ICE's new Case Acceptance System 
(CAS), which allows CBP to refer a case to ICE for custody 
digitally rather than waiting hours for ICE to come pick up a 
paper file and make a custody determination. This has saved 
millions of hours in transfer time, moving people through our 
process more efficiently.
    Senator Lankford. Yes, it has been helpful. What has been 
interesting is there are still a couple of moments there where 
they still have to contact each other, and we can talk offline 
about some of those. I am sure your team is already making 
contact with you about it.
    I was in Arizona, actually last week, as I am regularly 
down there for my responsibilities from this Committee, 
actually. In that dialog it was interesting to hear several 
folks say this system, the technology piece of it, is so much 
better than what it used to be, and I can see that and see the 
processing and the speed of that, where you have actually got 
people trying to input the data and to get them out.
    The challenge now is that we have more and more people that 
are data input folks at the border, and that is always the 
challenge as the human piece now. I will have a different set 
of questions for DHS on who should be the person actually 
entering all that data. Right now it is a person with a badge 
and a gun is also the person that is sitting there entering all 
the data. That is maybe not the best use of their time, to do 
that. But that has been a real help, but finding other ways 
that we can connect.
    It was interesting, as well, just on a vulnerability issue, 
how many areas of the border where we still do not have cell 
coverage and are very remote. You have folks out there with a 
portable device trying to connect in, and obviously there is no 
connection. That is a larger issue to be solved. Or that when 
you are on the border and you get to a Border Patrol station, 
immediately you open your phone and it says, ``Welcome to 
Mexico,'' when I am 50 feet from Mexico and you suddenly 
realize all the information that I am processing is processing 
through a cell tower on the Mexican side, not on the American 
side.
    There are some clear vulnerabilities there. How are we 
handling some of those vulnerabilities with our data?
    Mr. Hysen. Senator, thank you. I have had that exact same 
experience during my trips down to the border. We are working 
to expand connectivity infrastructure along the border. It is 
challenging given the geography. Some of the areas we are 
looking at include CBP's use of mesh networking kits that can 
extend the coverage of their devices, as well as satellite 
connectivity, and in other cases looking at partnerships with 
other Federal agencies as well as State agencies that have land 
rights along the border, including in parks, that we need to 
look at to put up more cell towers and expand coverage. We 
still have work to do there, but it is something we are looking 
at very closely.
    Senator Lankford. Yes, that is very helpful. Thanks for the 
progress on that, but we obviously still have a little bit of 
progress to go on it. But it is nice to see the work that is 
going on.
    I also appreciate the off-the-shelf focus, to say if there 
is some technology that already exists to do this then let's 
invest our dollars in other areas, in other technologies, I 
think is where you are trying to get at as well, to say that we 
do not have to create this ourselves. When I am along the 
border, and last week, when I was there many of the agents that 
were there, both at the ports of entry (POEs) and between the 
ports of entry, their first comment was, ``A lot of the folks 
that are coming are non-Spanish speakers.'' They had 1,000 
people from Mauritania that came in, in the last 2 weeks, that 
are adult males from Mauritania that are coming in, in large 
numbers. Russians that are coming in, in large numbers. 
Pakistanis, Middle Eastern men that are coming in, that we have 
no criminal records for at all and have no background 
information. But we also have no translator that is there.
    I said, ``OK. How is that going?'' and they all said, 
``Everyone shows up with their phone and with Google Translate 
on, and we stand there and Google Translate, communicate back 
and forth to each other.''
    I am sure there has been a push with DHS saying we need to 
develop our own system to be able to do this, but currently the 
Google Translate is working, and everyone seems to be fine with 
it, and it allows us to use monies in other areas that are 
really must-need, to develop new software technologies. In 
places where we can do that, we have a lot of catching up to 
do.
    I continue to encourage you and your team to use off-the-
shelf, tested software and technologies where we can, to make 
sure that we are investing dollars, trying to get us completely 
caught up with where we are not paper-based in other areas. 
Does that make sense?
    Mr. Hysen. Yes, sir.
    Senator Lankford. OK. Thank you. Thanks for all the work.
    Senator Hassan. Senator Rosen.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Chair Hassan and Ranking Member 
Romney. A really important hearing and I thank you all for 
being here today. Mr. Hysen, as a former tech person myself who 
now serves in government, I appreciate your work and your 
willingness to serve.
    But I want to move right into workforce challenges because 
we know that they are, well, every area in our country has 
workforce challenges, but really particularly in legacy IT. 
Maintaining legacy IT systems requires a specialized workforce 
capable, of course, of supporting technology no longer 
utilized, or I would not say no longer utilized, because it is 
utilized, it is there, but not as nimble as we can be with 
newer technologies. In many cases you cannot find the skilled 
workers trained in dated systems. I hate to use the words 
``dated systems and technologies'' but those kinds of things 
that I programmed in--Common Business Oriented Language 
(COBOL), FORTRAN, Assembler--from the 1980s and 1990s, you are 
trying to find a workforce that can maintain while you still 
have it, that can develop new systems, and then unload and 
reload, make that transition. It is really important. While we 
transition we have to train our IT younger generation coming up 
on how to do those things.
    Mr. Hysen, for maintenance development, for transition 
design and planning, and for unloading a database and reloading 
it to the new system, if you will, or databases, however they 
are, how are you approaching this expected modernization, and 
what are you doing to prepare the workforce that is going to 
live in both of these worlds, and needs to for a little bit 
longer?
    After that Mr. Armstrong and Mr. Oshinnaiye, if you want to 
talk about it as well.
    Mr. Hysen. Senator, thank you. It certainly is always an 
experience when I bring a new engineer or IT professional in 
from Silicon Valley and introduce them to how things do work in 
the government.
    Senator Rosen. The wonders of COBOL.
    Mr. Hysen. We are, thankfully, largely free of COBOL at 
DHS. I think there is probably a pocket or two there.
    Senator Rosen. The lovely Assembler, 16 bit.
    Mr. Hysen. Yes. But it certainly is a different experience 
than working in the private sector. We are focused on training 
across the board. One of the areas that I and my fellow CIOs at 
DHS have identified as a priority is standing up a department-
wide IT academy that will include standardized training for all 
new IT hires into the Department as well as ongoing development 
opportunities for our employees to develop new skills, whether 
that be in AI and data science, customer experience, agile 
development or the like.
    The IT workforce at DHS is a tremendous asset. We have over 
5,000 talented and committed professionals. While we are also 
looking to bring in more talent from the private sector, we 
have opportunities and are focused on enabling our existing 
workforce to grow and continue to increase their impact.
    Senator Rosen. You may have to work with the private sector 
who is still using legacy systems in order to share data or do 
some of that, so it is important.
    Mr. Armstrong? You laughed at my 16 bits. I appreciate 
that.
    Mr. Armstrong. I happen to be one of those legacy COBOL 
programmers.
    Senator Rosen. I have a hexadecimal calculator on my desk 
still, so there you go.
    Mr. Armstrong. It might have helped put my kids through 
college.
    At FEMA--and admittedly, I have only been there about 8 
months now, so I am still learning a lot about FEMA--we have a 
pretty aggressive program in place for retraining some of the 
existing staff on things like cloud technology and trying to 
get them, I would say, retooled for the newer technologies. But 
we are also in the process, unfortunately, because we have lost 
so many folks through attrition, of hiring a little over 100 
people in IT. We are looking for newer skill sets as we are 
bringing people on board.
    The challenge is attracting them away from industry, and 
you do not come into government jobs for the money, obviously. 
You have to really get them wanting to come in and do the 
mission and be part of something bigger than themselves. That 
is kind of our approach.
    Senator Rosen. Thank you. Mr. Oshinnaiye.
    Mr. Oshinnaiye. Thank you, Senator Rosen. What we have done 
at TSA, in addition to what my colleagues mentioned, is kind of 
reducing the fear of getting your hands dirty. Myself and my 
deputy are also former developers, so we allow folks to come in 
and use a technology. We have noticed that very new and very 
tenured staff, if you give them a chance to work with vendors 
and come in and just spend the time, they will be open to it 
and then use that process.
    We actually had a staff member build a system themselves in 
the last 30 days that we are actually using internally. Once 
you reduce that fear factor and let everyone learn and then 
fail forward, we are able to build out what I call the IT IQ.
    We even have, in our airports, what we call LIFT cells, 
innovation cells, which allow folks in the airports to come up 
with ideas and build on platforms. The more you let folks work 
and use it, the smarter they become.
    Senator Rosen. I like that IT IQ. I am going to use that 
one, but thank you.
    I am going to move back over to you, Mr. Armstrong, and 
talk about FEMA disaster grants, because last month I led 
several of my Nevada delegation colleagues in urging the 
Administration to grant our Governor's request to declare a 
major disaster in Nevada due to severe winter storms that 
caused extreme flooding, rockslides, and landslides. I was 
pleased to see a disaster later declared, so it allows our 
Nevada residents, our local businesses, our Tribal communities 
the access to the Federal resources that they need.
    But as Nevadans start to access these vital FEMA resources 
I want to ensure that your systems are up-to-date and secure so 
that my constituents can get what they need to rebuild their 
lives, in many cases.
    Mr. Armstrong, what is the status of the FEMA Grants 
Management modernization, which was started in 2017, and FEMA's 
Individual Assistance and technical support modernization, 
which is really that interface that began last year?
    Mr. Armstrong. Sorry. The IT guy forgot to turn on his 
microphone.
    With respect to Grants Management modernization, we have 
moved over 19 grant types so far. We have another 20 to move, 
and those are projected to be moved by April 2024. In addition 
to that, the program is in the process of getting a new vendor 
on board to start to transition data from the legacy systems 
into the new systems, and that is projected to start in the 
fall of this year.
    The goal would be to get all the grants up and running by 
the spring of next year, data migrated over by mid-summer of 
next year, and decommissioning to happen sometime in 2025, of 
the legacy system.
    Then with respect to your second question about Individual 
Assistance, that planning is still early on. There is some 
initial work that has been done to stand up a cloud environment 
instance as part of our bigger FEMA cloud environment. That 
work should be completed in the fall. Currently the program is 
in the planning/looking-for-funding stage to really get off the 
ground.
    Senator Rosen. That is our trigger, looking for funding. 
But I would urge putting an app as well, because most people, 
if they are in a disaster, what do they leave with? Just a 
phone. They do not maybe have the other things with them, and 
that is an easy way for them.
    Mr. Armstrong. Yes. I do not want you to get the impression 
that nothing is going on. There is still some work to try to 
help modernize some of the legacy processes that are there 
today. We recently, led by the Administrator, had a dogfooding 
session, where we brought in our executives and put them 
through scenarios where they get to kick the tires on both 
Grants Management and Individual Assistance. We also had 
scenarios where we different types of survivors or different 
types of grant users, and had to interact with the system and 
give feedback to the programs. It was a good opportunity to 
step outside of your comfort zone and put yourself in the shoes 
of someone that actually has to use the system.
    Senator Rosen. Thank you. I appreciate that.
    I do have one more question, Madam Chair, if there is no 
one waiting. Is that OK?
    Senator Hassan. Go right ahead.
    Senator Rosen. I know that Senator Romney talked about the 
vast amounts of data that we have and how do we keep it secure, 
and some of the things that are really important to us. I want 
to talk about the concept of Federal data centers, because in 
2014, OMB launched an initiative to consolidate our Federal 
data centers, which has resulted in a cost savings of $5.8 
billion. The Department of Homeland Security began its own data 
center consolidation efforts long before governmentwide Federal 
data consolidation efforts were launched.
    DHS, you undertook this project with the objective of 
fostering productive collaboration and facilitating improved 
data sharing. In March, this Committee, we are very proud to 
have marked up the Federal Data Center Enhancement Act, 
bipartisan legislation I introduced, that requires OMB to 
coordinate a governmentwide effort to develop minimum 
requirements for Federal data centers related to cyber 
intrusions, data center availability, and resilience against 
both physical attacks and natural disasters.
    Mr. Walsh, how do you assess the success of the Department 
of Homeland Security data center consolidation efforts?
    Mr. Walsh. As you noted, data center consolidation has been 
a great source of cost savings in the government, and DHS, with 
the emphasis that they have placed on enterprise-wide services 
has been working toward that. A prior colleague of mine once 
said that if you cannot consolidate, if you cannot do it well, 
up to snuff, to the metrics that you are talking about, then 
maybe it is time for us to get out of the business. I think the 
government, in many cases over the past 7 or 8 years, has been 
doing exactly that, getting out of the business. I think DHS 
has been doing a good job, as you noted, toward the forefront 
of the government, to eliminating its data centers.
    Senator Rosen. Thank you. Thank you, Madam Chair.
    Senator Hassan. Thank you, Senator Rosen.
    I have a few more questions, and then we will likely wrap 
up unless other Senators come on in.
    Mr. Walsh, before I start with a question to you I want to 
note, for Mr. Hysen and all of the DHS folks here, Senator 
Lankford talked about the lack of cell service, for instance, 
on the Southern Border and the challenges that creates. It is 
also creating a huge challenge, as you know, on the Northern 
Border. I want to raise that and make sure that we are focused 
on trying to make sure that wherever our personnel are they 
have the connectivity that they need to keep us safe. I hope 
you will take that emphasis back with you.
    Now to Mr. Walsh, Federal IT modernization projects take 
many years and considerable resources to plan and execute. We 
have been talking about that. They often face significant 
barriers too. For example, since 2015, DHS has been working to 
update its aging system that, in order to assist Federal law 
enforcement in identifying threats, integrates biometric data 
from across government, and I believe you commented on that in 
your testimony. However, this project has run into several 
challenges, causing Congress to request an independent 
evaluation of the project.
    Mr. Walsh, you mentioned that GAO has done some monitoring 
of DHS's progress on this particular progress. What challenges 
have you identified that are preventing DHS from completing 
this project?
    Mr. Walsh. First, we are currently doing work on the 
Homeland Advanced Recognition Technology (HART) program, on 
your behalf. We are happy to chat with you at any point on the 
status of that work.
    Our prior issued work identified a series of issues related 
to the HART program, and we made a total of seven 
recommendations. Three of those recommendations remain open. 
They are related to reviewing contract deliverables from 
contractors before accepting them, tracking and monitoring 
costs, defining and monitoring stakeholder involvement. Those 
are the three remaining recommendations--making sure that you 
involve your stakeholders, track your costs, and do not carte 
blanche accept what the contractor gives you and tells you.
    However, as we have been talking, HART is one of these 
``big bang'' approaches. It is not one of these new, smaller, 
fail fast, get a product out the door quick. That is a problem. 
I think DHS has identified their 2020 breach of this program 
due to overly complex and potentially high-risk design as well 
as disagreements with the contractors.
    Senator Hassan. Thank you.
    This is a question for the three DHS representatives here. 
In 2020 and 2022, I wrote to DHS requesting a department-wide 
IT modernization plan. The Department still has not provided 
one. IT modernization plans play an important role in an 
agency's ability to make progress on their IT goals, control 
costs, and provide transparency.
    As much as I appreciate the progress you all have reported 
about today, I am still concerned that without an agency-wide IT 
modernization plan, DHS will continue to struggle to prioritize 
updating its most critical systems.
    Mr. Hysen, without a department-wide IT modernization plan, 
how do you ensure that the agency is meeting its goals, 
especially in regard to mission-critical systems?
    Mr. Hysen. Thank you. First, we are currently finalizing 
our updated IT strategic plan for the Department. Our current 
plan expires at the end of this fiscal year, and we will be 
releasing the new one prior to its expiration that will 
identify our overall modernization priorities.
    But ultimately, in government, the truest sign of your 
priorities is where you align your budget. I have been focused, 
along with our acting Chief Financial Officer (CFO), on 
strengthening the IT oversight of our budget request. Over the 
last 3 years, we have progressively increased IT involvement in 
the annual budgeting process, under the spirit of FITARA, such 
that now, as we are preparing our 2025 budget request, every IT 
investment proposal by any part of the Department is evaluated 
against the IT modernization priorities that I have set out for 
the Department, and then we are ensuring that my component CIOs 
and then ultimately I have full review and approval over the IT 
budget request.
    Ultimately I believe that our budget request becomes the 
modernization plan, as that is where we intend to align our 
resources.
    Senator Hassan. OK. Thank you. We will follow up with you 
on that.
    Mr. Oshinnaiye and Mr. Armstrong, how would a department-
wide modernization strategy help inform TSA's or FEMA's 
modernization efforts? Mr. Oshinnaiye.
    Mr. Oshinnaiye. Thank you, Chair. As CIO Hysen mentioned, 
we actually follow in tandem with the Department on some of the 
components. We are also building out our strategic plan as well 
and working to align with the Department. Some of the things 
that we have adopted, in addition to technology advancement, is 
technology context, making sure that when we put new technology 
out it actually aligns to the mission. As a part of saving 
money on the mission is making sure we put the right technology 
out so people can use it, and we are not iteratively trying to 
change technology because it does not adapt to what the user 
needs.
    We use that, and we work with the Department on all of our 
upgrades and our processes so that we are in alignment, not 
only to the Department but with other components. Then when we 
find an opportunity to share technology, we do that so we can 
consolidate what we are using.
    Senator Hassan. What I am hearing you say is a department-
wide modernization plan will help you all align and be more 
efficient, more effective, get the technology you need. I am 
trying to understand what the benefits are.
    Mr. Oshinnaiye. Absolutely. When we are in alignment it 
will help us be more effective and optimal.
    Senator Hassan. OK. Mr. Armstrong.
    Mr. Armstrong. Thank you, Madam Chair. Traditionally, the 
components have been a key part of helping develop the 
departmental strategic plan, so I would anticipate we would be 
all providing input into that plan, as we all have different 
mission needs, different technology baselines, and so that 
would get incorporated into the plan.
    Certainly, FEMA would benefit from having an overarching 
plan. We have a strategy from 2022, which will probably need to 
be updated in the next year, after the DHS plan is developed.
    But certainly it helps, one, communicate to the non-IT 
leadership across the Department where are we headed, and two, 
it is critical, as we pointed out, about identifying mission-
critical systems. It also helps identify mission-critical 
strategies about those systems so that throughout that budget 
formulation process we have a strategy to point back to, to say 
that this initiative is supported by this overarching strategy 
to help justify where we are headed, from a funding standpoint.
    Senator Hassan. Thank you.
    Mr. Hysen, another question. Having adequate financial 
resources is obviously a key component of any IT modernization 
project, and in turn, smart investments in modernizing legacy 
IT can save taxpayer dollars. It is important that agencies 
have flexibility for multiyear IT modernization projects to 
help them navigate unpredictable appropriation cycles and to 
keep projects running on time and on budget.
    An example of this flexibility is having an IT working 
capital fund. DHS maintains what it calls a ``non-recurring 
expenses fund.'' Can you describe the similarities and 
differences between that fund and a traditional IT working 
capital fund?
    Mr. Hysen. Thank you, Chair. Yes. Since Congress passed the 
Modernizing Government Technology Act, DHS had been requesting 
budgetary authority to establish an IT working capital fund. In 
the fiscal year 2022 budget, we were granted the authority to 
create this nonrecurring expenditures fund (NEF), that takes 
expired funds and allows us to spend those both on IT 
modernization projects but also on modernizing our facilities, 
which has been a critical priority for Secretary Mayorkas, to 
improve the experience of our employees.
    We have stood that fund up. The funds there will be split 
50/50 across IT and facilities. The initial investments there 
are on some facilities improvement projects, and we are 
preparing now to begin considering the first round of IT 
projects. We believe it does meet the intent of an IT working 
capital fund, even though it is technically a little different.
    Senator Hassan. It is still taking some of those resources 
and using them for non-IT purposes.
    Mr. Hysen. My understanding from the budget discussions, 
when it was being enacted, was that when we expanded the scope 
of the fund to facilities, we also increased the total portion 
of expired funds that were being transferred. Ultimately our 
CFO, our chief readiness support officer, and I viewed the 
proposal as a win-win for the Department.
    Senator Hassan. OK. But you still do not have an IT working 
capital fund that is devoted over years to improving the IT and 
modernizing IT.
    Mr. Hysen. Technically, no, but we believe that the NEF 
will grow considerably as funds expire, year over year, and 
with the intended 50/50 split with IT funding there, that that 
will be a long-term source of much-needed IT modernization 
funding for us.
    Senator Hassan. All right. Thank you.
    Now to Mr. Hysen, Mr. Oshinnaiye, and Mr. Armstrong, you 
are all CIOs. Agency chief information officers play an 
important role in advocating for the IT needs of the agency. As 
we discussed today, you and your peers work to ensure that DHS 
has the technology it needs. That is obviously critical so that 
the agency can fulfill its mission to keep the American people 
safe.
    Mr. Hysen, are there additional authorities that would help 
you do your job more effectively?
    Mr. Hysen. Chair, I believe that FITARA gave us, as CIOs, 
sufficient authority to effectively oversee our IT at our 
departments. My focus is on strengthening our internal 
processes to best leverage those authorities, to ensure that I 
am able to carry out those responsibilities fully.
    Senator Hassan. OK. Mr. Armstrong and Mr. Oshinnaiye, as 
the CIOs of agencies within DHS, what resources or guidance 
could Mr. Hysen's office provide to support your work and meet 
the unique needs of FEMA and TSA? We will start with you, Mr. 
Armstrong.
    Mr. Armstrong. I have to also agree with Mr. Hysen. Having 
been at the Department for quite some time, I will tell you 
FITARA has really made a significant difference in the 
authorities that the CIO has. To give you an example, I come 
from a community where I had a lot of centralized IT under me, 
to an environment where IT is more spread out across the agency 
and more federated. However, I have a lot of checks and 
balances in place, and processes, so that I get to influence 
decisionmaking across the agency with respect to the planning 
of IT, the budgeting of IT, the execution piece of IT. A lot of 
that is through the chief acquisition executive doing regular 
reviews and providing oversight. But I am certainly at the 
table to help move that needle one way or another, where it 
needs to go.
    I feel we have the authorities at this point in time. It is 
a matter of maturing them and executing them.
    Senator Hassan. Thank you. Mr. Oshinnaiye.
    Mr. Oshinnaiye. I will add, I will say FITARA has helped 
support my job and my role in my agency. I will say that at a 
Department level, CIO Hysen and staff, working with other 
counterparts across DHS headquarters, gives a credibility to 
the component to be able to have the authority to sit at a 
table with counterparts like the CFO or the component 
acquisition executive. When we want to make a change or make a 
mandate, if we have to, for the agency, they look to the 
Department, and when they see the collaboration they echo that 
at the component level. That has been very helpful.
    Senator Hassan. Thank you. Before we close I have asked a 
series of questions to the three CIOs at DHS, but Mr. Walsh, 
anything that you want to add or weigh in on here?
    Mr. Walsh. Thank you. I would like to chime in on that last 
bit about CIO authorities. We took a look in GAO-22-104603 at 
the authorities that private sector CIOs had and compared those 
to our Federal CIOs, and found that, for the most part, private 
sector CIOs and Federal CIOs had similar authorities.
    However, we did make a pair of recommendations, one of 
which was to OMB to enhance the coordination not between CIOs 
but between the other C-suite executives, so making sure that 
the C-suite plays nice together. I do think that is relevant 
here. The CIOs perhaps have the authority. Now getting the C-
suite all on the same page is the next challenge.
    Senator Hassan. I appreciate that very much because that 
has been my experience too. Even when the authorities may be in 
place, making sure that everybody is actually recognizing that 
they exist, and including your voices in the planning and 
budgeting process and prioritizing work in the agency is really 
important.
    I will also just note that if there are authorities that 
you realize you need and do not have, or ambiguity about your 
authority creates barriers, we need to know about that because 
that is obviously something we can work with you to address. 
But if you all do not speak up and let us know, we cannot help 
you with that.
    I want to thank all of you--Mr. Hysen, Mr. Oshinnaiye, and 
Mr. Armstrong--for your testimony today, and to the three of 
you for the important work that you do for the Department of 
Homeland Security. The first job of government is to keep 
people safe, and I am very grateful that you are working to do 
that, along with your colleagues each and every day. Thank you, 
Mr. Walsh, to you and your colleagues at the Government 
Accountability Office, for providing accountability and 
guidance to make DHS's work more successful.
    The hearing record will remain open for 15 days, until 5 
p.m. on June 15th, for submissions of statements and questions 
for the record, and this hearing is now adjourned.
    [Whereupon, at 11:26 a.m., the hearing was adjourned.]

                            A P P E N D I X

                              ----------                              

