[House Report 115-344]
[From the U.S. Government Publishing Office]





115th Congress    }                                 {        Report
                        HOUSE OF REPRESENTATIVES
 1st Session      }                                 {         115-344
======================================================================



 
                     FITARA ENHANCEMENT ACT OF 2017

                                _______
                                

October 10, 2017.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

   Mr. Gowdy, from the Committee on Oversight and Government Reform, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3243]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Oversight and Government Reform, to whom 
was referred the bill (H.R. 3243) to amend title 40, United 
States Code, to eliminate the sunset of certain provisions 
relating to information technology, to amend the National 
Defense Authorization Act for Fiscal Year 2015 to extend the 
sunset relating to the Federal Data Center Consolidation 
Initiative, and for other purposes, having considered the same, 
report favorably thereon without amendment and recommend that 
the bill do pass.

                                CONTENTS

                                                                   Page
Committee Statement and Views....................................     2
Section-by-Section...............................................     5
Explanation of Amendments........................................     5
Committee Consideration..........................................     6
Roll Call Votes..................................................     6
Application of Law to the Legislative Branch.....................     6
Statement of Oversight Findings and Recommendations of the 
  Committee......................................................     6
Statement of General Performance Goals and Objectives............     6
Duplication of Federal Programs..................................     6
Disclosure of Directed Rule Makings..............................     6
Federal Advisory Committee Act...................................     6
Unfunded Mandates Statement......................................     7
Earmark Identification...........................................     7
Committee Estimate...............................................     7
Budget Authority and Congressional Budget Office Cost Estimate...     7
Changes in Existing Law Made by the Bill, as Reported............     8

                     Committee Statement and Views


                          PURPOSE AND SUMMARY

    H.R. 3243, the FITARA Enhancement Act of 2017, reauthorizes 
several provisions in the Federal Information Technology 
Acquisition Reform Act (FITARA).\1\ These provisions relate to 
requirements aimed at increasing transparency and improving 
risk management of major federal information technology (IT) 
investments and establishing agency reviews of IT portfolios to 
reduce duplication and realize savings. This bill also extends 
requirements related to goals and deadlines for the agency data 
center consolidation initiative from 2018 to 2020.
---------------------------------------------------------------------------
    \1\National Defense Authorization Act for Fiscal Year 2015, Pub. L. 
No. 113-291, Title VIII, Subtitle D, 128 Stat. 3292, 3438-3450 (2014).
---------------------------------------------------------------------------

                  BACKGROUND AND NEED FOR LEGISLATION

    In fiscal year 2017, the Federal Government will spend more 
than $89 billion on IT.\2\ Over 75 percent of this spending is 
on operating and maintaining legacy IT systems.\3\ Legacy IT is 
often inefficient, costly to maintain, and can have greater 
security vulnerabilities. The taxpayer's return on IT 
investments is often at risk with an acquisition system plagued 
with delays and rising costs. Generally, the IT acquisition 
system does not reward innovation and excellence. Large 
government IT investments can take years while the private 
sector rewards speed and innovation. Given this state of 
affairs, Congress recognized the need for reform to address IT 
management and acquisition challenges.
---------------------------------------------------------------------------
    \2\U.S. Budget Fiscal Year 2017, Analytical Perspectives: 
Information Technology 287 (Feb. 2016).
    \3\Gov't Accountability Office, GAO-16-468, Federal Agencies Need 
to Address Aging Legacy Systems (2016).
---------------------------------------------------------------------------
    In December 2014, Congress passed the Federal Information 
Technology Acquisition Reform Act (FITARA) to address some of 
these challenges.\4\ FITARA represented the first serious IT 
acquisition and management reform effort since the Clinger-
Cohen Act of 1996.\5\
---------------------------------------------------------------------------
    \4\National Defense Authorization Act Fiscal Year 2015, Pub. L. No. 
113-291, Title VIII, Subtitle D (Dec. 19, 2014).
    \5\40 U.S.C. Sec. 11101 et seq.
---------------------------------------------------------------------------
    In February 2015, the Government Accountability Office 
(GAO) added ``Improving the Management of IT Acquisitions and 
Operations'' to its annual High Risk List for the first time, 
confirming the need for the reforms codified in FITARA. As of 
January 2015, only 23 percent of the 737 recommendations were 
fully implemented.\6\ GAO designates areas as ``high risk due 
to their greater vulnerabilities to fraud, waste, abuse, and 
mismanagement or the need for transformation to address 
economy, efficiency, or effectiveness challenges.''\7\
---------------------------------------------------------------------------
    \6\Gov't Accountability Office, GAO-15-290, 2015 High Risk Report 
39 (2015).
    \7\Id. at i.
---------------------------------------------------------------------------
    FITARA provides a vital tool for Congress to conduct 
oversight of federal IT management and acquisition. Key FITARA 
provisions include clarifications related to Chief Information 
Officer (CIO) authority, requirements for agency CIOs and the 
Office of Management and Budget (OMB) related to the management 
and acquisition of IT, and directives to the GAO for further 
oversight.
    First, FITARA enhances existing CIO authorities by ensuring 
the CIO has a significant role in the budgeting, execution, 
management, and governance processes related to IT management 
and acquisition.\8\ Second, FITARA establishes key requirements 
to enhance transparency and improve risk management for federal 
IT investments. FITARA does this by requiring OMB to publish on 
the IT Dashboard a list by agency of major IT investments with 
data on cost, schedule, and performance, and requiring agency 
CIOs to certify the accuracy of this data.\9\ This provision 
expires on December 19, 2019. Third, FITARA requires OMB and 
agency CIOs to review annually agency IT investments and 
evaluate their entire IT Portfolio.\10\ Specifically, CIOs must 
identify: (1) ways to increase efficiencies and effectiveness 
of IT investments; (2) potential duplication and waste; and (3) 
cost savings. This provision expires on December 19, 2019. 
Fourth, FITARA requires agencies to develop implementation 
plans to inventory and consolidate data centers and to report 
to OMB on their performance under these plans.\11\ OMB is also 
required to develop metrics, including cost savings, for 
government-wide data center consolidation and optimization 
plans. Further, GAO must review and verify agencies' data 
center consolidation efforts. This provision expires on October 
1, 2018.
---------------------------------------------------------------------------
    \8\Pub. L. No. 113-291, Sec. 831.
    \9\Id. at Sec. 832; see https://www.itdashboard.gov.
    \10\Pub. L. No. 113-291, Sec. 833.
    \11\Id. at Sec. 834.
---------------------------------------------------------------------------
    These provisions were established with sunset dates to 
evaluate the effectiveness of the requirements. These 
provisions have proven valuable in the Committee's IT oversight 
activities and improving federal IT management and operations, 
and therefore should be permanently authorized. The Committee 
has furthered the goals of FITARA with vigorous oversight, 
including the development of a FITARA Scorecard to evaluate 
agencies' FITARA implementation activities and holding several 
FITARA-related hearings since the law was passed in 2014.
    The Committee, with technical assistance from GAO, 
developed the Scorecard to assess implementation of four key 
FITARA provisions.\12\ The Scorecard relies on agency self-
reported data and GAO verification of such data. The Scorecard 
assesses the following areas: (1) CIO authority enhancements; 
(2) enhanced transparency and improved risk management; (3) IT 
Portfolio review; and (4) federal data center consolidation 
initiative. For Scorecard area one (CIO authority 
enhancements), the Scorecard assesses agencies' use of 
incremental development, which is a preferred approach to IT 
development, and requires agency CIO certification of its use. 
For area two (enhanced transparency and improved risk 
management), the Scorecard rewards agencies that are reporting 
more risk on major IT investments because GAO found agencies 
were typically under-reporting risk; thereby putting the 
success of these IT investments at risk. For area three (IT 
Portfolio review), the Scorecard calculates a grade by dividing 
agency's reported savings through the IT Portfolio review 
process by the agency's total IT budget for the most recent 
three fiscal years and assigns a grade relative to other 
agencies' performance in this area. For area four (data center 
consolidation), the Scorecard grades generally are based on the 
percentage of planned savings realized through data center 
consolidation.
---------------------------------------------------------------------------
    \12\The Federal Information Technology Acquisition Reform Act 
(FITARA) Scorecard 4.0: Hearing Before the Information Technology and 
Government Operations Subcommittees of H. Comm. on Oversight & Gov't 
Reform, 115th Cong. (June 13, 2017), available at https://
oversight.house.gov/hearing/federal-information-technology-acquisition-
reform-act-fitara-scorecard-4-0/.
---------------------------------------------------------------------------
    H.R. 3243 permanently authorizes areas two (enhanced 
transparency and improved risk management) and three (IT 
Portfolio review) of FITARA and extends the sunset for area 
four (data center consolidation). This will ensure the 
continuation of FITARA requirements that inform the Congress's 
oversight of federal IT acquisition.
    The Committee highlighted the results of the Scorecard and 
the priority the Committee places on FITARA implementation with 
hearings. Overall, the Committee has held five FITARA-related 
hearings of the Subcommittees on Information Technology and 
Government Operations:
           June 10, 2015, hearing titled, The Federal 
        Information Technology Acquisition Reform Act's Role in 
        Reducing IT Acquisition Risk;\13\
---------------------------------------------------------------------------
    \13\The Federal Information Technology Acquisition Reform Act's 
Role in Reducing IT Acquisition Risk: Hearing Before the Subcomms. on 
Information Technology and Government Operations of the H. Comm. on 
Oversight & Gov't Reform, 114th Cong., Serial NO. 114-43 (June 10, 
2015).
---------------------------------------------------------------------------
           November 4, 2015, hearing titled, The 
        Federal Information Technology Acquisition Reform Act's 
        (FITARA) Role in Reducing IT Acquisition Risk, Part II: 
        Measuring Agencies' FITARA Implementation (first FITARA 
        Scorecard released);\14\
---------------------------------------------------------------------------
    \14\The Federal Information Technology [Acquisition] Reform Act's 
(FITARA) Role in Reducing IT Acquisition Risk, Part II: Measuring 
Agencies' FITARA Implementation: Hearing Before the Subcomms. on 
Information Technology and Government Operations of the H. Comm. on 
Oversight & Gov't Reform, 114th Cong., Serial NO. 114-89 (Nov. 4, 
2015).
---------------------------------------------------------------------------
           May 18, 2016, hearing titled, The Federal 
        Information Technology Acquisition Reform Act Scorecard 
        2.0;\15\
---------------------------------------------------------------------------
    \15\The Federal Information Technology [Acquisition] Reform Act 
Scorecard 2.0: Hearing Before the Subcomms. on Information Technology 
and Government Operations of the H. Comm. on Oversight & Gov't Reform, 
114th Cong., Serial NO. 114-159 (May 18, 2016).
---------------------------------------------------------------------------
           December 6, 2016, hearing titled, The 
        Federal Information Technology Acquisition Reform Act 
        (FITARA) Scorecard 3.0: Measuring Agencies 
        Implementation;\16\ and
---------------------------------------------------------------------------
    \16\The Federal Information Technology [Acquisition] Reform Act 
(FITARA) Scorecard 3.0: Measuring Agencies Implementation: Hearing 
Before the Subcomms. on Information Technology and Government 
Operations of the H. Comm. on Oversight & Gov't Reform, 114th Cong., 
Serial NO. 114-171 (Dec. 6, 2016).
---------------------------------------------------------------------------
           June 13, 2017, hearing titled, The Federal 
        Information Technology Acquisition Reform Act (FITARA) 
        Scorecard 4.0.\17\
---------------------------------------------------------------------------
    \17\The Federal Information Technology Acquisition Reform Act 
(FITARA) Scorecard 4.0: Hearing Before the Subcomms. on Information 
Technology and Government Operations of the H. Comm. on Oversight & 
Gov't Reform, 115th Cong., Serial NO. 115-27 (June 13, 2017).
---------------------------------------------------------------------------
    In light of the improvements agencies made and the 
effectiveness of the FITARA Scorecard, the Committee recognized 
the need to eliminate the sunsets and extend the original 
expiration date for several key FITARA provisions. 
Consequently, H.R. 3243 will: (1) extend the requirements for 
agencies to publicly report schedule and cost information and 
assess the risks of major IT investments; (2) extend the 
requirement for each agency to regularly assess its IT 
portfolio, looking for opportunities to reduce duplication and 
find savings; and (3) continue to hold agencies accountable for 
consolidating and optimizing their data centers by extending 
these requirements through 2020.
    In the June 13, 2017, hearing, GAO, which has been 
instrumental in assisting the Committee with overseeing FITARA 
implementation, expressed support for extending these 
provisions.\18\ GAO has also reported that agencies have made 
progress in addressing GAO recommendations to address the high-
risk status of the management of IT acquisition and operations. 
In a March 28, 2017, hearing, GAO acknowledged that as of 
December 2016, OMB and agencies fully implemented approximately 
46 percent of about 800 related recommendations made by GAO 
(compared to 23 percent in 2015).\19\ In sum, the tools 
provided in FITARA and the Committee's vigorous oversight of 
FITARA implementation by Federal agencies have resulted in 
demonstrable improvements and focused the attention of agencies 
on this high-risk area. H.R. 3243 will facilitate the 
Committee's work in this area by eliminating the sunset 
provisions and extending a deadline for key FITARA provisions.
---------------------------------------------------------------------------
    \18\The Federal Information Technology Acquisition Reform Act 
(FITARA) Scorecard 4.0 Hearing Before Information Technology and Gov't 
Operations Subcommittees of the H. Comm. on Oversight & Gov't Reform, 
115th Cong. (June 13, 2017) (Testimony of David A. Powner, Director of 
Information Technology Mgmt Issues, Gov't Accountability Office).
    \19\Gov't Accountability Office, GAO-17-494T, Implementation of IT 
Reform Law and Related Initiatives Can Help Improve Acquisitions 
(2017).
---------------------------------------------------------------------------

                          LEGISLATIVE HISTORY

    On July 14, 2017, Representative Gerald Connolly (D-VA) 
introduced H.R. 3243, the FITARA Enhancement Act of 2017, with 
Representatives Darrell Issa (R-CA), Mark Meadows (R-NC), and 
Robin Kelly (D-IL). H.R. 3243 was referred to the Committee on 
Oversight and Government Reform. The Committee considered H.R. 
3243 at a business meeting on July 19, 2017, and ordered the 
bill reported favorably by voice vote.

                           Section-by-Section


Section 1. Short title

    The short title is the ``FITARA Enhancement Act of 2017''.

Section 2. Elimination of sunset relating to transparency and risk 
        management of major information technology investments

    Section 2 strikes a sunset related to section 11302(c) of 
title 40, United States Code.

Section 3. Elimination of sunset relating to information technology 
        portfolio, program, and resource reviews

    Section 3 strikes a sunset related to section 11319 of 
title 40, United States Code, and makes a technical amendment.

Section 4. Extension of sunset relating to Federal data center 
        consolidation initiative

    Section 4 extends a sunset related to section 834 of FITARA 
from 2018 until 2020.

                       Explanation of Amendments

    There were no amendments to H.R. 3243 offered or agreed to 
during Committee consideration of the bill.

                        Committee Consideration

    On July 19, 2017, the Committee met in open session and, 
with a quorum being present, ordered the bill favorably 
reported by voice vote.

                            Roll Call Votes

    There were no roll call votes during consideration of H.R. 
3243.

              Application of Law to the Legislative Branch

    Section 102(b)(3) of Public Law 104-1 requires a 
description of the application of this bill to the legislative 
branch where the bill relates to the terms and conditions of 
employment or access to public services and accommodations. 
This bill reauthorizes several provisions of the Federal 
Information Technology Acquisition Reform Act (Pub. L. No. 113-
291, Title VIII, Subtitle D, 128 Stat. 3292, 3438-3450). As 
such, this bill does not relate to employment or access to 
public services and accommodations.

  Statement of Oversight Findings and Recommendations of the Committee

    In compliance with clause 3(c)(1) of rule XIII and clause 
(2)(b)(1) of rule X of the Rules of the House of 
Representatives, the Committee's oversight findings and 
recommendations are reflected in the descriptive portions of 
this report.

         Statement of General Performance Goals and Objectives

    In accordance with clause 3(c)(4) of rule XIII of the Rules 
of the House of Representatives, the Committee's performance 
goal or objective of this bill is to eliminate the sunset of 
certain provisions relating to information technology and to 
extend the sunset relating to the Federal Data Center 
Consolidation Initiative.

                    Duplication of Federal Programs

    In accordance with clause 2(c)(5) of rule XIII no provision 
of this bill establishes or reauthorizes a program of the 
Federal Government known to be duplicative of another Federal 
program, a program that was included in any report from the 
Government Accountability Office to Congress pursuant to 
section 21 of Public Law 111-139, or a program related to a 
program identified in the most recent Catalog of Federal 
Domestic Assistance.

                  Disclosure of Directed Rule Makings

    The Committee estimates that enacting this bill does not 
direct the completion of any specific rule makings within the 
meaning of section 551 or title 5, United States Code.

                     Federal Advisory Committee Act

    The Committee finds that the legislation does not establish 
or authorize the establishment of an advisory committee within 
the definition of Section 5(b) of the appendix to title 5, 
United States Code.

                      Unfunded Mandates Statement

    Pursuant to section 423 of the Congressional Budget and 
Impoundment Control Act (Pub. L. 113-67), the Committee has 
included a letter received from the Congressional Budget Office 
below.

                         Earmark Identification

    This bill does not include any congressional earmarks, 
limited tax benefits, or limited tariff benefits as defined in 
clause 9 of rule XXI of the House of Representatives.

                           Committee Estimate

    Pursuant to clause 3(d)(2)(B) of rule XIII of the Rules of 
the House of Representatives, the Committee includes below a 
cost estimate of the bill prepared by the Director of the 
Congressional Budget Office under section 402 of the 
Congressional Budget Act of 1974.

   New Budget Authority and Congressional Budget Office Cost Estimate

    Pursuant to clause 3(c)(3) of rule XIII of the House of 
Representatives, the cost estimate prepared by the 
Congressional Budget Office and submitted pursuant to section 
402 of the Congressional Budget Act of 1974 is as follows:

                                                September 29, 2017.
Hon. Trey Gowdy,
Chairman, Committee on Oversight and Government Reform,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3243, the FITARA 
Enhancement Act of 2017.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                                        Keith Hall.
    Enclosure.

H.R. 3243--FITARA Enhancement Act of 2017

    H.R. 3243 would amend the Federal Information Technology 
Acquisition Reform Act (FITARA) to permanently extend some 
expiring provisions. FITARA was enacted as part of the National 
Defense Authorization Act for Fiscal Year 2015 and primarily 
made changes to how the U.S. government buys and manages 
computer technology. Specifically, the bill would extend the 
Federal Data Center Consolidation Initiative (FDCCI), 
PortfolioStat reviews, and the information technology (IT) 
dashboard.
    The FDCCI aims to reduce costs and save energy, 
PortfolioStat reviews are face-to-face meetings between each 
agency's IT officers and the Office of Management and Budget 
(OMB), and the IT dashboard provides online details of federal 
information technology spending. Information from OMB suggests 
that implementing those efforts costs a few million dollars 
annually for agencies to produce the necessary information; 
however, OMB expects that much of this work would continue 
regardless of the expiring authority to conduct them. Thus, CBO 
estimates there would be no significant additional cost or 
savings to continue those efforts under H.R. 3243.
    Enacting the bill could affect direct spending by agencies 
not funded through annual appropriations; therefore, pay-as-
you-go procedures apply. CBO estimates, however, that any net 
increase in spending by those agencies would not be 
significant. Enacting H.R. 3243 would not affect revenues.
    CBO estimates that enacting H.R. 3243 would not increase 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2028.
    H.R. 3243 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would impose no costs on state, local, or tribal governments.
    The CBO staff contacts for this estimate is Matthew 
Pickford. The estimate was approved by H. Samuel Papenfuss, 
Deputy Assistant Director for Budget Analysis.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

TITLE 40, UNITED STATES CODE

           *       *       *       *       *       *       *



SUBTITLE III--INFORMATION TECHNOLOGY MANAGEMENT

           *       *       *       *       *       *       *


 CHAPTER 113--RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY


SUBCHAPTER I--DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET

           *       *       *       *       *       *       *



Sec. 11302. Capital planning and investment control

  (a) Federal Information Technology.--The Director of the 
Office of Management and Budget shall perform the 
responsibilities set forth in this section in fulfilling the 
responsibilities under section 3504(h) of title 44.
  (b) Use of Information Technology in Federal Programs.--The 
Director shall promote and improve the acquisition, use, 
security, and disposal of information technology by the Federal 
Government to improve the productivity, efficiency, and 
effectiveness of federal programs, including through 
dissemination of public information and the reduction of 
information collection burdens on the public.
  (c) Use of Budget Process.--
          (1) Definitions.--In this subsection:
                  (A) The term ``covered agency'' means an 
                agency listed in section 901(b)(1) or 901(b)(2) 
                of title 31.
                  (B) The term ``major information technology 
                investment'' means an investment within a 
                covered agency information technology 
                investment portfolio that is designated by the 
                covered agency as major, in accordance with 
                capital planning guidance issued by the 
                Director.
                  (C) The term ``national security system'' has 
                the meaning provided in section 3542 of title 
                44.
          (2) Analyzing, tracking, and evaluating capital 
        investments.--As part of the budget process, the 
        Director shall develop a process for analyzing, 
        tracking, and evaluating the risks, including 
        information security risks, and results of all major 
        capital investments made by an executive agency for 
        information systems. The process shall cover the life 
        of each system and shall include explicit criteria for 
        analyzing the projected and actual costs, benefits, and 
        risks, including information security risks, associated 
        with the investments.
          (3) Public availability.--
                  (A) In general.--The Director shall make 
                available to the public a list of each major 
                information technology investment, without 
                regard to whether the investments are for new 
                information technology acquisitions or for 
                operations and maintenance of existing 
                information technology, including data on cost, 
                schedule, and performance.
                  (B) Agency information.--
                          (i) The Director shall issue guidance 
                        to each covered agency for reporting of 
                        data required by subparagraph (A) that 
                        provides a standardized data template 
                        that can be incorporated into existing, 
                        required data reporting formats and 
                        processes. Such guidance shall 
                        integrate the reporting process into 
                        current budget reporting that each 
                        covered agency provides to the Office 
                        of Management and Budget, to minimize 
                        additional workload. Such guidance 
                        shall also clearly specify that the 
                        investment evaluation required under 
                        subparagraph (C) adequately reflect the 
                        investment's cost and schedule 
                        performance and employ incremental 
                        development approaches in appropriate 
                        cases.
                          (ii) The Chief Information Officer of 
                        each covered agency shall provide the 
                        Director with the information described 
                        in subparagraph (A) on at least a semi-
                        annual basis for each major information 
                        technology investment, using existing 
                        data systems and processes.
                  (C) Investment evaluation.--For each major 
                information technology investment listed under 
                subparagraph (A), the Chief Information Officer 
                of the covered agency, in consultation with 
                other appropriate agency officials, shall 
                categorize the investment according to risk, in 
                accordance with guidance issued by the 
                Director.
                  (D) Continuous improvement.--If either the 
                Director or the Chief Information Officer of a 
                covered agency determines that the information 
                made available from the agency's existing data 
                systems and processes as required by 
                subparagraph (B) is not timely and reliable, 
                the Chief Information Officer, in consultation 
                with the Director and the head of the agency, 
                shall establish a program for the improvement 
                of such data systems and processes.
                  (E) Waiver or limitation authority.--The 
                applicability of subparagraph (A) may be waived 
                or the extent of the information may be limited 
                by the Director, if the Director determines 
                that such a waiver or limitation is in the 
                national security interests of the United 
                States.
                  (F) Additional limitation.--The requirements 
                of subparagraph (A) shall not apply to national 
                security systems or to telecommunications or 
                information technology that is fully funded by 
                amounts made available--
                          (i) under the National Intelligence 
                        Program, defined by section 3(6) of the 
                        National Security Act of 1947 (50 
                        U.S.C. 3003(6));
                          (ii) under the Military Intelligence 
                        Program or any successor program or 
                        programs; or
                          (iii) jointly under the National 
                        Intelligence Program and the Military 
                        Intelligence Program (or any successor 
                        program or programs).
          (4) Risk management.--For each major information 
        technology investment listed under paragraph (3)(A) 
        that receives a high risk rating, as described in 
        paragraph (3)(C), for 4 consecutive quarters--
                  (A) the Chief Information Officer of the 
                covered agency and the program manager of the 
                investment within the covered agency, in 
                consultation with the Administrator of the 
                Office of Electronic Government, shall conduct 
                a review of the investment that shall 
                identify--
                          (i) the root causes of the high level 
                        of risk of the investment;
                          (ii) the extent to which these causes 
                        can be addressed; and
                          (iii) the probability of future 
                        success;
                  (B) the Administrator of the Office of 
                Electronic Government shall communicate the 
                results of the review under subparagraph (A) 
                to--
                          (i) the Committee on Homeland 
                        Security and Governmental Affairs and 
                        the Committee on Appropriations of the 
                        Senate;
                          (ii) the Committee on Oversight and 
                        Government Reform and the Committee on 
                        Appropriations of the House of 
                        Representatives; and
                          (iii) the committees of the Senate 
                        and the House of Representatives with 
                        primary jurisdiction over the agency;
                  (C) in the case of a major information 
                technology investment of the Department of 
                Defense, the assessment required by 
                subparagraph (A) may be accomplished in 
                accordance with section 2445c of title 10, 
                provided that the results of the review are 
                provided to the Administrator of the Office of 
                Electronic Government upon request and to the 
                committees identified in subsection (B); and
                  (D) for a covered agency other than the 
                Department of Defense, if on the date that is 
                one year after the date of completion of the 
                review required under subsection (A), the 
                investment is rated as high risk under 
                paragraph (3)(C), the Director shall deny any 
                request for additional development, 
                modernization, or enhancement funding for the 
                investment until the date on which the Chief 
                Information Officer of the covered agency 
                determines that the root causes of the high 
                level of risk of the investment have been 
                addressed, and there is sufficient capability 
                to deliver the remaining planned increments 
                within the planned cost and schedule.
          [(5)  Sunset of certain provisions.--Paragraphs (1), 
        (3), and (4) shall not be in effect on and after the 
        date that is 5 years after the date of the enactment of 
        the Carl Levin and Howard P. ``Buck'' McKeon National 
        Defense Authorization Act for Fiscal Year 2015.]
          (5) Report to congress.--At the same time that the 
        President submits the budget for a fiscal year to 
        Congress under section 1105(a) of title 31, the 
        Director shall submit to Congress a report on the net 
        program performance benefits achieved as a result of 
        major capital investments made by executive agencies 
        for information systems and how the benefits relate to 
        the accomplishment of the goals of the executive 
        agencies.
  (d) Information Technology Standards.--The Director shall 
oversee the development and implementation of standards and 
guidelines pertaining to federal computer systems by the 
Secretary of Commerce through the National Institute of 
Standards and Technology under section 11331 of this title and 
section 20 of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3).
  (e) Designation of Executive Agents for Acquisitions.--The 
Director shall designate the head of one or more executive 
agencies, as the Director considers appropriate, as executive 
agent for Government-wide acquisitions of information 
technology.
  (f) Use of Best Practices in Acquisitions.--The Director 
shall encourage the heads of the executive agencies to develop 
and use the best practices in the acquisition of information 
technology.
  (g) Assessment of Other Models for Managing Information 
Technology.--On a continuing basis, the Director shall assess 
the experiences of executive agencies, state and local 
governments, international organizations, and the private 
sector in managing information technology.
  (h) Comparison of Agency Uses of Information Technology.--The 
Director shall compare the performances of the executive 
agencies in using information technology and shall disseminate 
the comparisons to the heads of the executive agencies.
  (i) Monitoring Training.--The Director shall monitor the 
development and implementation of training in information 
resources management for executive agency personnel.
  (j) Informing Congress.--The Director shall keep Congress 
fully informed on the extent to which the executive agencies 
are improving the performance of agency programs and the 
accomplishment of the agency missions through the use of the 
best practices in information resources management.
  (k) Coordination of Policy Development and Review.--The 
Director shall coordinate with the Office of Federal 
Procurement Policy the development and review by the 
Administrator of the Office of Information and Regulatory 
Affairs of policy associated with federal acquisition of 
information technology.

           *       *       *       *       *       *       *


SUBCHAPTER II--EXECUTIVE AGENCIES

           *       *       *       *       *       *       *



Sec.  11319. Resources, planning, and portfolio management

  (a) Definitions.--In this section:
          (1) The term ``covered agency'' means each agency 
        listed in section 901(b)(1) or 901(b)(2) of title 31.
          (2) The term ``information technology'' has the 
        meaning given that term under capital planning guidance 
        issued by the Office of Management and Budget.
  (b) Additional Authorities for Chief Information Officers.--
          (1) Planning, programming, budgeting, and execution 
        authorities for cios.--
                  (A) In general.--The head of each covered 
                agency other than the Department of Defense 
                shall ensure that the Chief Information Officer 
                of the agency has a significant role in--
                          (i) the decision processes for all 
                        annual and multi-year planning, 
                        programming, budgeting, and execution 
                        decisions, related reporting 
                        requirements, and reports related to 
                        information technology; and
                          (ii) the management, governance, and 
                        oversight processes related to 
                        information technology.
                  (B) Budget formulation.--The Director of the 
                Office of Management and Budget shall require 
                in the annual information technology capital 
                planning guidance of the Office of Management 
                and Budget the following:
                          (i) That the Chief Information 
                        Officer of each covered agency other 
                        than the Department of Defense approve 
                        the information technology budget 
                        request of the covered agency, and that 
                        the Chief Information Officer of the 
                        Department of Defense review and 
                        provide recommendations to the 
                        Secretary of Defense on the information 
                        technology budget request of the 
                        Department.
                          (ii) That the Chief Information 
                        Officer of each covered agency certify 
                        that information technology investments 
                        are adequately implementing incremental 
                        development, as defined in capital 
                        planning guidance issued by the Office 
                        of Management and Budget.
                  (C) Review.--
                          (i) In general.--A covered agency 
                        other than the Department of Defense--
                                  (I) may not enter into a 
                                contract or other agreement for 
                                information technology or 
                                information technology 
                                services, unless the contract 
                                or other agreement has been 
                                reviewed and approved by the 
                                Chief Information Officer of 
                                the agency;
                                  (II) may not request the 
                                reprogramming of any funds made 
                                available for information 
                                technology programs, unless the 
                                request has been reviewed and 
                                approved by the Chief 
                                Information Officer of the 
                                agency; and
                                  (III) may use the governance 
                                processes of the agency to 
                                approve such a contract or 
                                other agreement if the Chief 
                                Information Officer of the 
                                agency is included as a full 
                                participant in the governance 
                                processes.
                          (ii) Delegation.--
                                  (I) In general.--Except as 
                                provided in subclause (II), the 
                                duties of a Chief Information 
                                Officer under clause (i) are 
                                not delegable.
                                  (II) Non-major information 
                                technology investments.--For a 
                                contract or agreement for a 
                                non-major information 
                                technology investment, as 
                                defined in the annual 
                                information technology capital 
                                planning guidance of the Office 
                                of Management and Budget, the 
                                Chief Information Officer of a 
                                covered agency other than the 
                                Department of Defense may 
                                delegate the approval of the 
                                contract or agreement under 
                                clause (i) to an individual who 
                                reports directly to the Chief 
                                Information Officer.
          (2) Personnel-related authority.--Notwithstanding any 
        other provision of law, for each covered agency other 
        than the Department of Defense, the Chief Information 
        Officer of the covered agency shall approve the 
        appointment of any other employee with the title of 
        Chief Information Officer, or who functions in the 
        capacity of a Chief Information Officer, for any 
        component organization within the covered agency.
  (c)  Limitation.--None of the authorities provided in this 
section shall apply to telecommunications or information 
technology that is fully funded by amounts made available--
          (1) under the National Intelligence Program, defined 
        by section 3(6) of the National Security Act of 1947 
        (50 U.S.C. 3003(6));
          (2) under the Military Intelligence Program or any 
        successor program or programs; or
          (3) jointly under the National Intelligence Program 
        and the Military Intelligence Program (or any successor 
        program or programs).
  [(c)] (d) Information Technology Portfolio, Program, and 
Resource Reviews.--
          (1) Process.--The Director of the Office of 
        Management and Budget, in consultation with the Chief 
        Information Officers of appropriate agencies, shall 
        implement a process to assist covered agencies in 
        reviewing their portfolio of information technology 
        investments--
                  (A) to identify or develop ways to increase 
                the efficiency and effectiveness of the 
                information technology investments of the 
                covered agency;
                  (B) to identify or develop opportunities to 
                consolidate the acquisition and management of 
                information technology services, and increase 
                the use of shared-service delivery models;
                  (C) to identify potential duplication and 
                waste;
                  (D) to identify potential cost savings;
                  (E) to develop plans for actions to optimize 
                the information technology portfolio, programs, 
                and resources of the covered agency;
                  (F) to develop ways to better align the 
                information technology portfolio, programs, and 
                financial resources of the covered agency to 
                any multi-year funding requirements or 
                strategic plans required by law;
                  (G) to develop a multi-year strategy to 
                identify and reduce duplication and waste 
                within the information technology portfolio of 
                the covered agency, including component-level 
                investments and to identify projected cost 
                savings resulting from such strategy; and
                  (H) to carry out any other goals that the 
                Director may establish.
          (2) Metrics and performance indicators.--The Director 
        of the Office of Management and Budget, in consultation 
        with the Chief Information Officers of appropriate 
        agencies, shall develop standardized cost savings and 
        cost avoidance metrics and performance indicators for 
        use by agencies for the process implemented under 
        paragraph (1).
          (3) Annual review.--The Chief Information Officer of 
        each covered agency, in conjunction with the Chief 
        Operating Officer or Deputy Secretary (or equivalent) 
        of the covered agency and the Administrator of the 
        Office of Electronic Government, shall conduct an 
        annual review of the information technology portfolio 
        of the covered agency.
          (4) Applicability to the department of defense.--In 
        the case of the Department of Defense, processes 
        established pursuant to this subsection shall apply 
        only to the business systems information technology 
        portfolio of the Department of Defense and not to 
        national security systems as defined by section 
        11103(a) of this title. The annual review required by 
        paragraph (3) shall be carried out by the Deputy Chief 
        Management Officer of the Department of Defense (or any 
        successor to such Officer), in consultation with the 
        Chief Information Officer, the Under Secretary of 
        Defense for Acquisition, Technology, and Logistics, and 
        other appropriate Department of Defense officials. The 
        Secretary of Defense may designate an existing 
        investment or management review process to fulfill the 
        requirement for the annual review required by paragraph 
        (3), in consultation with the Administrator of the 
        Office of Electronic Government.
          (5) Quarterly reports.--
                  (A) In general.--The Administrator of the 
                Office of Electronic Government shall submit a 
                quarterly report on the cost savings and 
                reductions in duplicative information 
                technology investments identified through the 
                review required by paragraph (3) to--
                          (i) the Committee on Homeland 
                        Security and Governmental Affairs and 
                        the Committee on Appropriations of the 
                        Senate;
                          (ii) the Committee on Oversight and 
                        Government Reform and the Committee on 
                        Appropriations of the House of 
                        Representatives; and
                          (iii) upon a request by any committee 
                        of Congress, to that committee.
                  (B) Inclusion in other reports.--The reports 
                required under subparagraph (A) may be included 
                as part of another report submitted to the 
                committees of Congress described in clauses 
                (i), (ii), and (iii) of subparagraph (A).
          [(6) Sunset.--This subsection shall not be in effect 
        on and after the date that is 5 years after the date of 
        the enactment of the Carl Levin and Howard P. ``Buck'' 
        McKeon National Defense Authorization Act for Fiscal 
        Year 2015.]

           *       *       *       *       *       *       *

                              ----------                              


NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2015

           *       *       *       *       *       *       *



DIVISION A--DEPARTMENT OF DEFENSE AUTHORIZATIONS

           *       *       *       *       *       *       *


  TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED 
MATTERS

           *       *       *       *       *       *       *


Subtitle D--Federal Information Technology Acquisition Reform

           *       *       *       *       *       *       *


SEC. 834. FEDERAL DATA CENTER CONSOLIDATION INITIATIVE.

  (a) Definitions.--In this section:
          (1) Administrator.--The term ``Administrator'' means 
        the Administrator of the Office of Electronic 
        Government established under section 3602 of title 44, 
        United States Code (and also known as the Office of E-
        Government and Information Technology), within the 
        Office of Management and Budget.
          (2) Covered agency.--The term ``covered agency'' 
        means the following (including all associated 
        components of the agency):
                  (A) Department of Agriculture.
                  (B) Department of Commerce.
                  (C) Department of Defense.
                  (D) Department of Education.
                  (E) Department of Energy.
                  (F) Department of Health and Human Services.
                  (G) Department of Homeland Security.
                  (H) Department of Housing and Urban 
                Development.
                  (I) Department of the Interior.
                  (J) Department of Justice.
                  (K) Department of Labor.
                  (L) Department of State.
                  (M) Department of Transportation.
                  (N) Department of Treasury.
                  (O) Department of Veterans Affairs.
                  (P) Environmental Protection Agency.
                  (Q) General Services Administration.
                  (R) National Aeronautics and Space 
                Administration.
                  (S) National Science Foundation.
                  (T) Nuclear Regulatory Commission.
                  (U) Office of Personnel Management.
                  (V) Small Business Administration.
                  (W) Social Security Administration.
                  (X) United States Agency for International 
                Development.
          (3) FDCCI.--The term ``FDCCI'' means the Federal Data 
        Center Consolidation Initiative described in the Office 
        of Management and Budget Memorandum on the Federal Data 
        Center Consolidation Initiative, dated February 26, 
        2010, or any successor thereto.
          (4) Government-wide data center consolidation and 
        optimization metrics.--The term ``Government-wide data 
        center consolidation and optimization metrics'' means 
        the metrics established by the Administrator under 
        subsection (b)(2)(G).
  (b) Federal Data Center Consolidation Inventories and 
Strategies.--
          (1) In general.--
                  (A) Annual reporting.--Except as provided in 
                subparagraph (C), each year, beginning in the 
                first fiscal year after the date of the 
                enactment of this Act and each fiscal year 
                thereafter, the head of each covered agency, 
                assisted by the Chief Information Officer of 
                the agency, shall submit to the Administrator--
                          (i) a comprehensive inventory of the 
                        data centers owned, operated, or 
                        maintained by or on behalf of the 
                        agency; and
                          (ii) a multi-year strategy to achieve 
                        the consolidation and optimization of 
                        the data centers inventoried under 
                        clause (i), that includes--
                                  (I) performance metrics--
                                          (aa) that are 
                                        consistent with the 
                                        Government-wide data 
                                        center consolidation 
                                        and optimization 
                                        metrics; and
                                          (bb) by which the 
                                        quantitative and 
                                        qualitative progress of 
                                        the agency toward the 
                                        goals of the FDCCI can 
                                        be measured;
                                  (II) a timeline for agency 
                                activities to be completed 
                                under the FDCCI, with an 
                                emphasis on benchmarks the 
                                agency can achieve by specific 
                                dates;
                                  (III) year-by-year 
                                calculations of investment and 
                                cost savings for the period 
                                beginning on the date of the 
                                enactment of this Act and 
                                ending on the date set forth in 
                                subsection (e), broken down by 
                                each year, including a 
                                description of any initial 
                                costs for data center 
                                consolidation and optimization 
                                and life cycle cost savings and 
                                other improvements, with an 
                                emphasis on--
                                          (aa) meeting the 
                                        Government-wide data 
                                        center consolidation 
                                        and optimization 
                                        metrics; and
                                          (bb) demonstrating 
                                        the amount of agency-
                                        specific cost savings 
                                        each fiscal year 
                                        achieved through the 
                                        FDCCI; and
                                  (IV) any additional 
                                information required by the 
                                Administrator.
                  (B) Use of other reporting structures.--The 
                Administrator may require a covered agency to 
                include the information required to be 
                submitted under this subsection through 
                reporting structures determined by the 
                Administrator to be appropriate.
                  (C) Department of defense reporting.--For any 
                year that the Department of Defense is required 
                to submit a performance plan for reduction of 
                resources required for data servers and 
                centers, as required under section 2867(b) of 
                the National Defense Authorization Act for 
                Fiscal Year 2012 (10 U.S.C. 2223a note), the 
                Department of Defense--
                          (i) may submit to the Administrator, 
                        in lieu of the multi-year strategy 
                        required under subparagraph (A)(ii)--
                                  (I) the defense-wide plan 
                                required under section 
                                2867(b)(2) of the National 
                                Defense Authorization Act for 
                                Fiscal Year 2012 (10 U.S.C. 
                                2223a note); and
                                  (II) the report on cost 
                                savings required under section 
                                2867(d) of the National Defense 
                                Authorization Act for Fiscal 
                                Year 2012 (10 U.S.C. 2223a 
                                note); and
                          (ii) shall submit the comprehensive 
                        inventory required under subparagraph 
                        (A)(i), unless the defense-wide plan 
                        required under section 2867(b)(2) of 
                        the National Defense Authorization Act 
                        for Fiscal Year 2012 (10 U.S.C. 2223a 
                        note)--
                                  (I) contains a comparable 
                                comprehensive inventory; and
                                  (II) is submitted under 
                                clause (i).
                  (D) Statement.--Each year, beginning in the 
                first fiscal year after the date of the 
                enactment of this Act and each fiscal year 
                thereafter, the head of each covered agency, 
                acting through the Chief Information Officer of 
                the agency, shall--
                          (i)(I) submit a statement to the 
                        Administrator stating whether the 
                        agency has complied with the 
                        requirements of this section; and
                                  (II) make the statement 
                                submitted under subclause (I) 
                                publicly available; and
                          (ii) if the agency has not complied 
                        with the requirements of this section, 
                        submit a statement to the Administrator 
                        explaining the reasons for not 
                        complying with such requirements.
                  (E) Agency implementation of strategies.--
                          (i) In general.--Each covered agency, 
                        under the direction of the Chief 
                        Information Officer of the agency, 
                        shall--
                                  (I) implement the strategy 
                                required under subparagraph 
                                (A)(ii); and
                                  (II) provide updates to the 
                                Administrator, on a quarterly 
                                basis, of--
                                          (aa) the completion 
                                        of activities by the 
                                        agency under the FDCCI;
                                          (bb) any progress of 
                                        the agency towards 
                                        meeting the Government-
                                        wide data center 
                                        consolidation and 
                                        optimization metrics; 
                                        and
                                          (cc) the actual cost 
                                        savings and other 
                                        improvements realized 
                                        through the 
                                        implementation of the 
                                        strategy of the agency.
                          (ii) Department of defense.--For 
                        purposes of clause (i)(I), 
                        implementation of the defense-wide plan 
                        required under section 2867(b)(2) of 
                        the National Defense Authorization Act 
                        for Fiscal Year 2012 (10 U.S.C. 2223a 
                        note) by the Department of Defense 
                        shall be considered implementation of 
                        the strategy required under 
                        subparagraph (A)(ii).
                  (F) Rule of construction.--Nothing in this 
                section shall be construed to limit the 
                reporting of information by a covered agency to 
                the Administrator, the Director of the Office 
                of Management and Budget, or Congress.
          (2) Administrator responsibilities.--The 
        Administrator shall--
                  (A) establish the deadline, on an annual 
                basis, for covered agencies to submit 
                information under this section;
                  (B) establish a list of requirements that the 
                covered agencies must meet to be considered in 
                compliance with paragraph (1);
                  (C) ensure that information relating to 
                agency progress towards meeting the Government-
                wide data center consolidation and optimization 
                metrics is made available in a timely manner to 
                the general public;
                  (D) review the inventories and strategies 
                submitted under paragraph (1) to determine 
                whether they are comprehensive and complete;
                  (E) monitor the implementation of the data 
                center strategy of each covered agency that is 
                required under paragraph (1)(A)(ii);
                  (F) update, on an annual basis, the 
                cumulative cost savings realized through the 
                implementation of the FDCCI; and
                  (G) establish metrics applicable to the 
                consolidation and optimization of data centers 
                Government-wide, including metrics with respect 
                to--
                          (i) costs;
                          (ii) efficiencies, including, at a 
                        minimum, server efficiency; and
                          (iii) any other factors the 
                        Administrator considers appropriate.
          (3) Cost saving goal and updates for congress.--
                  (A) In general.--Not later than one year 
                after the date of the enactment of this Act, 
                the Administrator shall develop, and make 
                publicly available, a goal, broken down by 
                year, for the amount of planned cost savings 
                and optimization improvements achieved through 
                the FDCCI during the period beginning on the 
                date of the enactment of this Act and ending on 
                the date set forth in subsection (e).
                  (B) Annual update.--
                          (i) In general.--Not later than one 
                        year after the date on which the goal 
                        described in subparagraph (A) is made 
                        publicly available, and each year 
                        thereafter, the Administrator shall 
                        aggregate the reported cost savings of 
                        each covered agency and optimization 
                        improvements achieved to date through 
                        the FDCCI and compare the savings to 
                        the projected cost savings and 
                        optimization improvements developed 
                        under subparagraph (A).
                          (ii) Update for congress.--The goal 
                        required to be developed under 
                        subparagraph (A) shall be submitted to 
                        Congress and shall be accompanied by a 
                        statement describing--
                                  (I) the extent to which each 
                                covered agency has developed 
                                and submitted a comprehensive 
                                inventory under paragraph 
                                (1)(A)(i), including an 
                                analysis of the inventory that 
                                details specific numbers, use, 
                                and efficiency level of data 
                                centers in each inventory; and
                                  (II) the extent to which each 
                                covered agency has submitted a 
                                comprehensive strategy that 
                                addresses the items listed in 
                                paragraph (1)(A)(ii).
          (4) GAO review.--
                  (A) In general.--Not later than one year 
                after the date of the enactment of this Act, 
                and each year thereafter, the Comptroller 
                General of the United States shall review and 
                verify the quality and completeness of the 
                inventory and strategy of each covered agency 
                required under paragraph (1)(A).
                  (B) Report.--The Comptroller General of the 
                United States shall, on an annual basis, 
                publish a report on each review conducted under 
                subparagraph (A).
  (c) Ensuring Cybersecurity Standards for Data Center 
Consolidation and Cloud Computing.--
          (1) In general.--In implementing a data center 
        consolidation and optimization strategy under this 
        section, a covered agency shall do so in a manner that 
        is consistent with Federal guidelines on cloud 
        computing security, including--
                  (A) applicable provisions found within the 
                Federal Risk and Authorization Management 
                Program (FedRAMP); and
                  (B) guidance published by the National 
                Institute of Standards and Technology.
          (2) Rule of construction.--Nothing in this section 
        shall be construed to limit the ability of the Director 
        of the Office of Management and Budget to update or 
        modify the Federal guidelines on cloud computing 
        security.
  (d) Waiver of Requirements.--The Director of National 
Intelligence and the Secretary of Defense, or their respective 
designee, may waive the applicability to any national security 
system, as defined in section 3542 of title 44, United States 
Code, of any provision of this section if the Director of 
National Intelligence or the Secretary of Defense, or their 
respective designee, determines that such waiver is in the 
interest of national security. Not later than 30 days after 
making a waiver under this subsection, the Director of National 
Intelligence or the Secretary of Defense, or their respective 
designee, shall submit to the Committee on Homeland Security 
and Governmental Affairs and the Select Committee on 
Intelligence of the Senate and the Committee on Oversight and 
Government Reform and the Permanent Select Committee on 
Intelligence of the House of Representatives a statement 
describing the waiver and the reasons for the waiver.
  (e) Sunset.--This section is repealed effective on October 1, 
[2018] 2020.

           *       *       *       *       *       *       *


                                  [all]