[Senate Report 113-262]
[From the U.S. Government Publishing Office]


113th Congress                                                   Report
                                 SENATE
 2d Session                                                     113-262
_______________________________________________________________________

                                     

                                                       Calendar No. 577

         FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                               H.R. 1232

   TO AMEND TITLES 40, 41, AND 44, UNITED STATES CODE, TO ELIMINATE 
    DUPLICATION AND WASTE IN INFORMATION TECHNOLOGY ACQUISITION AND 
                               MANAGEMENT




               September 18, 2014.--Ordered to be printed
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                  THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan                 TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio
JON TESTER, Montana                  RAND PAUL, Kentucky
MARK BEGICH, Alaska                  MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin             KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota

                  Gabrielle A. Batkin, Staff Director
               John P. Kilvington, Deputy Staff Director
                    Mary Beth Schultz, Chief Counsel
                   Johathan M. Kraden, Senior Counsel
               Keith B. Ashdown, Minority Staff Director
         Christopher J. Barkley, Minority Deputy Staff Director
               Andrew C. Dockham, Minority Chief Counsel
            Kathern M. Edelman, Minority Senior Investigator
                     Laura W. Kilbride, Chief Clerk


                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for Legislation..............................1
III. Legislative History.............................................11
 IV. Section-by-Section Analysis of the Bill, as Reported............13
  V. Congressional Budget Office (CBO) Cost Estimate.................17
 VI. Evaluation of Regulatory Impact.................................20
VII. Changes in Existing Statute Made by the Bill, as Reported.......20


                                                       Calendar No. 577
113th Congress                                                   Report
                                 SENATE
 2d Session                                                     113-262

======================================================================



 
         FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT

                                _______
                                

               September 18, 2014.--Ordered to be printed

                                _______
                                

 Mr. Carper, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                        [To accompany H.R. 1232]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (H.R. 1232), to amend 
titles 40, 41, and 44, United States Code, to eliminate 
duplication and waste in information technology acquisition and 
management, having considered the same, reports favorably 
thereon with an amendment in the nature of a substitute and an 
amendment to the title, and recommends that the bill, as 
amended, do pass.

                         I. Purpose and Summary

    The Federal Information Technology Acquisition Reform Act 
(H.R. 1232) seeks to improve how the federal government 
acquires, implements, and manages its information technology 
(``IT'') investments. First, the bill would give agency Chief 
Information Officers more authority over the budget, 
governance, and personnel processes for agency IT investments. 
Second, the bill would make agency IT investments more 
transparent to the public and require agencies to review 
troubled investments. Third, to eliminate duplication and 
waste, the bill would require agencies to annually review all 
of their IT investments. Fourth, the bill builds on the 
Administration's efforts to consolidate and streamline data 
centers--the facilities in which federal agencies house 
computer systems and related components.

                II. Background and Need for Legislation

    Information technology has transformed how the private 
sector operates and has revolutionized the way in which 
businesses serve their customers. Likewise, IT has the 
potential to enable federal agencies to accomplish their 
missions more efficiently, effectively, and economically.
    Over the last twenty years, IT has become firmly interwoven 
into the mission of every federal agency, offering new ways of 
doing business and creating both opportunities and challenges 
for government agencies. Fully exploiting this potential, 
though, has presented longstanding challenges to federal 
agencies. Too many federal IT projects run over budget, fall 
behind schedule, or fail to deliver on their promises, 
hampering agency missions and wasting taxpayer dollars. Despite 
spending billions of dollars annually on IT,\1\ the federal 
government has had a decidedly mixed record in acquiring, 
developing, and managing federal IT investments.\2\
---------------------------------------------------------------------------
    \1\In Fiscal Year 2014, the Federal government will spend over $80 
billion in developing, modernizing and maintaining IT projects and 
systems. OMB, Analytical Perspectives, Budget of the U.S. Government, 
Fiscal Year 2014, at 349 (2013), available at http://
www.whitehouse.gov/sites/default/files/omb/budget/fy2014/assets/
spec.pdf.
    \2\See GAO-13-796T, Information Technology: OMB and Agencies Need 
to More Effectively Implement Major Initiatives to Save Billions of 
Dollars, Appendix 1, for an extensive list of IT projects that have 
failed and been cancelled as well as other IT projects that faced 
significant challenges.
---------------------------------------------------------------------------
    To improve the ability of federal agencies to manage IT 
investments, H.R. 1232 would strengthen and reinforce the 
authorities and responsibilities of agency Chief Information 
Officers (CIOs) to be key leaders for IT at their 
organizations.\3\ In addition to empowering agency CIOs, the 
bill focuses on four other areas which the Committee believes 
will help achieve better outcomes in IT investments across the 
federal government. Specifically, H.R. 1232 seeks to (1) 
improve the accuracy of investment performance information on 
the Office of Management and Budget's IT Dashboard, a 
publically accessible online tool that presents cost and 
schedule information along with an evaluation from agency CIOs 
on major IT investments, (2) require agencies to hold 
investment review sessions on at-risk investments, (3) continue 
the Administration's Federal Data Center Consolidation 
Initiative to consolidate and optimize data centers--the 
facilities in which federal agencies house computer systems and 
related components, and (4) use portfolio review processes to 
identify and eliminate duplicative IT investments in 
agencies.\4\
---------------------------------------------------------------------------
    \3\This report describes the Committee's substitute amendment to 
H.R. 1232. Although the underlying bill and the substitute amendment 
address many of the same problems, they take substantially different 
approaches. The House report (H.R. Rep. No. 113-359) on H.R. 1232 
explains the underlying bill's provisions, while this report confines 
itself to describing the substitute amendment considered and passed by 
the Committee.
    \4\These four areas are aligned with the General Accountability 
Office's top recommendations to this Committee on how to best improve 
outcomes in federal IT investments. See Management Matters: Creating a 
21st Century Government: Hearing before the Senate Homeland Security 
and Governmental Affairs Committee, 113th Congress (March 12, 2014) 
(Gene Dodaro, Comptroller General, response to questions for the 
record).
---------------------------------------------------------------------------

               THE ROLE OF THE CHIEF INFORMATION OFFICER

    Poor management of IT systems is a problem that has plagued 
the federal government for years. Nearly two decades ago, 
Senator William Cohen of Maine led a Governmental Affairs 
Committee subcommittee investigation into the federal 
government's ability to manage its IT investments.\5\ The 
resulting 1995 report, entitled ``Computer Chaos,'' could just 
as easily have been written today. In his report, Senator Cohen 
found many of the same problems that our agencies face today--
poor management of IT systems, wasted and duplicative 
investments, and billions of dollars spent on older, outdated, 
and expensive ``legacy'' systems.\6\
---------------------------------------------------------------------------
    \5\Prior to the creation of the Department of Homeland Security, 
this Committee was known simply as the Governmental Affairs Committee.
    \6\Computer Chaos: Billions Wasted Buying Federal Computer Systems. 
Investigative Report of Senator William S. Cohen, Ranking Minority 
Member, Subcommittee on Oversight of Government Management, Senate 
Governmental Affairs Committee (October 12, 1994). Available at https:/
/acc.dau.mil/adl/en-US/22163/file/2121/
Cohen%20Computer%20Chaos%201994.pdf.
---------------------------------------------------------------------------
    To address these problems, Congress passed the Clinger-
Cohen Act in 1996. That law, among other things, established 
the position of agency CIO to serve as a focal point for IT 
within an agency.\7\ The Clinger-Cohen Act set forth detailed 
requirements for IT capital planning, investment control, 
performance, and results-based management.\8\ Several years 
later, the E-Government Act of 2002 reiterated the CIO's 
responsibility for agency IT management and information 
security at their respective agencies.\9\
---------------------------------------------------------------------------
    \7\The Clinger-Cohen Act of 1996 was originally enacted as the 
Information Technology Management Reform Act of 1996 (Divisions D and E 
of P.L. 104-106). The law was renamed the Clinger-Cohen Act by Pub. L. 
104-208,110 Stat. 3009-393 (1996).
    \8\40 U.S.C. Sec. Sec. 11312 and 11313.
    \9\E-Gov Act of 2002, P.L. 107-347 (Dec. 17, 2002). Many of the 
Act's provisions were incorporated into Title 44, U.S. Code.
---------------------------------------------------------------------------
    Together, these statutes require CIOs to be key leaders in 
managing IT and other information functions at an agency. 
Specifically, they make the CIO responsible for:
      providing advice and other assistance to the head 
of an agency to ensure that IT is acquired and information 
resources are managed in accordance with the law and the 
priorities of the head of the agency;\10\
---------------------------------------------------------------------------
    \10\40 U.S.C. Sec. 11315(b)(1).
---------------------------------------------------------------------------
      developing, maintaining, and facilitating the 
implementation of a sound, secure, and integrated IT 
architecture;\11\
---------------------------------------------------------------------------
    \11\40 U.S.C. Sec. 11315(b)(2).
---------------------------------------------------------------------------
      promoting the effective and efficient design and 
operation of all major information resources management 
processes for an agency, including improvements to an agency's 
work processes;\12\
---------------------------------------------------------------------------
    \12\40 U.S.C. Sec. 11315(b)(3).
---------------------------------------------------------------------------
      ensuring that information resources,\13\ 
management operations, and decisions are integrated with an 
organization's planning, budget, financial management, human 
resources management, and program decisions;\14\
---------------------------------------------------------------------------
    \13\44 U.S.C. Sec. 3502(6) defines ``information resources'' as 
``information and related resources, such as personnel, equipment, 
funds, and information technology.''
    \14\44 U.S.C. Sec. 3506(b)(3)(A).
---------------------------------------------------------------------------
      monitoring the performance of IT programs and 
advising the agency head whether to continue, modify, or 
terminate such programs;\15\ and
---------------------------------------------------------------------------
    \15\40 U.S.C. Sec. 11315(c)(2).
---------------------------------------------------------------------------
      managing agency information security, including 
compliance with the Federal Information Security Management Act 
(``FISMA'').\16\
---------------------------------------------------------------------------
    \16\44 U.S.C. Sec. Sec. 3541, et seq.
---------------------------------------------------------------------------
    In creating the position of Chief Information Officer, 
Congress intended for an agency CIO to serve as a senior 
decision maker, providing leadership and direction for 
information resource development, procurement, and management. 
A primary goal of the Clinger-Cohen Act was to shift agencies' 
approach on IT investments away from one focused only on 
technical issues towards one that focused on truly managing IT 
investments, and the CIO of an agency was seen as a key figure 
in accomplishing that objective.\17\ The CIO was envisioned as 
the person responsible and accountable for an agency's IT 
investments, a key leader who would implement and enforce 
applicable government-wide and agency IT management policies.
---------------------------------------------------------------------------
    \17\Opening statement of Senator William Cohen, Subcommittee on 
Oversight of Government Management and the District of Columbia of the 
Committee on Governmental Affairs, S. 946, the Information Technology 
Management Reform Act of 1995 at 3 (July 25, 1996). See also Id. at 12, 
(Testimony of Gene Dodaro, Assistant Comptroller General, Accounting 
and Information Management Division, U.S. General Accounting Office).
---------------------------------------------------------------------------
    The Committee recognizes that there are many factors that 
must be in place for an agency to successfully acquire, 
implement, and manage its IT investments. In a May 2014 hearing 
focused on identifying the key factors that make for successful 
IT investments, the Committee heard testimony regarding the 
importance of senior executive support of the program, active 
end-user involvement in developing requirements and testing, 
having skilled program managers and teams, and having 
consistent and stable government and contractor staff.\18\ 
Likewise, witnesses discussed the importance of utilizing an 
``incremental'' approach to deliver on IT investments, where 
investments are divided into smaller pieces in order to reduce 
investment risk and deliver capabilities in shorter time 
frames. This approach differs from the more traditional ``big 
bang'' approach often used by agencies, which relies on 
delivering all of the capabilities of a large-scale IT system 
at one time, often resulting in failure.\19\ Ultimately, the 
successful acquisition and implementation of IT systems 
requires the involvement of a variety of stakeholders across 
many disciplines including acquisition, human capital, and 
financial management.
---------------------------------------------------------------------------
    \18\Senate Committee on Homeland Security and Governmental Affairs 
Hearing, Identifying Critical Factors for Success in Information 
Technology Acquisitions (May 8, 2014). See also GAO-12-7, Information 
Technology: Critical Factors Underlying Successful Major Acquisitions 
(October 2011); Key Success Factors for Major Programs that Leverage 
IT: 7-S for Success available at https://actiac.org/sites/default/
files/7-S_for_Success_0.pdf.
    \19\Id. See also GAO-14-361, Information Technology: Agencies Need 
to Establish and Implement Incremental Development Policies (May 2014).
---------------------------------------------------------------------------
    However, the CIO of an agency plays a very important role 
in providing technical expertise and objective, knowledge-based 
assessments on the wisdom of every key decision made over the 
lifespan of an IT investment. Thus, it is extremely important 
that a CIO, and the staff who reports to the CIO, be fully 
integrated into all the elements of the agency's process for 
developing and delivering IT investments as an independent 
stakeholder. It is not enough for a CIO and his or her team to 
``have a seat at the table''--they must also be an integral 
part of any decision processes at the agency. Unfortunately, 
despite statutory requirements and policy guidance from the 
Office of Management and Budget (``OMB''), many CIOs do not 
have the necessary authority and are frequently not recognized 
as the key leaders in managing IT at an agency. For example, in 
a 2011 survey of agency CIOs, the Government Accountability 
Office (``GAO'') found that many CIOs faced limitations in 
their ability to influence agency decisions on IT investments 
because a significant portion of an agency's IT funding is 
allocated and spent at the component, or bureau level, of an 
agency.\20\
---------------------------------------------------------------------------
    \20\See GAO-11-634 at 29-30, Federal Chief Information Officers: 
Opportunities Exist to Improve Role in Information Technology 
Management. See also GAO-04-823, Federal Chief Information Officers: 
Responsibilities, Reporting Relationships, Tenure, and Challenges (July 
2004).
---------------------------------------------------------------------------
    In recognition of the challenges that many agency CIOs 
face, in August 2011, OMB issued a memorandum designed to move 
the role of the CIO ``away from just policymaking and 
infrastructure maintenance, to encompass true portfolio 
management for all IT.''\21\ By updating its policies, OMB 
sought to hold agency CIOs ``accountable for lowering 
operational costs, terminating and turning around troubled 
projects, and delivering meaningful functionality at a faster 
rate while enhancing the security of information systems.''\22\
---------------------------------------------------------------------------
    \21\Memorandum from Jacob J. Lew, U.S. Office of Management and 
Budget, Chief Information Officer Authorities, at 1 (Aug. 8, 2011), 
available at http://www.whitehouse.gov/sites/default/files/omb/
memoranda/2011/m11-29.pdf.
    \22\Id.
---------------------------------------------------------------------------
    The memorandum laid out what OMB envisioned as the CIO's 
responsibilities in four primary areas:
      Governance--CIOs are to drive the IT investment 
review process by assuming ``responsibility over the entire IT 
portfolio for an Agency'' and by working to ``ensure IT 
portfolio analysis is an integral part of the yearly budget 
process of an agency.''\23\
---------------------------------------------------------------------------
    \23\Id.
---------------------------------------------------------------------------
      Commodity IT--CIOs are to ``focus on eliminating 
duplication and rationalize . . . IT investments.'' The 
services to be examined are: data centers, networks, desktop 
computers, mobile devices, e-mail, collaboration tools, web 
infrastructure, human resources systems, and finance systems. 
CIOs are also directed to ``pool their agency's purchasing 
power across the entire organization to drive down costs and 
improve service'' and are required to ``show a preference for 
using shared services . . . instead of standing up separate 
independent services.''\24\
---------------------------------------------------------------------------
    \24\Id. at 2.
---------------------------------------------------------------------------
      Program Management--CIOs are charged with 
``identifying, recruiting, and hiring top IT program management 
talent'' and are required to ``train and provide annual 
performance reviews'' for employees in charge of major programs 
as well as lower-level CIOs. CIOs will also be held accountable 
for the performance of IT program managers based on their 
governance process and the IT Dashboard, an online tool that 
presents the cost and schedule information of an agency's major 
IT investments, as well as an evaluation of that investment by 
an agency CIO.\25\
---------------------------------------------------------------------------
    \25\Id. at 2. The IT Dashboard is ``a website enabling federal 
agencies, industry, the general public, and other stakeholders to view 
details of federal information technology investments.'' See ``IT 
Dashboard FY2015 Edition,'' http://www.itdashboard.gov/.
---------------------------------------------------------------------------
      Information Security--CIOs, or designated agency 
officials who report to the CIO, are required ``to implement an 
agency-wide information security program and to provide 
information security for both the information collected and 
maintained by the agency, or on behalf of the agency, and for 
the information systems that support the operations, assets, 
and mission of the agency.''\26\
---------------------------------------------------------------------------
    \26\Id. at 2.
---------------------------------------------------------------------------
    Building off existing statutory requirements and OMB 
policy, the Committee substitute to H.R. 1232 seeks to further 
empower the agency CIO by ensuring that the CIO has a 
significant role in the annual and multi-year planning, 
programming, budgeting, and execution processes as well as the 
management, governance, and oversight processes related to IT. 
The bill directs the Director of OMB to require in its annual 
IT capital planning guidance that the CIO of the agency: (1) 
approve the agency's information technology budget request; (2) 
certify that IT investments are implementing incremental 
development as defined by OMB; and (3) work with the Chief 
Human Capital Officer to review all IT positions requested in 
the budget to ensure the needs of the agency are being met.
    The Committee substitute to H.R. 1232 would also require 
approval by the CIO of contracts for IT or IT services, the 
reprogramming of funds for IT programs, and the hiring of key 
agency IT personnel. Ultimately, the bill would do more than 
just create a seat at the ``CEO-level'' table for the Chief 
Information Officer--it would also make the CIO a key part of 
the agency's decision-making processes, a position with both 
the authority to help make decisions and the responsibility to 
ensure that programs are well managed and produce good 
outcomes.

 INFORMATION TECHNOLOGY DASHBOARD AND TECHSTAT ACCOUNTABILITY SESSIONS

    In June 2009, the Obama Administration and OMB launched an 
Information Technology Dashboard (``IT Dashboard'' or 
``Dashboard'') to quickly and easily illustrate IT investments 
that were on-track, having trouble, or calling out for 
cancellation. The IT Dashboard is a publically accessible 
online tool that presents cost and schedule information, as 
well as an evaluation from agency CIOs on the performance of 
major IT investments.
    Less than a year after the IT Dashboard debuted, the 
Administration started holding TechStat Accountability Sessions 
(``TechStats'') in January 2010. A TechStat is a ``face-to-
face, evidence-based review of an IT investment'' with OMB and 
agency leadership.\27\ TechStat sessions seek to focus 
management attention on troubled IT investments and help 
terminate or turnaround IT investments that are failing or not 
producing results. When used in concert, the IT Dashboard and 
TechStat sessions have helped agencies, OMB, and Congress 
identify at-risk IT projects and implement corrective 
measures.\28\
---------------------------------------------------------------------------
    \27\See https://cio.gov/what-is-techstat/.
    \28\By March 2011, OMB estimated that use of the IT Dashboard and 
corresponding TechStat sessions had led to over $3 billion in cost 
reductions. See http://www.whitehouse.gov/blog/2011/03/31/open-
sourcing-it-dashboard-techstat-process.
---------------------------------------------------------------------------
    While the IT Dashboard and TechStat sessions have been 
widely recognized as valuable oversight tools, concerns remain 
with the accuracy and usefulness of some of the information on 
the IT Dashboard and a decrease in the number of TechStat 
sessions led by OMB.
    The GAO has issued a series of reports highlighting 
deficiencies with the accuracy and reliability of the cost and 
schedule data reported on the Dashboard.\29\ While the accuracy 
of the Dashboard ratings appears to have improved over time, 
GAO has raised concerns about how some agencies have removed 
investments from the Dashboard by reclassifying their 
investments.\30\ For example, the Department of Energy 
reclassified supercomputer investments as facilities, rather 
than as IT, and removed them from public reporting on the 
Dashboard.\31\ Furthermore, the public version of the Dashboard 
is frequently not updated because OMB chooses not to update the 
Dashboard while the President's budget request is being 
created. For example, in a December 2013 review of the IT 
Dashboard, GAO noted that the Department of Justice downgraded 
an investment in July 2012, but the information on the 
Dashboard was not updated to reflect this downgrade until April 
2013.\32\
---------------------------------------------------------------------------
    \29\See IT Dashboard: Agencies are Managing Investment Risk, but 
Related Ratings Need to Be More Accurate and Available, GAO-14-64 (Dec. 
12, 2013); Information Technology Dashboard: Opportunities Exist to 
Improve Transparency and Oversight of Investment Risk at Select 
Agencies, GAO-13-98 (Oct. 16, 2012); IT Dashboard: Accuracy Has 
Improved, and Additional Efforts Are Under Way to Better Inform 
Decision Making, GAO-12-210 (Nov. 7, 2011); Information Technology: OMB 
Has Made Improvements to Its Dashboard, but Further Work Is Needed by 
Agencies and OMB to Ensure Data Accuracy, GAO-11-262 (Mar. 15, 2011); 
and Information Technology: OMB's Dashboard Has Increased Transparency 
and Oversight, but Improvements Needed, GAO-10-701 (July 16, 2010).
    \30\IT Dashboard: Agencies are Managing Investment Risk, but 
Related Ratings Need to Be More Accurate and Available, GAO-14-64 (Dec. 
12, 2013).
    \31\Id. at 18.
    \32\See IT Dashboard: Agencies are Managing Investment Risk, but 
Related Ratings Need to Be More Accurate and Available, GAO-14-64 at 22 
(Dec. 12, 2013).
---------------------------------------------------------------------------
    In 2013, GAO also reviewed agency implementation of 
TechStat sessions and reported that although OMB and selected 
agencies had held multiple TechStats, additional oversight was 
needed to ensure that these sessions were having the 
appropriate impact on underperforming projects.\33\ 
Additionally, GAO found that the number of TechStats held was 
relatively small compared to the current number of at-risk IT 
investments. Specifically, as of May 2013, of the 162 at-risk 
IT investments, only 30 (18.5 percent) had undergone an OMB-led 
TechStat. Further, of the 69 at-risk investments at four 
selected agencies as of May 2013, only 23 (33.3 percent) had 
undergone an OMB or agency TechStat.\34\
---------------------------------------------------------------------------
    \33\GAO, Information Technology: Additional Executive Review 
Sessions Needed to Address Troubled Projects, GAO-13-524 (Washington, 
D.C.: June 13, 2013).
    \34\GAO-13-524 at 27. The selected agencies were the Departments of 
Agriculture, Commerce, Homeland Security, and Health and Human 
Services.
---------------------------------------------------------------------------
    Despite the above-mentioned problems, the IT Dashboard and 
TechStat sessions have proven to be very valuable tools that 
have increased the transparency and performance of major 
federal IT investments. Building off the promise of these 
initiatives, the Committee substitute to H.R. 1232 requires a 
government-wide IT Dashboard and improves upon the quality of 
the data displayed on the Dashboard by requiring the agency CIO 
to certify on a quarterly basis that the cost, schedule, and 
performance information is accurate. In addition, the 
substitute improves upon the accuracy of the CIO's evaluation 
by requiring that an IT investment's overall risk rating align 
more closely to the cost and schedule risks identified for the 
investment, and by requiring that IT investments that do not 
employ an incremental approach be automatically rated at a 
medium-risk level to ensure they receive adequate management 
attention. The substitute also requires that agencies use the 
Dashboard as a foundation for a TechStat-like process to help 
agencies and OMB manage the riskiest IT projects. If an 
investment continues to be rated as high-risk for more than a 
year following completion of the required review, the Director 
of OMB is required to deny requests for future development 
funding until the agency CIO can certify that risks have been 
sufficiently addressed. Collectively, the requirements in the 
Committee substitute to H.R. 1232 will allow Congress, OMB, and 
the general public to use the Dashboard to hold agencies 
accountable for results and performance.

                            PORTFOLIO REVIEW

    In addition to the challenges that agencies face in 
acquiring and developing specific IT investments, the stove-
piped nature of many Federal agencies has led to a 
proliferation of duplicative IT investments. Many agencies 
manage their IT systems in a decentralized manner with 
authorities and responsibilities spread throughout the 
agency.\35\ As a result, departments are unable to take an 
enterprise-wide view of their IT investments which frequently 
results in duplication, waste, and poor outcomes. Too often, 
agencies, or components of agencies, seek to develop new 
solutions first, before assessing existing options, or 
identifying ways to achieve shared agency-wide IT solutions. 
For example, in 2012, OMB reviewed over 7,000 Federal agency IT 
investments that had been reported to OMB and found many 
potential redundancies and billions of dollars in potential 
savings that could be achieved through either consolidation or 
a shared approach to IT service delivery.\36\
---------------------------------------------------------------------------
    \35\See GAO-11-634 at 29-30.
    \36\See Federal Information Technology Shared Services Strategy at 
4, May 2, 2012.
---------------------------------------------------------------------------
    To address this problem, in March 2012, the Administration 
implemented the PortfolioStat process, which requires agency 
Chief Operating Officers (or their designees), on an annual 
basis, to lead an agency-wide review of the IT systems 
operating within an organization.\37\ Through the PortfolioStat 
process, an agency must take a holistic view of its IT 
investments to identify potential duplication within the 
agency, investments that do not appear to be well-aligned with 
agency missions, and other key considerations regarding an 
agency's IT portfolio. In comparison to the TechStat reviews 
discussed above (which examine IT performance at the specific 
project or investment-level), PortfolioStat examines an 
agency's IT portfolio as a whole to help identify and eliminate 
areas of duplication and waste.
---------------------------------------------------------------------------
    \37\See M-12-10, Implementing PortfolioStat, Office of Management 
and Budget, (March 30, 2012).
---------------------------------------------------------------------------
    In June 2013, the Committee held a hearing on IT management 
issues focused in large part on the Administration's 
PortfolioStat process. In the first round of PortfolioStat 
reviews, agencies identified more than $2.5 billion in spending 
reductions that could be achieved from FY 2013 through FY 
2015.\38\ However, in November 2013 GAO reported that OMB's 
PortfolioStat initiative has the potential to save between $5.8 
and $7.9 billion by fiscal year 2015.\39\ GAO also found that 
many agencies were not fully implementing the requirements of 
the initiative. For example, only one agency fully addressed 
the key requirements of OMB's initiative, and twelve agencies 
were not able to ensure that their commodity IT baseline was 
complete.\40\
---------------------------------------------------------------------------
    \38\See statement of Steven VanRoekel, Senate Committee on Homeland 
Security and Governmental Affairs Hearing, Reducing Duplication and 
Improving Outcomes in Federal Information Technology (June 11, 2013).
    \39\GAO, Information Technology: Additional OMB and Agency Actions 
are Needed to Achieve Portfolio Savings, GAO-14-65 (Washington, D.C.: 
Nov. 6, 2013). GAO found that the potential savings from the first 
round of agency PortfolioStats are likely understated because several 
large agencies, including the Departments of Defense and Justice were 
not included in the estimates.
    \40\Id. at 15.
---------------------------------------------------------------------------
    The PortfolioStat process is a promising initiative that 
can both save money and improve the management of IT systems 
throughout the federal government. Accordingly, the Committee 
substitute to H.R. 1232 requires the Director of OMB and agency 
CIOs to annually review the IT investments of an agency to 
identify, among other things, ways to increase the efficiency 
and effectiveness of an agency's IT investments, opportunities 
to increase the use of shared services, potential duplication, 
waste and cost-savings, and a multi-year strategy to reduce 
duplication within an agency's IT portfolio. The Committee 
expects that agencies will review the entire portfolio of an 
agency's IT investments, including hardware, software, and IT 
services. The Director of OMB would also be required to develop 
metrics and performance indicators for agencies to use in their 
annual portfolio review.

                       DATA CENTER CONSOLIDATION

    A data center is a room or building that houses computer 
systems and associated components that are used for the 
storage, management, and dissemination of data and 
information.\41\ Over the years, the federal government's 
demand for IT has led to a dramatic rise in the number of 
federal data centers and an increase in operation costs. The 
number of data centers operated by the federal government has 
grown from several hundred in the 1990s to more than six 
thousand as of July 2013.\42\
---------------------------------------------------------------------------
    \41\OMB's definition of a ``data center'' has evolved over the 
years. It most recently has settled on defining ``data center'' as ``a 
closet, room, floor or building for the storage, management, and 
dissemination of data and information.'' OMB's guidance further 
explains that ``such a repository houses computer systems and 
associated components, such as database, application, and storage 
systems and data stores. A data center generally includes redundant or 
backup power supplies, redundant data communications connections, 
environmental controls (air conditioning, fire suppression, etc.) and 
special security devices housed in leased (including by cloud 
providers), owned, collocated, or stand-alone facilities. This 
definition excludes facilities exclusively devoted to communications 
and network equipment (e.g., telephone exchanges and telecommunications 
rooms).'' Office of Management and Budget Memorandum for Chief 
Information Officers, Implementation Guidance for the Federal Data 
Center Consolidation Initiative (March 19, 2012).
    \42\In July 2013, the Government Accountability Office reported 
that the number of agency-reported federal data centers stood at 6,836. 
Government Accountability Office, Information Technology: OMB and 
Agencies Need to More Effectively Implement Major Initiatives to Save 
Billions of Dollars, GAO-13-796T (July 2013). That is more than triple 
the number reported in 2010, when OMB first started counting, an 
increase resulting not so much from an actual growth in data centers, 
as from agencies' growing familiarity with OMB's requirements and OMB's 
expansion of the definition of ``data center.''
---------------------------------------------------------------------------
    Operating these data centers imposes significant costs on 
the federal government. The government has to purchase 
hardware, software, and the facilities in which to place them, 
and it has to pay people to run the machines in the centers. 
Moreover, the Environmental Protection Agency reported that in 
2006 (the most recent year for which the information is 
available), federal servers and data centers accounted for 
approximately six billion kilowatts of electricity use, for a 
total annual electricity cost of about $450 million.\43\ These 
data centers typically run 24 hours a day, seven days a week, 
and require significant electricity to power the ``always-on'' 
equipment. In addition, data centers produce significant heat, 
requiring a substantial expenditure for energy to cool 
them.\44\ Furthermore, GAO has cited ``the growth in the number 
of federal data centers, many offering similar services and 
resources'' as a source of overlap and duplication (and 
therefore unnecessary expenditures) in the federal 
government.\45\
---------------------------------------------------------------------------
    \43\U.S. Environmental Protection Agency, ENERGY STAR Program, 
Report to Congress on Server and Data Center Energy Efficiency at 25 
(pursuant to Public Law 109-431) (August 2, 2007).
    \44\See Time Magazine, The Surprisingly Large Energy Footprint of 
the Digital Economy, 
April 14, 2013 at http://science.time.com/2013/08/14/power-drain-the-
digital-cloud-is-using-more-
energy-than-you-think/.
    \45\Government Accountability Office, Opportunities to Reduce 
Potential Duplication in Government Programs, Save Tax Dollars, and 
Enhance Revenue, 26-29, GAO-11-318SP (March 2011).
---------------------------------------------------------------------------
    In 2010, OMB, through the Federal CIO, launched the Federal 
Data Center Consolidation Initiative (``Consolidation 
Initiative'' or ``Initiative'') to consolidate redundant 
federal data centers and achieve cost-savings. The goals of the 
initiative were to: promote the use of green IT by reducing the 
overall energy and real estate footprint of government data 
centers; reduce the cost of data center hardware, software, and 
operations; increase the overall IT security posture of the 
government; and shift IT investments to more efficient 
computing platforms and technologies.\46\
---------------------------------------------------------------------------
    \46\Office of Management and Budget Memorandum for Chief 
Information Officers, Federal Data Center Consolidation Initiative 
(February 26, 2010).
---------------------------------------------------------------------------
    Under the Consolidation Initiative, OMB required the 24 
departments and agencies on the CIO Council\47\ to submit an 
inventory of each agency's data centers and a plan for 
consolidating them. Agencies were then required to annually 
update their asset inventory and report on the progress made 
toward implementing the agency consolidation plan. OMB set a 
target goal of closing 40 percent of the federal data centers 
agencies had identified, and it estimated saving between $3 and 
$5 billion--both by the end of 2015.\48\
---------------------------------------------------------------------------
    \47\The 24 agencies on the CIO Council are: Department of 
Agriculture; Department of Commerce; Department of Defense; Department 
of Education; Department of Energy; Department of Health and Human 
Services; Department of Homeland Security; Department of Housing and 
Urban Development; Department of the Interior; Department of Justice; 
Department of Labor; Department of State; Department of Transportation; 
Department of the Treasury; Department of Veterans Affairs; 
Environmental Protection Agency; General Services Administration; 
National Aeronautics and Space Administration; National Science 
Foundation; Nuclear Regulatory Commission; Office of Personnel 
Management; Small Business Administration; Social Security 
Administration; and United States Agency for International Development.
    \48\See Fiscal Year 2012 Budget of the U.S. Government, page 29 
(http://www.whitehouse.gov/sites/default/files/omb/budget/fy2012/
assets/budget.pdf) and Fiscal Year 2013 Budget of the U.S. Government, 
page 43 (http://www.whitehouse.gov/sites/default/files/omb/budget/
fy2013/assets/budget.pdf).
---------------------------------------------------------------------------
    At the request of this Committee, GAO conducted several 
reviews of the progress that OMB and agencies have made under 
the Initiative.\49\ GAO's ongoing work on the Consolidation 
Initiative has confirmed two things. First, data center 
consolidation is an economical way to achieve more efficient IT 
operations, as well as cost-savings or cost avoidance.\50\ 
Second, significant work must still be done before agencies 
realize the full benefits of consolidation.
---------------------------------------------------------------------------
    \49\See Government Accountability Office, Data Center 
Consolidation: Agencies Need to Complete Inventories and Plans to 
Achieve Expected Savings, 8-19, GAO-11-565 (July 2011); Government 
Accountability Office, Data Center Consolidation: Agencies Making 
Progress on Efforts, but Inventories and Plans Need to be Completed, 
12, GAO-12-742 (July 2012); and Government Accountability Office, Data 
Center Consolidation: Strengthened Oversight Needed to Achieve Cost 
Savings Goal 14, GAO-13-378 (April 2013).
    \50\See Government Accountability Office, Opportunities to Reduce 
Potential Duplication in Government Programs, Save Tax Dollars, and 
Enhance Revenue, 26-29, GAO-11-318SP (March 2011).
---------------------------------------------------------------------------
    For example, in July 2011, GAO assessed the completeness of 
each agency's first submission of data center consolidation 
documents and found that, at that time, only one agency out of 
24 had submitted a complete data center asset inventory and no 
agency had submitted a complete consolidation plan.\51\ A year 
later, in July 2012, GAO reported on agencies' second 
submission of data center consolidation documents. These 
submissions demonstrated that the Consolidation Initiative 
could potentially save the government billions of dollars.\52\ 
However, GAO's review also found that there were still large 
gaps in agency inventories and plans.\53\
---------------------------------------------------------------------------
    \51\Government Accountability Office, Data Center Consolidation: 
Agencies Need to Complete Inventories and Plans to Achieve Expected 
Savings, 8-19, GAO-11-565 (July 2011).
    \52\Government Accountability Office, Data Center Consolidation: 
Agencies Making Progress on Efforts, but Inventories and Plans Need to 
be Completed, 12, GAO-12-742 (July 2012). GAO found that nineteen 
agencies reported anticipating a combined total of more than $2.4 
billion in cost-savings and more than $820 million in cost avoidances 
between 2011 and 2015. GAO noted that actual savings could reach even 
higher, because fourteen of the agencies provided incomplete 
projections, one agency does not expect to accrue net savings until 
2017, and three agencies did not provide any estimated cost-savings at 
all.
    \53\Id.
---------------------------------------------------------------------------
    GAO's next report on the Consolidation Initiative, issued 
in April 2013, once again evaluated agency progress in 
consolidating data centers. GAO expressed frustration over the 
failure to track cost-savings associated with the Consolidation 
Initiative, stating, ``the lack of initiative-wide cost-savings 
data makes it unclear whether agencies will be able to achieve 
OMB's projected savings of $3 billion by the end of 2015.''\54\ 
GAO also found that OMB had not measured agencies' progress 
toward OMB's cost-savings goal of $3 billion, because OMB had 
not determined a consistent and repeatable method for tracking 
cost-savings. GAO further stated that until OMB begins tracking 
and reporting on performance measures such as cost-savings, OMB 
would be limited in its ability to oversee agencies' progress 
towards key initiative goals.\55\
---------------------------------------------------------------------------
    \54\Government Accountability Office, Data Center Consolidation: 
Strengthened Oversight Needed to Achieve Cost Savings Goal 14, GAO-13-
378 (April 2013).
    \55\ Id. at 10.
---------------------------------------------------------------------------
    The Committee substitute to H.R. 1232 builds on the 
Administration's efforts to consolidate and streamline data 
centers. The bill does so by requiring agencies, among other 
things, to devise and implement plans to inventory and 
consolidate existing data centers and to report to OMB on the 
extent to which they are implementing those plans. To assist 
agency consolidation efforts, the Committee substitute to H.R. 
1232 requires OMB to implement government-wide data center 
consolidation and optimization metrics. These metrics include 
cost-savings metrics that ensure accurate calculation of cost-
savings and cost avoidances, as well as server efficiency (i.e. 
server utilization) metrics.
    Finally, the Committee substitute to H.R. 1232 requires OMB 
to develop a cost-savings goal for the FDCCI and regularly 
report to Congress on cost-savings realized, and the 
completeness of each agency's data center inventories and 
consolidation strategies. It also directs the GAO to review and 
verify agencies' data center consolidation efforts.

                        III. Legislative History

    H.R. 1232 was introduced on March 18, 2013, by 
Representatives Darrell Issa and Gerald Connolly. On February 
25, 2014, the bill was agreed to in the House by voice vote on 
a motion to suspend the rules and pass the bill. The bill was 
received in the Senate on February 26, 2014 and referred to the 
Homeland Security and Governmental Affairs Committee.
    The Committee considered the bill at a business meeting on 
June 25, 2014. Senator Carper offered two amendments to the 
bill. The first was a substitute amendment that Senator Carper 
and Senator Coburn offered that would strengthen the 
authorities of agency CIOs, improve upon the public 
transparency and review processes required of agency IT 
investments, require agencies to conduct annual reviews of the 
IT investments of the entire agency, and build on the 
Administration's efforts to consolidate and streamline data 
centers. The second amendment was a technical amendment to the 
title of the bill.
    The Committee adopted both amendments, and ordered the 
underlying bill reported favorably, all by voice vote (with 
Senator Levin asking to be recorded as ``present'' for the 
voice vote on the underlying bill). Members present for the 
vote on the amendments and on the bill were Senators Carper, 
Levin, McCaskill, Tester, Heitkamp, Coburn, McCain, Johnson, 
and Portman.
    The Carper-Coburn substitute is based on the Committee's 
extensive work on the subject. The Committee and its 
subcommittees have held six hearings over the last three years 
on IT management and related issues:
           On April 12, 2011, the Subcommittee on 
        Federal Financial Management, Government Information, 
        Federal Services, and International Security held a 
        hearing entitled ``Examining the President's Plan for 
        Eliminating Wasteful Spending in Information 
        Technology.'' The hearing explored efforts by the Obama 
        administration to rein in the federal government's IT 
        budget and the President's 25-point plan to reform 
        federal IT management.
           On May 25, 2011, the full Committee held a 
        hearing entitled ``How to Save Taxpayer Dollars: Case 
        Studies of Duplication in the Federal Government.'' One 
        of the case studies examined at the hearing was the 
        Consolidation Initiative's effort to reduce unnecessary 
        federal data centers.
           On May 24, 2012, the Subcommittee on Federal 
        Financial Management, Government Information, Federal 
        Services, and International Security held a hearing 
        entitled ``Innovating with Less: Examining Efforts to 
        Reform Information Technology Spending.'' The hearing 
        examined the Obama administration's progress in 
        implementing its plan to transform the management of 
        federal IT systems.
           On June 11, 2013, the full Committee held a 
        hearing entitled ``Reducing Duplication and Improving 
        Outcomes in Federal Information Technology.'' During 
        the hearing, several critical IT areas were identified 
        as offering potential opportunities to reduce 
        duplication and the cost of government operations, 
        including reducing the number of underutilized federal 
        data centers.
           On May 8, 2014, the full Committee held a 
        hearing entitled ``Identifying Critical Factors for 
        Success in Information Technology Acquisitions.'' The 
        hearing examined the critical factors that lead to the 
        successful acquisition of information technology 
        investments, what challenges organizations (both 
        government and industry) face in implementing IT 
        systems, and ongoing efforts to consolidate data 
        centers, empower agency CIOs, and strengthen management 
        of IT projects.
           On June 10, 2014, the Subcommittee on the 
        Efficiency and Effectiveness of Federal Programs and 
        the Federal Workforce, held a hearing entitled ``A More 
        Efficient and Effective Government: Examining Federal 
        IT Initiatives and the IT Workforce.'' The hearing 
        examined the state of major federal IT projects, as 
        well as the process through which they are solicited 
        and coordinated government-wide.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    Section 1 gives the bill the short title of the Federal 
Information Technology Acquisition Reform Act.

Sec. 2. Table of contents

    Section 2 provides a table of contents for the bill.

TITLE I--Management of Information Technology within Federal Government


Sec. 101. CIO authority enhancements

    Section 101(a) adds a new section 11319 to chapter 113 of 
title 40, United States Code, entitled ``Resources, planning 
and portfolio management.''
    New section 11319(a) defines the following terms:
           ``Covered agency'' means each agency listed 
        in sections 901(B)(1) and 901(b)(2) of title 31, which 
        includes the following agencies: The Department of 
        Agriculture, the Department of Commerce, the Department 
        of Defense, the Department of Education, the Department 
        of Energy, the Department of Health and Human Services, 
        the Department of Homeland Security, the Department of 
        Housing and Urban Development, the Department of the 
        Interior, the Department of Justice, the Department of 
        Labor, the Department of State, the Department of 
        Transportation, the Department of the Treasury, the 
        Department of Veterans Affairs, the Environmental 
        Protection Agency, the National Aeronautics and Space 
        Administration, The Agency for International 
        Development, the General Services Administration, the 
        National Science Foundation, the Nuclear Regulatory 
        Commission, the Office of Personnel Management, the 
        Small Business Administration, the Social Security 
        Administration; and
           The bill delegates to OMB the responsibility 
        to provide a precise definition of the term 
        ``Information Technology'' through OMB's capital 
        planning guidance. The current definition of 
        ``Information Technology'' in OMB's Fiscal Year 2015 
        guidance is ``any equipment or interconnected system or 
        subsystem of equipment that is used in the automatic 
        acquisition, storage, manipulation, management, 
        movement, control, display, switching, interchange, 
        transmission, or reception of data or information by an 
        executive agency. IT is related to the terms capital 
        asset, IT investment, program, project, sub-project, 
        service, and system.''\56\
---------------------------------------------------------------------------
    \56\http://www.whitehouse.gov/sites/default/files/omb/assets/
egov_docs/fy2015_e53_and_ 300_guidance_final_july2013.pdf.
---------------------------------------------------------------------------
    New section 11319(b) gives new authorities for CIOs. New 
subsection (b)(1)(A) first requires the head of each covered 
agency and each military department to ensure that the CIO of 
the agency has a significant role in the annual and multi-year 
planning, programming, budgeting, and execution processes, as 
well as the management, governance, and oversight processes 
related to information technology (IT).
    Next, new subsection (b)(1)(B) requires the OMB Director to 
require in OMB's annual IT capital planning guidance that the 
CIO of the agency (1) approve the agency's information 
technology budget request; (2) certify that IT investments are 
implementing incremental development as defined by OMB; and (3) 
work with the Chief Human Capital Officer to review all IT 
positions requested in the budget to ensure the needs of the 
agency are being met.
    Finally, new subsection (b)(1)(C) requires the CIO of 
covered agencies and the military departments to review and 
approve IT contracts or other agreements for information 
technology or information technology services. An agency CIO 
would also review and approve any request to reprogram funds 
for IT programs, prior to such funds being reprogrammed. The 
agency may utilize existing governance processes to obtain 
approval provided that the CIO of the agency is a full 
participant in those governance processes. This subsection also 
allows the CIO to delegate the approval of a contract or 
agreement to an individual who reports directly to the Chief 
Information Officer for contracts or agreements for non-major 
IT investments, as that term is defined by OMB. However, the 
CIO may not delegate the approval for major IT investments.
    New subsection (b)(2) provides that the agency CIO shall 
approve the appointment of any other employee with the title of 
Chief Information Officer at the agency, or who functions in 
the capacity of Chief Information Offer, for any component 
organization within the agency.

Sec. 102. Enhanced transparency and improved risk management in 
        information technology investments

    Section 102(a) amends 40 U.S.C. Sec. 11302(c) to codify 
OMB's IT Dashboard program, requiring OMB to make publicly 
available the cost, schedule, and performance data for each 
major IT investment at an agency. This section also sets forth 
a review process that must take place for major IT investments 
that receive a high or moderately high risk for four 
consecutive quarters.
    Section 102(a) first adds two definitions: (1) ``Covered 
agency'' once again means each agency listed in sections 
901(B)(1) and 901(b)(2) of title 31 and (2) ``Major information 
technology investment'' means an agency IT investment that is 
designated by the executive agency as ``major'' in accordance 
with capital planning guidance issued by OMB.
    Section 102(a) then creates a new subsection 40 U.S.C. 
Sec. 11302(c)(3)(A), which requires the Director of OMB to make 
publicly available the cost, schedule, and performance data for 
each major IT investment for both new acquisitions and for 
operations and maintenance of existing IT. This information is 
required to be continuously available to the public, but the 
Director of OMB may waive or limit the information that is made 
publicly available if the Director determines that such a 
waiver or limitation is in the national security interests of 
the United States.
    New subsection 11302(c)(3)(B) further requires the agency 
CIO to certify each quarter that the information is current, 
accurate, and reflects the risks associated with each 
investment and also to identify significant data quality 
issues. The OMB Director must publicly identify executive 
agencies with an incomplete certification.
    Under new subsection 11302(c)(3)(C) the agency CIO is 
required to categorize each investment according to its risk 
level. The CIO cannot categorize the level of risk as not lower 
than medium risk for any investment that is not using 
incremental development. Incremental, or modular, development 
involves ``dividing investments into smaller parts in order to 
reduce investment risk, deliver capabilities more rapidly, and 
permit easier adoption of newer and emerging 
technologies.''\57\
---------------------------------------------------------------------------
    \57\See Office of Management and Budget, Contracting Guidance to 
Support Modular Development (June 14, 2012), available at http://
www.whitehouse.gov/sites/default/files/omb/procurement/guidance/
modular-approaches-for-information-technology.pdf.
---------------------------------------------------------------------------
    New subsection 11302(c)(4) then sets forth a review process 
that applies to major IT investments that receive a high or 
moderately high risk rating for four consecutive quarters. 
First, the Administrator of the Office of E-Government and 
Information Technology at OMB (``E-Gov Administrator''), in 
conjunction with the CIO of the agency and the program manager 
of the investment, must review the investment to identify: (1) 
the root causes of the high level of risk of the investment; 
(2) the extent to which these causes can be addressed; and (3) 
the probability of future success. The E-Gov Administrator then 
sends the results of the review to the Senate Committee on 
Homeland Security and Governmental Affairs, the House Committee 
on Oversight and Government Reform, the Senate and House 
Appropriations Committees, and to any other Congressional 
committee upon request. If within one year of the date of 
completion of the above-mentioned review, the investment is 
still evaluated as high risk, the OMB Director shall deny any 
request for all future development, modernization, and 
enhancement funding until such time as the agency CIO certifies 
that the root causes have been addressed and there exists 
sufficient capability to deliver on the investment within the 
planned cost and schedule.
    Finally, new subsection 11302(c)(5) requires that the 
Director of OMB send a report to Congress, analyzing the trends 
of ``covered agencies'' reflected in the performance risk 
information required in paragraph (3).

Sec. 103. Governmentwide software purchasing program

    Section 103(a) requires the Administrator of the General 
Services Administration (``GSA''), in collaboration with the 
Secretary of Defense, to identify and develop a strategic 
sourcing initiative to enhance Governmentwide acquisition, 
shared use, and dissemination of software.
    Section 103(b) requires the GSA Administrator, in 
developing the initiative under subsection (a), to allow for 
the purchase of a license agreement that is available for use 
by all executive agencies as one user to the maximum extent 
practicable and as appropriate.

   TITLE II--Portfolio Review and Federal Data Center Consolidation 
                               Initiative


Sec. 201. Portfolio review

    Section 201(a) adds a new subsection 11319(c) to chapter 
113 of title 40, United States Code, that requires the Director 
of OMB and agency CIOs to annually review each agency's IT 
investments.
    New subsection 11319(c)(1) requires OMB to first set forth 
the process by which agencies should identify, among other 
things, ways to increase the efficiency and effectiveness of an 
agency's IT investments, opportunities to increase the use of 
shared services, potential duplication, waste and cost-savings, 
and a multi-year strategy to reduce duplication within an 
agency's IT portfolio.
    New subsection 11319(c)(2) requires the Director of OMB to 
develop metrics and performance indicators that agencies shall 
use in their annual portfolio review.
    New subsection 11319(c)(3) requires the CIO of a covered 
agency to work with the agency's Chief Operating Officer and 
the E-Gov Administrator to conduct an annual review of the IT 
portfolio of the agency.
    New subsection 11319(c)(4) requires the E-Gov Administrator 
to submit quarterly reports on the cost-savings and reductions 
in duplicative IT investments that were identified through the 
portfolio review process.

Sec. 202. Federal Data Center consolidation initiative

            Subsection 202(a): Definitions
    The section defines the terms: ``Administrator,'' ``Covered 
Agency,'' ``FDCCI,'' and ``Government-Wide Data Center 
Consolidation and Optimization Metrics.''
            Subsection 202(b): Federal Data Center consolidation 
                    inventories and strategies
    Subsection 202(b)(1) establishes annual data center 
consolidation reporting requirements for 24 key agencies. Each 
year, agencies are required to submit to OMB a data center 
inventory and a multi-year strategy to consolidate and optimize 
their data centers. The strategy shall include performance 
metrics, a consolidation timeline, and cost-saving estimates. 
Each agency is then required to implement the consolidation 
strategies submitted to OMB and provide quarterly updates to 
OMB on the implementation process.
    Subsection 202(b)(1) also makes clear that OMB may allow 
agencies to submit information through existing reporting 
structures and that each agency CIO must annually state that 
their agency has complied with the requirements of this Act. 
Finally, this subsection contains a Rule of Construction to 
make it clear that nothing in this Act limits the reporting of 
information by agencies to OMB or Congress.
    Subsection 202(b)(2) lays out the responsibilities of the 
E-Gov Administrator under this Section. These responsibilities 
include: establishing deadlines for annual reporting by 
agencies and requirements that agencies must meet to be 
considered in compliance with the Act, ensuring that agency 
progress is made available to the public, reviewing the 
inventories and strategies submitted pursuant to this Act, 
monitoring the implementation of agency strategies, updating 
the cost-savings realized through data center consolidation, 
and creating government-wide data center consolidation and 
optimization metrics.
    Subsection 202(b)(3) requires the E-Gov Administrator to 
develop a cost-savings goal for data center consolidation, with 
a year-by-year break-down of anticipated savings. This 
subsection requires OMB to submit regular updates to Congress 
on cost-savings realized, and the completeness or 
incompleteness of each agency's data center inventories and 
consolidation strategies.
    Subsection 202(b)(4) requires GAO to review the quality and 
completeness of each agency's asset inventory and consolidation 
strategy.
            Subsection 202(c): Ensuring cybersecurity standards for 
                    data center consolidation and cloud computing
    This subsection establishes that data center consolidation 
must be done in accordance with federal guidelines on cloud 
computing security, including guidance published by the 
National Institute of Standards and Technology and the Federal 
Risk and Authorization Management Program, a government-wide 
program that aims to provide a standardized approach to 
security assessments and authorizations for cloud computing 
products and services.
            Subsection 202(d): Waiver of disclosure requirements
    This subsection provides the Director of National 
Intelligence (``DNI'') the ability to waive the requirements of 
the Act if the DNI determines that such disclosure is in the 
interest of national security. Within 30 days after making such 
a determination, the DNI would need to file a statement 
describing the waiver and the reasons for the waiver to the 
Senate Homeland Security and Governmental Affairs Committee, 
the House Committee on Oversight and Government Reform, and the 
Senate and House Intelligence Committees.
            Subsection 202(e): Sunset
    This subsection repeals the Federal Data Center 
Consolidation Initiative on October 1, 2018.

           V. Congressional Budget Office (CBO) Cost Estimate

                                                     July 25, 2014.
Hon. Tom Carper,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 1232, the Federal 
Information Technology Acquisition Reform Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                              Douglas W. Elmendorf.
    Enclosure.

H.R. 1232--Federal Information Technology Acquisition Reform Act

    Summary: H.R. 1232 would amend the laws governing the 
procurement and management of information technology (IT) 
systems throughout the federal government. Specifically, the 
legislation would expand the existing Federal Data Center 
Consolidation Initiative to require agencies to inventory their 
data centers (facilities used to house computer systems and 
associated components) and to submit plans for optimizing their 
use. In addition, the bill would increase the authority of 
federal Chief Information Officers (CIOs), and require reports 
and analysis by government agencies concerning their IT 
investments.
    CBO estimates that implementing H.R. 1232 would cost $30 
million over the 2015-2019 period, assuming appropriation of 
the necessary amounts. Although improving the procurement and 
management of IT systems, including optimizing the use of 
federal data centers, ultimately could reduce spending, CBO 
does not expect that there would be any significant savings 
from implementing this legislation for the next few years.
    Enacting the bill could affect direct spending by agencies 
not funded through annual appropriations; therefore, pay-as-
you-go procedures apply. CBO estimates, however, that any net 
change in spending by those agencies would not be significant. 
Enacting the bill would not affect revenues.
    H.R. 1232 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act (UMRA) 
and would impose no costs on state, local, or tribal 
governments.
    Estimated cost to the Federal Government: The estimated 
budgetary impact of H.R. 1232 is shown in the following table. 
The costs of this legislation fall within all budget functions 
that include funding to purchase information technology.

----------------------------------------------------------------------------------------------------------------
                                                                 By fiscal year, in millions of dollars--
                                                         -------------------------------------------------------
                                                            2015     2016     2017     2018     2019   2015-2019
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION

Estimated Authorization Level...........................        2        7        7        7        7        30
Estimated Outlays.......................................        2        7        7        7        7        30
----------------------------------------------------------------------------------------------------------------

    Basis of estimate: For this estimate, CBO assumes that H.R. 
1232 will be enacted in late 2014 and that the necessary 
amounts for implementing the bill will be appropriated for each 
year.

Administration of Information Management and Procurement

    The federal government spends about $80 billion annually on 
IT investments. Many provisions of H.R. 1232 would codify and 
expand upon the government's current practices concerning IT 
management and procurement. Office of Management and Budget 
(OMB) memoranda, Presidential directives, Administration 
initiatives, and other plans have directed federal agencies to 
improve the oversight of underperforming IT systems, more 
effectively manage IT costs, address duplicative investments 
through the IT Dashboard (a system with detailed information on 
major IT investments by the federal government), hold TechStat 
reviews (meetings to terminate or turnaround poorly performing 
federal IT investments), and implement plans to consolidate 
federal data centers.
    H.R. 1232 would require 24 major agencies to submit 
comprehensive inventories of their IT facilities to OMB as well 
as plans for phasing out some data centers and optimizing 
performance at the remaining facilities. Under the bill, 
agencies also would be required to submit estimates of cost 
savings from consolidating those facilities. The Government 
Accountability Office (GAO) would be required to annually 
review and verify agency efforts in this area and report to the 
Congress on its findings. In addition, the legislation would 
expand the role and responsibilities of agency CIOs and expand 
the analysis needed to justify and report on government-wide IT 
procurements.
    Based on information from selected agencies, OMB, and GAO 
studies and reports on similar efforts to improve the cost 
effectiveness of IT spending, CBO expects that the 
administrative workload of most agencies would increase under 
H.R. 1232, mostly to prepare additional reports and to conduct 
more thorough reviews of IT spending. CBO estimates that 
implementing H.R. 1232 would cost $7 million a year, assuming 
appropriation of the necessary amounts.

Savings

    The President's Budget for Fiscal Year 2015 reported that 
agencies have saved about $1.6 billion through IT reform 
initiatives in recent years. Some of those savings come from 
the current Federal Data Center Consolidation Initiative to 
close up to 40 percent of the 1,200 consolidated data centers 
by the end of 2015 and from using tools like PortfolioStat 
reviews to reduce inefficiency, duplication, and unnecessary 
spending. Because most of the requirements of H.R. 1232 would 
make incremental changes to the current policies and practices, 
CBO expects that any additional savings from implementing this 
bill over the next five years would be small.
    Previous CBO estimates: On December 6, 2013, CBO 
transmitted a cost estimate for S. 1611, the Federal Data 
Center Consolidation Act of 2013, as ordered reported by the 
Senate Committee on Homeland Security and Governmental Affairs 
on November 6, 2013. On November 12, 2013, CBO transmitted a 
cost estimate for H.R. 1232, as ordered reported by the House 
Committee on Oversight and Government Reform on March 20, 2013. 
Both S. 1611 and the Senate version of H.R. 1232 contain 
identical provisions on data center consolidation. Although the 
House and Senate versions of H.R. 1232 both address the 
management and procurement of federal IT systems, CBO estimates 
that the House bill would have a greater cost because it has a 
larger scope.
    Pay-As-You-Go considerations: The Statutory Pay-As-You-Go 
Act establishes budget-reporting and enforcement procedures for 
legislation affecting direct spending or revenues. Enacting the 
bill could affect direct spending by agencies not funded 
through annual appropriations; therefore, pay-as-you-go 
procedures apply. CBO estimates, however, that any net increase 
in spending by those agencies would not be significant. 
Enacting the bill would not affect revenues.
    Intergovernmental and private-sector impact: H.R. 1232 
contains no intergovernmental or private-sector mandates as 
defined in UMRA and would impose no costs on state, local, or 
tribal governments.
    Estimate prepared by: Federal costs: Matthew Pickford; 
Impact on state, local, and tribal governments: Michael Hirsch 
and Leo Lex; Impact on the private sector: Tristan Hanon.
    Estimate approved by: Theresa Gullo, Deputy Assistant 
Director for Budget Analysis.

                  VI. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill. The Committee 
agrees with the Congressional Budget Office that the bill 
contains no intergovernmental or private-sector mandates as 
defined in the Unfunded Mandates Reform Act and would impose no 
costs on state, local, or tribal governments, or private 
entities.

     VII. Changes in Existing Statute Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, the following changes in existing 
law made by the bill, as reported, are shown as follows: 
(existing law proposed to be omitted is enclosed in black 
brackets, new matter is printed in italic, existing law in 
which no change is proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *



TITLE 40--PUBLIC BUILDINGS, PROPERTY, AND WORKS

           *       *       *       *       *       *       *



 CHAPTER 113--RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

Sec.
11301. Responsibility of Director.
     * * * * * * *
11319. Resources, planning, and portfolio management.
     * * * * * * *

Sec. 11302. Capital planning and investment control

    (a) * * *
    (b) * * *
    (c) Use of Budget Process.--
          (1) Definitions.--In this subsection--
                  (A) the term ``covered agency'' means an 
                agency listed in section 901(b)(1) or 901(b)(2) 
                of title 31; and
                  (B) the term ``major information technology 
                investment'' means an investment within a 
                covered agency information technology 
                investment portfolio that is designated by the 
                covered agency as major, in accordance with 
                capital planning guidance issued by the 
                Director.
          ([1]2) Analyzing, tracking, and evaluating capital 
        investments. As part of the budget process, the 
        Director shall develop a process for analyzing, 
        tracking, and evaluating the risks, including 
        information security risks, and results of all major 
        capital investments made by an executive agency for 
        information systems. The process shall cover the life 
        of each system and shall include explicit criteria for 
        analyzing the projected and actual costs, benefits, and 
        risks, including information security risks, associated 
        with the investments.
          (3) Public availability.--
                  (A) In general.--The Director shall make 
                available to the public the cost, schedule, and 
                performance data for each major information 
                technology investment, without regard to 
                whether the investments are for new information 
                technology acquisitions or for operations and 
                maintenance of existing information technology.
                  (B) Quarterly review and certification.--
                          (i) In general.--For each major 
                        information technology investment 
                        listed under subparagraph (A), the 
                        Chief Information Officer of the 
                        covered agency and the program manager 
                        of the investment within the covered 
                        agency shall, at least once every 
                        quarter--
                                  (I) certify that the 
                                information is current, 
                                accurate, and reflects the 
                                risks associated with each 
                                listed investment; and
                                  (II) identify significant 
                                data quality issues that affect 
                                the quality of data made 
                                available under subparagraph 
                                (A).
                          (ii) Incomplete certifications.--The 
                        Director shall publicly identify 
                        covered agencies with an incomplete 
                        certification under clause (i)(I).
                  (C) Investment evaluation by agency CIO.--For 
                each major information technology investment 
                listed under subparagraph (A), the Chief 
                Information Officer of the covered agency 
                shall--
                          (i) categorize the investment 
                        according to level of risk;
                          (ii) categorize the level of risk of 
                        the investment at a risk rating that is 
                        not lower than the higher of the cost 
                        rating and schedule risk rating of the 
                        investment, as determined in accordance 
                        with guidance issued by the Director; 
                        and
                          (iii) categorize the level of risk as 
                        not lower than medium risk for any 
                        investment determined by the Chief 
                        Information Officer and program manager 
                        to not employ incremental development, 
                        as determined in accordance with 
                        capital planning guidance issued by the 
                        Director.
                  (D) Continuous availability.--The information 
                required under subparagraph (A), in its most 
                updated form, shall be publicly available at 
                all times.
                  (E) Waiver or limitation authority.--The 
                applicability of subparagraph (A) may be waived 
                or the extent of the information may be limited 
                by the Director, if the Director determines 
                that such a waiver or limitation is in the 
                national security interests of the United 
                States.
          (4) Risk management.--For each major information 
        technology investment listed under paragraph (3)(A) 
        that receives a high risk rating, as described in 
        paragraph (3)(C), for 4 consecutive quarters--
                  (A) the Administrator of the Office of 
                Electronic Government, in conjunction with the 
                Chief Information Officer of the covered agency 
                and the program manager of the investment 
                within the covered agency, shall conduct a 
                review of the investment that shall identify--
                          (i) the root causes of the high level 
                        of risk of the investment;
                          (ii) the extent to which these causes 
                        can be addressed; and
                          (iii) the probability of future 
                        success;
                  (B) the Administrator of the Office of 
                Electronic Government shall communicate the 
                results of the review under subparagraph (A) 
                to--
                          (i) the Committee on Homeland 
                        Security and Governmental Affairs and 
                        the Committee on Appropriations of the 
                        Senate;
                          (ii) the Committee on Oversight and 
                        Government Reform and the Committee on 
                        Appropriations of the House of 
                        Representatives; and
                          (iii) upon a request by any committee 
                        of Congress, to that committee; and
                  (C) if, on the date that is 1 year after the 
                date of completion of the review required under 
                subparagraph (A), the investment is rated as 
                high risk under paragraph (3)(C), the Director 
                shall deny any request for additional 
                development, modernization, or enhancement 
                funding for the investment until the date on 
                which the Chief Information Officer of the 
                covered agency certifies that--
                          (i) the root causes of the high level 
                        of risk of the investment have been 
                        addressed; and
                          (ii) there is sufficient capability 
                        to deliver the remaining planned 
                        increments within the planned cost and 
                        schedule.''.
    ([2]5) Report to congress.--At the same time that the 
President submits the budget for a fiscal year to Congress 
under section 1105(a) of title 31, the Director shall submit to 
Congress a report on the net program performance benefits 
achieved as a result of major capital investments made by 
executive agencies for information systems and how the benefits 
relate to the accomplishment of the goals of the executive 
agencies. The report shall include an analysis of covered 
agency trends reflected in the performance risk information 
required in paragraph (3).

           *       *       *       *       *       *       *


Sec. 11319. Resources, planning, and portfolio management

    (a) Definitions.--In this section--
          (1) the term ``covered agency'' means each agency 
        listed in section 901(b)(1) or 901(b)(2) of title 31; 
        and
          (2) the term ``information technology'' has the 
        meaning given that term under capital planning guidance 
        issued by the Office of Management and Budget.
    (b) Additional Authorities for CIOs.--
          (1) Planning, programming, budgeting, and execution 
        authorities for cios.--
                  (A) In general.--The head of each covered 
                agency and each agency listed in section 102 of 
                title 5 shall ensure that the Chief Information 
                Officer of the agency has a significant role 
                in--
                          (i) the decision processes for all 
                        annual and multi-year planning, 
                        programming, budgeting, and execution 
                        decisions, related reporting 
                        requirements, and reports related to 
                        information technology; and
                          (ii) the management, governance, and 
                        oversight processes related to 
                        information technology.
                  (B) Budget formulation.--
                          (i) In general.--The Director of the 
                        Office of Management and Budget shall 
                        require in the annual information 
                        technology capital planning guidance of 
                        the Office of Management and Budget 
                        that the Chief Information Officer of 
                        each covered agency--
                                  (I) approve the information 
                                technology budget request of 
                                the covered agency;
                                  (II) as part of an approval 
                                under subclause (I), certify 
                                that information technology 
                                investments are adequately 
                                implementing incremental 
                                development, as defined in 
                                capital planning guidance 
                                issued by the Office of 
                                Management and Budget; and
                                  (III) acting in conjunction 
                                with the Chief Human Capital 
                                Officer of the covered agency, 
                                review all positions with 
                                information technology 
                                responsibilities requested in 
                                the budget request of the 
                                covered agency to ensure the 
                                positions meet the ongoing 
                                requirements of the covered 
                                agency.
                  (C) Review.--
                          (i) In general.--A covered agency and 
                        an agency listed in section 102 of 
                        title 5--
                                  (I) may not enter into a 
                                contract or other agreement for 
                                information technology or 
                                information technology 
                                services, unless the contract 
                                or other agreement has been 
                                reviewed and approved by the 
                                Chief Information Officer of 
                                the agency;
                                  (II) may not request the 
                                reprogramming of any funds made 
                                available for information 
                                technology programs, unless the 
                                request has been reviewed and 
                                approved by the Chief 
                                Information Officer of the 
                                agency; and
                                  (III) may use the governance 
                                processes of the agency to 
                                approve such a contract or 
                                other agreement if the Chief 
                                Information Officer of the 
                                agency is included as a full 
                                participant in the governance 
                                processes.
                          (ii) Delegation.--
                                  (I) In general.--Except as 
                                provided in subclause (II), the 
                                duties of a Chief Information 
                                Officer under clause (i) are 
                                not delegable.
                                  (II) Non-major information 
                                technology investments.--For a 
                                contract or agreement for a 
                                non-major information 
                                technology investment, as 
                                defined in the annual 
                                information technology capital 
                                planning guidance of the Office 
                                of Management and Budget, the 
                                Chief Information Officer of a 
                                covered agency or an agency 
                                listed in section 102 of title 
                                5 may delegate the approval of 
                                the contract or agreement under 
                                clause (i) to an individual who 
                                reports directly to the Chief 
                                Information Officer.
          (2) Personnel-related authority.--Notwithstanding any 
        other provision of law, for each covered agency, the 
        Chief Information Officer of the covered agency shall 
        approve the appointment of any other employee with the 
        title of Chief Information Officer, or who functions in 
        the capacity of a Chief Information Officer, for any 
        component organization within the covered agency.
    (c) Information Technology Portfolio, Program, and Resource 
Reviews.--
          (1) Process.--The Director of the Office of 
        Management and Budget shall implement a process to 
        assist covered agencies in reviewing their portfolio of 
        information technology investments to identify or 
        develop--
                  (A) ways to increase the efficiency and 
                effectiveness of the information technology 
                investments of the covered agency;
                  (B) opportunities to consolidate the 
                acquisition and management of information 
                technology services, and increase the use of 
                shared-service delivery models;
                  (C) potential duplication and waste, 
                including unnecessary or duplicative software 
                licenses;
                  (D) potential cost-savings, including cost-
                savings and cost avoidance opportunities 
                related to software licenses of the covered 
                agency;
                  (E) plans for actions to optimize the 
                information technology portfolio, programs, and 
                resources of the covered agency;
                  (F) ways to better align the information 
                technology portfolio, programs, and financial 
                resources of the covered agency to the multi-
                year funding profiles and strategic plans, when 
                such plans are required by Congress;
                  (G) a multi-year strategy to identify and 
                reduce duplication and waste within the 
                information technology portfolio of the covered 
                agency, including component-level investments, 
                and projected cost-savings and avoidances 
                resulting therefrom; and
                  (H) any other goals that the Director may 
                establish.
          (2) Metrics and performance indicators.--The Director 
        of the Office of Management and Budget shall develop 
        standardized cost-savings and cost avoidance metrics 
        and performance indicators, which shall be used by 
        agencies for the purposes of paragraph (1).
          (3) Annual review.--In accordance with the process 
        implemented under paragraph (1), the Chief Information 
        Officer of each covered agency, in conjunction with the 
        Chief Operating Officer or Deputy Secretary (or 
        equivalent) of the covered agency and Administrator of 
        the Office of Electronic Government, shall conduct an 
        annual review of the information technology portfolio 
        of the covered agency.
          (4) Quarterly reports.--
                  (A) In general.--The Administrator of the 
                Office of Electronic Government shall submit a 
                quarterly report on the cost-savings and 
                reductions in duplicative information 
                technology investments identified through the 
                review required by paragraph (3) to--
                          (i) the Committee on Homeland 
                        Security and Governmental Affairs and 
                        the Committee on Appropriations of the 
                        Senate;
                          (ii) the Committee on Oversight and 
                        Government Reform and the Committee on 
                        Appropriations of the House of 
                        Representatives; and
                          (iii) upon a request by any committee 
                        of Congress, to that committee.
                  (B) Inclusion in other reports.--The reports 
                required under subparagraph (A) may be included 
                as part of another report submitted to the 
                committees of Congress described in clauses 
                (i), (ii), and (iii) of subparagraph (A).

                                  
