[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]





 
   FEDERAL AGENCIES' RELIANCE ON OUTDATED AND UNSUPPORTED INFORMATION


                    TECHNOLOGY: A TICKING TIME BOMB

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 25, 2016

                               __________

                           Serial No. 114-120

                               __________

Printed for the use of the Committee on Oversight and Government Reform








         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                      
                      
                             ________

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 23-644 PDF                 WASHINGTON : 2017       
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                 David Rapallo, Minority Staff Director
 Troy Stock, Staff Director, Subcommittee on Transportation and Public 
                                 Assets
                          Julie Dunne, Counsel
                           Willie Marx, Clerk
                           
                           
                            C O N T E N T S

                              ----------                              
Hearing held on May 25, 2016

                               WITNESSES

Mr. Dave Powner, Director, IT Management Issues, Government 
  Accountability Office
    Oral Statement
    Written Statement
Mr. Terry Milholland, Chief Technology Officer, Internal Revenue 
  Service
    Oral Statement
    Written Statement
Mr. Terry Halvorsen, Chief Information Officer, Department of 
  Defense
    Oral Statement
    Written Statement
Ms. Beth Killoran, Acting Deputy Assistant Secretary for 
  Information Technology and Chief Information Officer, 
  Department of Health and Human Services
    Oral Statement
    Written Statement
Hon. Tony Scott, Federal Chief Information Officer, Office of 
  Management and Budget
    Oral Statement
    Written Statement

                                APPENDIX

GAO summary of Major Information Technology Acquisition 
  Failures, Entered by Chairman Chaffetz
GAO Report titled, ``Federal Agencies Need to Address Aging 
  Legacy Systems,'' Entered by Representative Stephen Lynch
Verizon Report titled, ``2016 Data Breach Investigations 
  Report'', Entered by Representative Stephen Lynch
May 16, 2016 letter from IRS Commissioner John Koskinen to 
  Chairman Chaffetz and Ranking Member Cummings, Entered by 
  Chairman Chaffetz


  FEDERAL AGENCIES' RELIANCE ON OUTDATED AND UNSUPPORTED INFORMATION 
                    TECHNOLOGY: A TICKING TIME BOMB

                              ----------                              


                        Wednesday, May 25, 2016

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 9:02 a.m., in Room 
2154, Rayburn House Office Building, Hon. Jason Chaffetz 
[chairman of the committee] presiding.
    Present: Representatives Chaffetz, Mica, Farenthold, 
Meadows, Mulvaney, Hurd, Cummings, Lynch, Connolly, Kelly, and 
Lieu.
    Chairman Chaffetz. The Committee on Oversight and 
Government Reform will come to order. I appreciate those in 
attendance today. We are having a hearing about Federal 
agencies' reliance on outdated and unsupported information 
technology, a ticking time bomb.
    The Federal Government is spending more than $80 billion--
$80 billion--annually on IT, and it largely doesn't work. With 
the majority of the spending focused on maintaining and 
operating legacy systems, this is obviously a major concern for 
the United States Congress and the operation of the Federal 
Government.
    Such spending on legacy IT results in higher costs and 
security vulnerabilities where old software and operating 
systems are no longer supported by vendors. The Federal 
Government is years and, in some cases, decades behind the 
private sector. We cannot have Federal agencies buying spare 
parts on eBay for IT systems, such as the case at the 
Department of Labor.
    The Federal Government also cannot rely on 930 million 
lines of code using more than 70 legacy programming languages. 
This is the best estimate that we have on the numbers, based on 
the surveys that we did with the various agencies.
    That includes over 155 million lines of COBOL and 135 
million lines of Fortran, coding language that was first used 
in the 1960s. In fact, 50 years ago--50 years ago--Dartmouth 
described Fortran as ``old-fashioned.'' So 50 years ago, they 
thought it was old-fashioned, and it is still in use today.
    This does not even include the Departments of Defense or 
Labor, because they could not tell us how many lines of code, 
so you can imagine at DOD how many millions upon millions of 
lines of code that are still out there in those agencies.
    Some agencies still use Windows 3.1, which came on the 
market in the early 1990s, or Windows XP, which came on the 
market in the early 2000s.
    I read a document recently from the Department of Justice, 
and it was a WordPerfect document. I love WordPerfect. They are 
from Utah, and they still sell that product and update it. They 
had an update in the last 60 days. But my guess is if they 
tried to send you a WordPerfect document, you might have a 
difficult time opening it.
    The Federal CIO Tony Scott is one of our witnesses today. 
He has stated the need to update IT legacy systems is a crisis 
bigger than Y2K.
    I will note, personally, I am so pleased that Mr. Scott has 
joined the Federal Government. He has quite a background and 
reputation. He is the kind of talent that I think our Federal 
Government needs. To have somebody of his caliber helping to 
tackle these issues, answering the call to service for our 
Nation, is really an important step forward, and I applaud the 
Obama administration for encouraging him and getting him to 
participate here. I think he is part of the solution and not 
part of the problem.
    Let me give you some examples of our deep concern here.
    The Department of Defense Strategic Automated Command and 
Control System is 50 years old and runs on a 1970s IBM Series 1 
computer that uses an 8-inch floppy disk.
    This is an 8-inch floppy disk. It takes 3.2 million of 
these to equal one flash drive. So you can go get a flash drive 
down at Best Buy or you can get 3.2 million of these to get the 
same amount of data stored. And this is still what the 
Department of Defense is using.
    I want to show a couple pictures here. These are from the 
brochure. This is what the Department of Defense in many ways 
is still using, nice 1970s, first-class brochures there. Those 
styles, that is styling. That is literally the kind of 
technology that we are using and up against.
    DOD is only now, by the end of fiscal year 2017, finally 
scheduled to update parts of this system. It is good, but it is 
decades overdue.
    The system reminds me, do you remember the movie WarGames, 
the WOPR, the War Operations Plan Response, from the 1983 
movie? It is still like that, unfortunately.
    The IRS Individual Master Files, sometimes called the IMF, 
which is the authoritative data source for individual taxpayer 
information, is also more than 50 years old. It is written in 
low-level computer code that is difficult to write and 
maintain.
    The IRS has general plans to modernize and has made some 
progress, but provided no specific date on which the IMF will 
be turned off and the new system turned on. I hope that changes 
here today. Goals must have deadlines. Otherwise, they are just 
dreams, and we need specifics.
    The really scary part about all this is that DOD and the 
IRS are not alone among the Federal agencies relying on legacy 
IT systems and unsupported software and operating systems.
    So how do we fix this situation? How do we protect the 
Nation against the vulnerabilities that are inevitably there 
with such outdated technology?
    We are going to hear a lot today about a proposal to 
establish a $3 billion IT modernization fund to help agencies 
move off of these legacy systems. There are three issues that I 
would like to mention proactively about this proposal. I think 
it is a serious proposal based on a lot of good work done in 
the private sector.
    First, the GAO reported last week, at a joint IT-Government 
Operations Subcommittees hearing, there are millions of 
dollars' worth of savings still on the table from data center 
consolidation. To date, agencies have closed more than 3,000 of 
10,500 data centers and achieved $2.8 billion in cost savings. 
Most of these savings are attributed to just four agencies, the 
Department of Commerce, the Department of Defense, the 
Department of Homeland Security, and Treasury. So there is much 
available in terms of savings still on the table.
    I think I am much more inclined to allow CIOs who are 
achieving savings and have the foresight and plan to move 
forward to use those savings to upgrade legacy systems rather 
than simply writing a blank check for all CIOs, regardless of 
how well they are currently managing their resources.
    Second, the committee wants to see progress on its FITARA 
implementation scorecard before giving CIOs additional 
resources. Under FITARA, CIOs now have a proper seat at the 
table.
    To the men and women in the CIO positions, they must be 
qualified, motivated, and empowered to make decisions within 
their agencies, and they must be held accountable. The pattern 
of Fs moving to Ds, and Ds moving to Cs, and so forth, will go 
a long way to convincing the committee that CIOs will 
appropriately utilize additional resources allocated to 
modernizing legacy systems.
    Third, I note that Mr. Milholland appears today under a 
subpoena. IRS Commissioner John Koskinen declined to allow Mr. 
Milholland to testify voluntarily and stated to the committee, 
and I quote, this comes from the letter, ``Spending time 
preparing for a hearing would take Mr. Milholland away from his 
important role in leading IT development and operation, and 
would be disruptive to the IRS.''
    That is wholly and totally unacceptable. This is part of 
the solution, not part of the problem, and the accountability 
before Congress is part of this issue.
    Preparing for, testifying at a hearing on IT issues in 
front of this committee does not take away from the important 
role. It is a key part of your important role.
    The committee hopes IRS attitude and position is not 
widespread across the Federal Government. It is a change in 
attitude from the IRS Commissioner.
    The IRS Commissioner insisted that he personally be here to 
testify, but we want to have the people who are actually 
responsible day-to-day and spend 100 percent of their day 
working on this issue. It is very frustrating.
    Taxpayers deserve a government that leverages technology to 
serve them, rather than one that deploys unsecured, decades-old 
technology that places their sensitive and personal information 
at risk. We have a long way to go to get from COBOL to the 
cloud, but I am committed to helping us get there.
    I know other members of the committee are working on this 
as well. I want to duly note Ranking Member Cummings, Chairman 
Hurd, Ranking Member Kelly, Chairman Meadows, and Ranking 
Member Connolly among those who are spending a significant 
amount of time trying to help tackle and solve the problem. I 
appreciate their insight and their participation.
    This is not a partisan issue. We all need to come together 
on this, on both sides of the aisle. It is the right thing to 
do, and it is a vital part of the infrastructure that we need 
in order to have a fully functional government.
    So we will have a good hearing today. I appreciate the 
witnesses being here.
    I will now recognize the ranking member, Mr. Cummings, for 
his comments.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    There has been an increasing number of sophisticated 
cyberattacks against Federal agencies like the Office of 
Personnel Management as well as private sector companies like 
Anthem, Premera, and Sony Pictures. These devastating 
cyberattacks highlight the challenges faced by public agencies 
and the private sector in keeping their systems secure from 
determined, sophisticated cyber spies.
    They also highlight the need for strong congressional 
action to help agencies strengthen their security and modernize 
their information technology systems.
    The problem, however, is that Republicans in Congress have 
spent the last several years making massive cuts to Federal 
agency budgets, making it harder for these agencies to upgrade 
their information systems, let alone maintain the systems they 
have.
    The Internal Revenue Service is a prime example. 
Republicans slashed the IRS budget by almost 17 percent over 
the past 5 years, cutting it from $12.2 billion in 2010 to 
$11.2 billion in 2016. They cannot pretend that budget cuts of 
this magnitude have no effect.
    Obviously, these massive cuts reduce the amount of funding 
the IRS could devote to system upgrades. These cuts also impair 
the ability of the IRS to hire and retain staff needed to 
modernize and replace outdated information systems.
    As a result of these massive cuts, the IRS IT staff has 
dropped from 7,385 employees in 2011 to 6,730 employees today.
    I completely agree that Federal agencies desperately need 
to upgrade their information technology systems. But if we want 
to talk about a ticking time bomb, let's talk about it. The 
ticking time bomb here is that Republicans keep slashing agency 
budgets year after year, and pretending that these actions have 
no negative repercussions.
    Just yesterday, Republicans on the House Appropriations 
Committee released their fiscal year 2017 budget. It would 
slash another $236 million from the IRS budget.
    We cannot expect Federal agencies to modernize, replace, 
and strengthen their information systems against determined, 
sophisticated cyber attackers without giving them the resources 
and tools they need to do so.
    This is why I am proud to cosponsor the Information 
Technology Modernization Act that was recently proposed by the 
Obama administration and introduced in the House by my 
colleague from the State of Maryland, Congressman Steny Hoyer. 
Our fellow committee members Representatives Connolly, Lieu, 
Kelly, and Duckworth are also cosponsoring this bill.
    The bill would improve cybersecurity by establishing a 
dedicated $3.1 billion information technology modernization 
fund to help agencies replace their outdated information 
systems with more modern, adaptive, and secure systems. The 
bill would take some of the best practices from the private 
sector by establishing a revolving loan fund that would be 
dedicated for the purpose of funding wholesale upgrades and 
replacing outdated information technology infrastructure. The 
fund would be self-sustaining because agencies that receive 
money for modernization projects would be required to repay it 
over time.
    By doing this, the bill would ensure that the fund can 
continue to support modernization projects into the future.
    The bill also would create an independent review board with 
experts in acquisition and cybersecurity to oversee the fund 
and review proposals from agencies to upgrade their systems. 
The board would provide technical support to agencies in 
implementing modernization plans, and it would provide regular 
monitoring to ensure that every project that receives funding 
would be subject to centralized oversight and expertise.
    As the Government Accountability Office's newly released 
report on Federal agency IT systems found, Federal agencies 
spend almost 75 percent of their budgets on maintaining current 
computer systems--75 percent--which leaves little for funding 
the development of more modern but costly technologies that are 
more secure.
    We hope to have the support of our chairman for this 
landmark legislation. And the chairman is absolutely right, 
this is not something that should be done on a partisan basis. 
This is, indeed, a bipartisan problem that must have bipartisan 
solutions.
    So I want to thank you, Mr. Chairman, for calling this 
important hearing, and I look forward to the testimony of our 
witnesses today. And with that, I yield back.
    Chairman Chaffetz. I thank the gentleman.
    I would like to ask unanimous consent to enter into the 
record two documents. The first is a spreadsheet demonstrating 
that, since President Obama took office until now, there is $6 
billion in annual funding increases since the President took 
office. Despite the comments earlier, there are billions of 
dollars on an annual basis more being spent on IT.
    I would also ask unanimous consent to enter into the record 
the GAO summary of major information technology acquisition 
failures. They total about $8 billion, things that have been 
started and scuttled, everything from NOAA to the Department of 
Defense to Veterans Affairs to Homeland Security. I ask 
unanimous consent to enter that into the record as well.
    Without objection, so ordered.
    Chairman Chaffetz. I want to hold the record open for 5 
legislative days for any members who would like to submit a 
written statement.
    It is now time to recognize our witnesses.
    I am pleased to welcome Mr. Dave Powner, director of IT 
management issues at the Government Accountability Office. I 
appreciate your expertise. You have testified before, and we 
are glad to have you here.
    Mr. Terry Milholland, chief technology officer at the 
Internal Revenue Service at the Department of the Treasury, 
thanks for being with us again.
    Mr. Terry Halvorsen, chief information officer at the 
Department of Defense. Again, we welcome you, Mr. Halvorsen, 
and your presence again before this committee.
    Ms. Beth Killoran--did I pronounce it properly?
    Ms. Killoran. Killoran.
    Chairman Chaffetz. Killoran. I believe this is your first 
time testifying in front of Congress, and we welcome you here 
today.
    She is the acting Deputy Assistant Secretary for 
information technology and chief information officer at the 
Department of Health and Human Services.
    Thank you for being here.
    And the Honorable Tony Scott, the Federal chief information 
officer at the Office of Management and Budget.
    Welcome and thank you all for being here.
    Pursuant to committee rules, witnesses are to be sworn 
before they testify.
    If you will please rise and raise your right hand?
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    Thank you. Let the record reflect that all witnesses 
answered in the affirmative.
    We would appreciate you limiting your verbal comments to 5 
minutes. Your entire written statement will be entered into the 
record. We will give you a little latitude, but if it gets to 
be too long, we will cut you off, so we can ask some pertinent 
questions.
    But, again, we appreciate you being here.
    Mr. Powner, you are now recognized for 5 minutes.

                       WITNESS STATEMENTS

                    STATEMENT OF DAVE POWNER

    Mr. Powner. Chairman Chaffetz, Ranking Member Cummings, 
members of the committee, thank you for holding this hearing 
that highlights a significant issue for our Nation. We have too 
many old legacy systems that are not serving citizens well, 
cost too much to maintain, are at risk of failing, and pose 
significant security vulnerabilities.
    This morning, I will summarize some of these systems and 
why we got into the situation, the dire security situation 
these systems pose, and what needs to occur to fix this issue.
    I would like to start by highlighting the fact that the 
Federal Government spends roughly 75 percent of its IT dollars 
on operations and maintenance and only 25 percent on 
modernizing or new development. So last year, roughly $60 
billion was spent on legacy, and $20 billion went to new 
development. Some of this legacy goes toward duplicative 
systems and inefficient data centers. In your committee hearing 
last week, you administered FITARA implementation grades that 
directly address this, could move savings from the legacy 
bucket to development, and greatly help the situation.
    At that hearing, Commerce CIO Steve Cooper illustrated this 
best when he discussed significant savings resulting from 
consolidating data centers and how these funds can be moved 
toward new modernization efforts.
    Within that $60 billion spent are many old legacy systems, 
some of which have components over 50 years old. Our report 
being released today highlights numerous systems that are still 
being run with outdated languages, like Assembly, COBOL, and 
Fortran; have old parts that are obsolete and difficult to 
find; and contain hardware and software that is no longer 
supported by vendors.
    A key point here is that many of these systems are tied to 
mission-critical functions, not just administrative or 
financial management systems, not to downplay the importance of 
those systems. But our report highlights these aging systems 
that process our tax returns, coordinate operational functions 
for nuclear forces, determine Social Security eligibility and 
amounts. In addition, these aging systems maintain information 
on hazardous materials important to the Department of 
Transportation. They also serve as a key communications hub for 
our Nation's weather warnings.
    A couple key reasons why we have this situation are CIO 
tenure and poor governance over IT spending. The average CIO 
tenure is roughly only 2 years, and most CIOs are not tackling 
these large modernization efforts that typically involve 
massive application and data conversions.
    Also, agency IT governance over legacy spending is 
typically either lacking or poor at best. Not only are these 
old systems difficult and expensive to maintain because 
agencies have to rehire retired programmers or pay a premium to 
vendors for such services, but they also pose significant 
security risks.
    Having all this unsupported hardware and software is a 
recipe for security breaches. In fact, during our review, we 
asked for and took pictures of these older systems, and four 
agencies told us that they could not provide us with these 
pictures because that alone created significant security 
concerns.
    This is a difficult yet fixable problem. To address this 
situation, agencies need to first identify and prioritize their 
old legacy systems in need of replacement. Tony Scott's draft 
guidance does just this, and this committee's inquiries also 
help agencies to complete this first step.
    Next, agencies need to develop replacement plans with clear 
milestones for their replacement efforts. Our report highlights 
far too many instances where these plans are not in place.
    Finally, these plans need to be implemented effectively by 
tackling these efforts incrementally and having aggressive 
governance that monitors progress that should include clear 
transparency on the IT dashboard.
    Again, your FITARA implementation grades that stress 
incremental development and accurate CIO ratings could be 
extremely helpful in fixing the government's aging legacy 
system problem.
    Mr. Chairman, thank you for your leadership on this 
important issue, and I look forward to your questions.
    [Prepared statement of Mr. Powner follows:]
    
    
        
    
    Chairman Chaffetz. Thank you. I appreciate it.
    Mr. Milholland, you are now recognized for 5 minutes.

                 STATEMENT OF TERRY MILHOLLAND

    Mr. Milholland. Chairman Chaffetz, Ranking Member Cummings, 
and members of the committee, thank you for the opportunity to 
testify here today.
    The IRS recognizes the need to continue work to modernize 
our information technology. We make every effort to stay 
current and efficient in our data centers and our processing 
platforms while remaining vigilant about the security of our 
systems and the taxpayer data entrusted to us.
    We operate a number of legacy systems vital to our tax 
administration mission. Our goal is to retire all of these 
legacy systems as quickly as possible. We consider them to be 
legacy because their programming languages and data structures 
were generally designed and built decades ago when computer 
infrastructure was extremely expensive and technology 
capabilities were limited.
    Over time, the underlying hardware and operating 
infrastructures of the legacy systems have been modernized. 
Together with the movement to electronic filing technology, and 
despite the restrictions of the programming language and data 
structures, this modernization has made it possible for the IRS 
to deliver smooth filing seasons year after year.
    To give the committee an idea of what our submission 
systems can handle, over this last filing season, we received 
4.4 million tax returns on our peak day. At that peak, our 
systems accepted more than 800,000 filings in a single hour, 
which equates to more than 225 filings per second.
    But the main challenge posed by our legacy systems is that 
their data structures stored on computer tapes make it very 
difficult to use that data in our downstream service and 
compliance systems to better serve taxpayers.
    So we have been working for many years within the 
constraints of our budget to transition our legacy systems' 
programming languages and data structures so that we can make 
that data more available for more modern, Web-based 
applications and data analytics that we use in other key 
mission functions, like enforcement and compliance.
    Our most visible effort in this regard has been the 
development of a centralized relational database for all 
individual taxpayer accounts called the Customer Account Data 
Engine, CADE2. When fully implemented, it will replace the 
legacy Individual Master File, or IMF, which historically has 
been the primary data source for individual taxpayer accounts.
    We think that will happen in three major steps, or what we 
call transition states. The first step of this transition state 
in implementing CADE2 was the launch in January 2002 of that 
relational database. Up to this point, we had been performing 
core account processing on a weekly basis. Launching this phase 
of CADE2 meant that the IRS can now process updates to accounts 
on a daily basis. This has fundamentally changed the way the 
IRS provides information and services to taxpayers, and has 
delivered significant and lasting benefits to our tax system.
    For example, taxpayers can now receive their refunds 
faster, and IRS customer service representatives have much more 
up-to-date customer account information.
    This, however, is a complex, multistep process, not a 
single switch to be thrown. It is not an easily accomplished 
action because connections for these legacy systems are 
intertwined throughout the IRS for both system and data 
repositories.
    There is a lot more work to be done on CADE2, but the steps 
we have taken so far have improved our ability to interact with 
taxpayers efficiently and effectively.
    I also want to mention that GAO has acknowledged the 
importance of the IRS work in this area. In 2013, GAO removed 
our business system modernization program from its high-risk 
list, singling out delivery of the initial phase of CADE2 as 
the main reason for determining that business system 
modernization was no longer high risk.
    I also should point out that all new development work over 
the past 7 years has been using state-of-the-art programming 
languages and database technologies so that the problems of 
older legacy systems will not be repeated.
    In working to transition our legacy systems to more modern 
ones, we have a number of challenges. None is more critical 
than the budget situation. IRS funding was cut each year for 5 
years from 2011 to 2015, and our budget is currently about $900 
million below what it was in 2010. Making progress at a faster 
pace on transitioning our legacy systems will require 
significant, sustained, additional resources in the IT area.
    Another way Congress can help is by reauthorizing 
streamlined critical pay authority. The loss of this authority 
has made it very difficult and time-consuming to recruit and 
retain employees with expertise in highly technical areas in 
IT, such as legacy system modernization, cybersecurity, 
architecture, engineering, and operations.
    Chairman Chaffetz, Ranking Member Cummings, and members of 
the committee, this concludes my statement, and I am happy to 
take your questions.
    [Prepared statement of Mr. Milholland follows:]
    
    
    Chairman Chaffetz. Thank you.
    Mr. Halvorsen, you are now recognized for 5 minutes.

                  STATEMENT OF TERRY HALVORSEN

    Mr. Halvorsen. Good morning, Mr. Chairman, Ranking Member, 
and distinguished members of the committee. Thank you for this 
opportunity to testify before you on the Department of Defense 
legacy information technology spending plans for modernization 
and the implications of IT acquisition reform and security.
    As the department CIO, I am the principal adviser to the 
Secretary of Defense for information management, IT, 
cybersecurity, communications, positioning, navigation and 
timing, spectrum management, and senior leadership and Nuclear 
Command and Control and Communications matters. My written 
testimony provides more detailed information on these matters, 
but I want to highlight some of the department's activities in 
this area.
    All of the services have modernization plans that align 
with DOD and service priorities. The DOD and the services have 
recognized some critical areas to which funds have been added 
for modernization. NC3, PNT, the Joint Regional Security Stacks 
are some examples. All of the services are committed to moving 
to Windows 10, and we are working on moving toward a common 
private cloud supported by various hybrid and public clouds.
    The department and services are committed to modernization 
as it relates to improved cybersecurity. For example, within 
the services, the Army is moving forward with upgrading its 
camp, post, station, and base communications IT infrastructure. 
The Air Force is implementing Communications Squadron Next. The 
Navy is moving forward with shipboard modernization with 
programs such as CANES. And the USMC has focused its efforts to 
modernize IT at the edge by creating a seamless Marine Corps 
enterprise network.
    I believe we are correctly balancing between mission 
priorities, legacy systems, and modernization within current 
budget constraints. Today, about 25 percent of our budget goes 
to modernization. That doesn't mean that we don't have 
challenges or that there are enough resources.
    OPTEMPO also has a major impact on IT equipment and 
modernization. DOD has been busy, and we continue to have high 
demand for our services.
    Our priority for investments are C2 systems and direct 
combat support systems. We aren't modernizing business systems 
as fast as we would like, but we have prioritized DOD resources 
to ensure overall mission success.
    The DOD is ``Fortune Zero.'' It is the largest IT operation 
in the world.
    I think it is important to note that DOD is not out of 
balance with large enterprise IT in the private sector. We are 
not out of balance in investment, use of cloud, percentage 
using older languages. I think we should note that COBOL runs 
70 percent to 80 percent of all business transactions in the 
world.
    IT modernization competes for dollars with other DOD 
modernization efforts, like aviation platforms, ship weapons, 
combat vehicles, et cetera. Again, I think we've got the 
priorities right, given the budget constraints. The budget, 
however, is constrained, and that affects all modernization 
efforts, to include IT.
    While I am the CIO, DOD must look at the entirety of the 
department's modernization efforts, not just IT, and prioritize 
accordingly.
    Thank you for the time. I look forward to your questions 
today.
    [Prepared statement of Mr. Halvorsen follows:]
    
    Chairman Chaffetz. Thank you.
    Ms. Killoran? Did I get it better that time?
    Ms. Killoran. Yes, thank you. Good morning.
    Chairman Chaffetz. You are now recognized for 5 minutes. 
Thank you.

                   STATEMENT OF BETH KILLORAN

    Ms. Killoran. Good morning, Chairman Chaffetz, and Ranking 
Member Cummings, and members of the committee. Thank you for 
giving me the opportunity to discuss our legacy Federal IT 
technology at HHS.
    As the chief information officer acting for the Department 
of Health and Human Services, my testimony today will describe 
how we have been able to decrease some of our end-of-life 
systems through both a risk mitigation approach as well as our 
plans moving forward.
    HHS is the U.S. Government's principal agency for 
protecting the health of all Americans and providing essential 
human services, especially for those who are least able to help 
themselves. Information technology is critical to enabling HHS 
to achieve its mission by fostering advances in medicine, 
public health, and social services. HHS currently spends 
approximately $5 billion annually on our internal IT and over 
$7 billion in IT grants that are primarily given to States and 
local agencies to facilitate our programs.
    In managing our IT programs, one of the key risks 
associated with operational systems is our ability to secure 
them. Last year, HHS did make measurable progress in our 
increase of Federal Information Security Modernization Act 
score, or FISMA. But our work there isn't done.
    HHS is currently working to implement the next phase of 
Einstein, and we are working to improve our trusted Internet 
connection and deploy different tools under DHS's continuous 
diagnostics and mitigation program.
    All of this work will not only strengthen our systems, but 
will build on HHS Cyber Sprint success that we had and 
strengthen our overall cyber infrastructure resiliency.
    When our agency decides to replace a legacy system, cloud 
offerings can help our agency reduce time to develop those 
products and services. Cloud solutions have helped already HHS 
reduce program risk and development time.
    Our most successful cloud implementation to date is our HHS 
financial systems upgrade of our core backbone, which occurred 
last year. This ambitious program modernized our IT 
infrastructure by using cloud capabilities to improve our 
systems overall. And through a shared technology, we were able 
to add cutting-edge technology in a shorter period of time.
    Given the importance of our IT mission, I worked diligently 
over the last year to also improve our IT portfolio review 
process. Through this, I have launched a number of initiatives 
in collaboration with our operating divisions to address the 
most common systematic issues, improve transparency, and 
enhance governance. Our HHS Federal information technology 
reform act implementation plan helps support that path moving 
forward.
    One initiative that I have done is to enhance our program 
evaluation model to make sure that we are looking at enterprise 
risk overall, and implemented changes to how we look at and 
score our programs for the IT Federal dashboard last October. 
This new model incorporates new risks, operational performance 
objectives, and factors both from scoring and risk factors that 
OMB has established in GAO.
    This data is used to closely monitor our IT programs and 
risks, and identify those that are at risk. And if something is 
at high risk for a certain period of time, we do conduct 
TechStats, of which we actually conducted 10 within the last 
year, including both the programs cited in the recent GAO 
report.
    We will continue to work on mitigating risks as we look at 
our legacy systems and work to improve.
    By working one-on-one with our program managers, we can 
increase the probability of success. We have found that 
investing in those individuals is critical to our success. We 
have trained 300 people over the last year, and we have an HHS 
human capital pilot to increase our cybersecurity work force 
and competencies over the next year.
    HHS does spend significantly more on operations, 71 
percent, than on our development at 29 percent. HHS recognizes 
the need for greater development spending, but challenges 
exist.
    Some of our challenges include lack of authority, uncertain 
grantee systems, the ability to make sure that we are 
accomplishing Federal mandates, the interdependencies of our 
systems, and funding by smaller organizations.
    As we move forward with some of these capabilities, we will 
make sure that we look at our inventory and make sure that our 
FITARA plan establishes how we will evaluate those and look at 
our modernization moving forward.
    One way that we know that we can address a funding 
challenge is by Congress passing the IT modernization fund. 
This model can help agencies with upgrading their systems, and 
the business case we have is our nonrecurring expense fund. 
This is provided to use unobligated balances to allow us to 
make changes to our critical systems, and we have succeeded in 
enhancing our DME significantly from 2012 and 2013 to current 
standards.
    Simply put, doing nothing is not doing nothing. As systems 
age, the risk to security, reliability, and availability have 
to be addressed. To reduce exploitation and system 
vulnerabilities' associated risk, we need to look at those 
systems and make sure that we are looking at business and 
security risks to make our priorities.
    Thank you for your time, and I will yield to any questions 
you might have.
    [Prepared statement of Ms. Killoran follows:]
    
    Chairman Chaffetz. Thank you.
    Mr. Scott, you are now recognized for 5 minutes.

                    STATEMENT OF TONY SCOTT

    Mr. Scott. Thank you, Chairman Chaffetz, Ranking Member 
Cummings, members of the committee. I appreciate the invitation 
to appear before you today.
    As has been noted, Federal agencies spend nearly three-
quarters of their IT budgets maintaining legacy systems. They 
are particularly vulnerable to malicious cyber activity, and 
they are often unable to utilize current cybersecurity best 
practices, such as data encryption, multifactor authentication, 
and other techniques.
    But in addition to posing security vulnerabilities, these 
systems are often very inefficient and subject to rising costs 
over time, and the inability to meet mission requirements. To 
address these challenges, the administration has proposed the 
creation of an information technology modernization fund to 
facilitate the transition of Federal systems to more secure, 
cost-effective, and more modern infrastructure, such as cloud 
platforms.
    The ITMF would address these challenges associated with 
legacy IT by better aligning with the following private sector 
best practices.
    First, a board of experts acting independently of any one 
agency will review agency proposals and select the highest 
priority projects across the government, ensuring that the 
Federal Government's most pressing and highest risk systems are 
targeted for replacement.
    Second, the ITMF will require agencies to pay back the 
funds as projects complete. Doing so will ensure that projects 
receive significant buy-in and attention from agency 
leadership, and that, over time, the ITMF is self-sustaining 
and continues to support future modernization projects. We 
estimate that the $3.1 billion in one-time seed funding could 
address at least $12 billion in modernization projects over the 
first 10 years and would continue to remain available in the 
future.
    Third, experts in IT acquisition and development will 
provide expertise to agencies in implementing their 
modernization plans. To increase the probability of success, 
every project that receives funding will have access to 
centralized expertise, including a public-facing dashboard that 
tracks key milestones and financial expenditure data.
    Fourth, the ITMF will have the ability to provide funding 
in smaller increments tied to real-world delivery of working 
products. This agile approach ensures that agencies employ 
modern development techniques and that these funds support 
successful projects.
    Finally, by requiring agencies to apply and compete for 
incremental funding, the ITMF will provide strong incentives 
for agency leadership to develop and implement comprehensive, 
high-quality, and cost-effective modernization plans.
    Retiring or modernizing vulnerable and inefficient legacy 
IT systems will not only make the government more secure, it 
will also save us money. As a means of acting on this necessary 
next step, we look forward to working with Congress on enacting 
the ITMF, which will enhance agencies' ability to protect 
sensitive data, reduce costs, and deliver world-class digital 
services to the American people.
    I thank the committee for holding this hearing, and I would 
be pleased to answer any questions that you might have.
    [Prepared statement of Mr. Scott follows:]
    
    Chairman Chaffetz. Thank you. Thank you all.
    I will now recognize myself for 5 minutes, but I will yield 
my time to the chairman of the Subcommittee on IT, Mr. Hurd of 
Texas.
    Mr. Hurd. Thank you, Mr. Chairman. Thank you and the 
ranking member for the leadership on this issue.
    I always say that nobody is going to hold a rally for IT 
procurement, but when I am back home, everybody asks about this 
question because they recognize that $80 billion is being spent 
on IT procurement and 80 percent of it is on legacy systems. It 
is about using American taxpayer dollars wisely. It is about 
making sure we have an efficient government that is providing 
services to our citizens. And it is making sure that we are 
using technology that is keeping us safe and protecting our 
digital infrastructure.
    My first question is to Mr. Halvorsen. When did you come 
into the position as CIO?
    Mr. Halvorsen. I have been in this position about 2.5 
years.
    Mr. Hurd. Are you familiar with the Expeditionary Combat 
Support System?
    Mr. Halvorsen. I am.
    Mr. Hurd. And that is a system that was canceled in 2012, 
after spending more than $1 billion and failing to deploy 
within 5 years of initially obligating funds. Is that accurate?
    Mr. Halvorsen. It is.
    Mr. Hurd. One of the things that we are looking at in the 
FITARA scorecard is incremental development. It's major 
development investments and are they achieving measurable goals 
every 6 months? DOD is listed as an F when it comes to 
delivering this. As of May 2016, only 41 percent of those 
projects are being delivered.
    In asking for a modernization fund and additional funds, 
what is going to be done differently in the Department of 
Defense to ensure that, if you do have more money for 
investments on updating legacy IT systems, that you are going 
to actually hit the mark on time?
    Mr. Halvorsen. I would say a couple things.
    One, we are a little out of sync with the grading criteria 
in that we have a 6- to 12-month, not a zero- to 6-month grade 
within DOD. We are moving that more forward, so we leveled that 
time to 6 to 12. It was higher before.
    I think if you look at the things we have done recently, 
you will see that we are doing things in modernization. The 
move to Windows 10 is the single biggest move to a single 
operating system ever undertaken by any organization. We are 
getting that done. We have a 1-year time frame. We are on track 
to do that. We will hit 80 percent of DOD in a year.
    We have done more modernization with the commercial sector. 
I think that is the important piece that we need to recognize 
here. Our modernization needs to be done much more in 
conjunction and partnership with the commercial sector.
    Mr. Hurd. So, Mr. Halvorsen, are you saying buy, not build?
    Mr. Halvorsen. I am saying buy mostly, not build.
    Mr. Hurd. Excellent.
    My next question is for Mr. Milholland. What is Treasury's 
strategy to manage unsupported technologies, such as the 
mainframe capabilities where it states the Treasury will assume 
the risk of the expired support technology? We sent a letter 
out to every agency asking for old programming language that is 
being used, systems that are no longer supported by vendors. In 
some of these systems that are no longer supported by vendors, 
Treasury is saying that they are assuming the risk for that 
expired technology.
    What is the strategy to manage these unsupported 
technologies?
    Mr. Milholland. I am not the Treasury CIO, so I cannot 
answer that completely, but we are a large part of that 
organization.
    Mr. Hurd. In some of these, the response was saying that 
the IRS will be assuming the responsibility for managing that.
    Mr. Milholland. Yes. We believe that all of the 
technologies we have today are, in fact, supported. For 
example, when we were completing the drive to get to Windows 7, 
we worked out a special support deed with Microsoft to cover 
the Windows XP environments while we were completing the job, 
for example.
    The rest of the environments, like what you call the 
mainframes, which is a Systems z, is, in fact, fully supported 
by the supplier, IBM. It is a very modern operating system. We 
are running Linux on the z. In fact, our main migration path 
for all new development is to build these applications with 
Java and run it on the z, or wherever best. It could be on an 
Intel processor.
    We are also using the dollars to stay current whether it is 
the BIOS, whether it is operating systems, whether it is the 
middleware, whether the tools you are using, or the cross 
product, be no more than n or n-1 versions behind.
    Mr. Hurd. I copy, Mr. Milholland, and I only have 10 
seconds left.
    Do you have a modernization roadmap that creates a common 
modern platform for mission delivery?
    Mr. Milholland. Absolutely. In fact, we have shared it with 
this committee. We call it the technology roadmap, part of 
delivering of what we call the future state for the IRS.
    Mr. Hurd. Where are you in implementation?
    Mr. Milholland. We are just at the very beginning for that, 
for the migration to be the digital enterprise. But part of 
that is the modernization of all the legacy systems, which 
includes replacing that assembly language code with Java. That 
is in part driven by the CADE2 project that is underway.
    Mr. Hurd. Thank you, Mr. Chairman. I yield back.
    Chairman Chaffetz. We will now recognize the gentleman from 
Virginia, Mr. Connolly, for 5 minutes.
    Mr. Connolly. Thank you, Mr. Chairman, and I thank the 
ranking member for his ongoing support that has allowed us to 
elevate this issue in this committee and actually created 
enormous common ground.
    Thank you, Mr. Cummings, especially.
    Welcome to the panel.
    Mr. Scott, we are talking about legacy systems, but has 
there been a comprehensive audit of Federal agencies, so we 
actually know the full universe we are talking about?
    Mr. Scott. There is a data collection effort underway 
currently where we hope to gain better insight into actually 
what it is. I would say that some of this is problematic in the 
sense that much of the data isn't automated in the sense that 
you can just push a button and get a digital report in the as-
is environment. So we don't have a comprehensive ----
    Mr. Connolly. But the fact of the matter is--anecdotally, 
right?--we've had, maybe we still have, Federal agencies with 
multiple email systems ----
    Mr. Scott. Correct.
    Mr. Connolly.--not all of which are compatible; multiple HR 
systems, not all of which are compatible; huge numbers of data 
centers that proliferated, and God only knows what coordination 
exists among the thousands of data centers we are trying to 
consolidate; and legacy systems. And on top of legacy systems, 
isn't it also true we have widely distributed software products 
that also need updating or patching?
    Mr. Scott. This is correct. One of the techniques we have 
used to estimate the level of legacy systems is I recently went 
to some of our key suppliers of network storage computer 
equipment and asked them to provide us data in terms of what 
they know about the Federal Government.
    One of the interesting things coming back was, in many 
cases, we pay for support contracts for hardware, software that 
they have sold the Federal Government.
    I asked them to look at what is either expired or will 
expire in the next 3 years, to try to get some handle on what 
that might look like, just from their own records.
    These are systems that we are paying today for support 
contracts on.
    In just the next 3 years, we will have over $3 billion 
worth of hardware, software, and services that will go out of 
support, meaning no spare parts, no patches, no upgrades, no 
security.
    Mr. Connolly. Isn't it also true--I am running out of time, 
so forgive me for interrupting--that we have had to hire 3,427 
IT professionals just to maintain legacy systems?
    Mr. Scott. That sounds about right, yes.
    Mr. Connolly. Wow. Any idea what the estimated cost is to 
replace all the legacy systems in the Federal Government?
    Mr. Scott. We don't have an accurate estimate of that. 
We've tried to triangulate it in a number of different ways. 
That's why we ended up with the $3 billion proposal. We think 
that is at the low end of what would be required to make a 
meaningful start to this.
    But I think the more important concept we should all 
embrace is, given the rapid advance of technology, we really 
need to get into a continuous upgrade mode, not a ``wait until 
it breaks'' mode.
    Mr. Connolly. Right. And I want to deal with something, 
because the chairman has on several occasions cited the fact 
that you have $82 billion a year you spend on procurement. He 
cited in his opening statement the fact that this 
administration, over its lifespan, has increased that. That 
total amount represents an increase of about $6 billion.
    Why isn't that sufficient? Why do you need more money? Why 
do you need this modernization fund, when you have such a 
substantial amount of money we are spending every year, and 
even that amount might be understated, in terms of not 
capturing other expenses within the Federal family?
    Mr. Scott. I agree with the wide observation that there is 
an opportunity to save money. The challenge is, as was already 
said, a lot of that money is spent on just keeping the lights 
on the current old stuff.
    Unfortunately, we cannot shut that off until we have a 
replacement in place, so you cannot actually capture the 
savings until after you have done something to replace it. That 
is why this concept is important.
    Mr. Connolly. Sort of dovetailing with, I think, one of the 
chairman's points, I do think the burden is going to be on the 
Federal Government, the executive branch.
    Okay, let's say, we authorize the modernization fund, 
buying the argument that we are going to have to make an 
initial outlay to achieve savings. There is going to have to be 
a codified savings and efficiency plan that shows we can make 
IRS, DOD, and HHS, and every other Federal agency, this much 
more efficient, and either keep a budget stable or, in fact, 
effectuate net savings because we have replaced those legacy 
systems.
    I think the chairman has expressed that it is 
counterintuitive that we would actually need to add more money. 
I think you can sell that, the argument you just made, Mr. 
Scott, if you can demonstrate, ``And here will be the payoff. 
Here is the return on that investment.''
    I think we have to spend some real time with Congress in 
making that case.
    I yield back.
    Chairman Chaffetz. I thank the gentleman, because those 
last comments, I do agree with. I think that is the seminal 
question we have to get out and agree that is the question that 
we need to analyze on that particular piece of legislation.
    I now recognize the gentleman from Florida, Mr. Mica, for 5 
minutes.
    Mr. Mica. Thank you, Mr. Chairman. And thank you for 
holding this, it's kind of a meat-and-potato hearing. It is not 
flashy like some we do.
    I had the privilege to serve with a very capable ranking 
member, Mr. Connolly, with Government Operations. He is very 
knowledgeable, in fact, more knowledgeable than I was when I 
assumed that position and learned a lot from him.
    Our objective was to look at the total amount of money we 
were spending at the time, which at that time was $80 billion. 
Now I see with your report that was released today, they are 
spending $89 billion.
    The estimate when Mr. Connolly and I were doing our review 
was that about 50 percent of this money is wasted either on 
outdated technology, on duplicate data centers.
    Would GAO or OMB, would you say that about 50 percent is 
not properly spent, is wasted? Is that still about where we 
are?
    Mr. Scott. Yes, I think it would make sense to say, if you 
missed multiple generations of the opportunity to improve your 
computing environment, you are wasting money. It is very clear.
    Mr. Mica. What do you think, GAO?
    Mr. Powner. I do not know if it is 50. I will say this, I 
don't know that I have a precise number, but there is a lot of 
money spent on inefficient operations, data centers, and there 
are a lot of failed acquisitions. So clearly, there are 
billions wasted.
    Mr. Mica. Your report says Federal legacy IT investments 
are becoming increasingly obsolete. Many use outdated software 
languages and hardware parts that are unsupported. Agencies 
reported using systems that have components that are in some 
cases at least 50 years old.
    This is your finding.
    Mr. Powner. Correct.
    Mr. Mica. Well, we won't even go half, if we just go $40 
billion in waste.
    When Mr. Connolly and I started this exercise, we asked you 
all how many data centers there were. I think, first, we got 
800 or something. Then we got 1,200. Then we got, oh my God, we 
were in the thousands.
    I was interested to see in your report here how many 
thousand data centers we have.
    What is that current number?
    Mr. Powner. It is about 10,500.
    Mr. Mica. Ten thousand five hundred. What would you 
guesstimate we could reduce that to?
    Mr. Powner. Well, we have closed 3,100 to date and saved 
$2.8 billion. We can close another 2,000 and save $5.4 billion. 
I think that $5.4 billion is greatly understated because many 
agencies ----
    Mr. Mica. So we can actually spend less and get better 
technology, better results, and improved systems. Is that 
correct?
    Mr. Powner. Yes, we need to definitely get more modern.
    Mr. Mica. So the opening salvo from the other side was that 
Republicans are slashing the money. But actually, we have 
actually saved money by going to the cloud. Is that correct, 
sir?
    Mr. Powner. Yes, there have been savings.
    Mr. Mica. And there are certain concerns about security. We 
do have the cyberthreat.
    A great deal of the data in the Federal Government is not 
classified or necessarily high-security risk, is it, Mr. 
Powner?
    Mr. Powner. It varies. It clearly varies.
    Mr. Mica. But again, your report points out there can be 
very substantial savings consolidating these data centers, 
10,000--we have done some--and then moving to the cloud and 
other--now the question came from Mr. Hurd a little bit about 
buy or build, and the answer was build. What about buy or 
lease? Can somebody say we should be leasing?
    The problem is that the Federal Government buys equipment, 
and the equipment, I will take you back here, we have it even 
in our offices, is outdated. Maybe Mr. Davis bought some of it, 
but now Mr. Chaffetz has inherited it. That is the way agencies 
work, the same way.
    So buy or lease, anyone want to respond? Mr. Scott? Mr. 
Powner?
    Mr. Scott. Well, I think our guidance as proposed would 
rate projects that use cloud, use these more modern techniques, 
the buy-by-the-drink kind of thing, versus build it yourself. 
That is a high-scoring criteria for those projects.
    Mr. Mica. But where are you going to get equipment in an 
office, buy or lease?
    Mr. Scott. You have to have a replacement strategy and 
often that means leasing.
    Mr. Powner. Yes, so I think, clearly, we want to build less 
in the Federal Government. There is less risk with that.
    Mr. Mica. Thank you. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We will now recognize the ranking member of the 
Subcommittee on IT, Ms. Kelly of Illinois, for 5 minutes.
    Ms. Kelly. Thank you, Mr. Chair.
    As ranking member of the IT Subcommittee, I have been 
working with Chairman Hurd on the very issue of legacy systems. 
One of the topics consistently discussed is moving to the 
cloud.
    The CIO.gov Web site says the government's current 
information technology environment is characterized by, and I 
quote, ``low-asset utilization, a fragmented demand for 
resources, duplicative systems, environments that are difficult 
to manage, and long procurement times.'' It goes on to say, and 
I quote, ``Cloud computing has a potential to play a major part 
in addressing these inefficiencies.''
    Mr. Scott, can you briefly explain what is cloud computing?
    Mr. Scott. Generally, it is an environment that leverages 
the power of virtualization, of compute, of storage, of 
networking, as though it were one operating system that allows 
individual programs to scale up or scale down and get better 
asset utilization in aggregate than would be the case in the 
alternative, which is to have a bunch of individual servers.
    It is often surrounded by sets of utilities and other 
mechanisms that allow for the provisioning and de-provisioning 
of computer environments very quickly, which also saves time 
and makes IT more efficient.
    Ms. Kelly. So you started explaining what an important role 
it can play in helping agencies modernize their IT systems. Can 
you expand on that?
    Mr. Scott. One of the benefits of the cloud is the agility 
factor, and then just the scale that most cloud environments 
exist in.
    So I used to talk about the double-double rule as the 
primary way by which system engineers create and compute. If 
you are in the old days an engineer and you are configuring a 
server, you would figure out what it was going to take to 
support that application. You would double it, and then you 
would double it again. That was just an unwritten rule about 
how engineers would configure systems.
    So it was no wonder that when you went into the data 
center, you would find things running at 15 percent or 20 
percent of their capacity.
    What cloud does is aggregate all of that together. Then you 
can run the whole plant at 70 percent, 80 percent, or 90 
percent efficiency instead of 15 percent. That saves money.
    Ms. Kelly. Can you tell us what, if anything, the Office of 
Management and Budget has been doing to encourage agencies to 
move toward cloud computing solutions?
    Mr. Scott. As we have talked with agencies about their 
plans, we have highlighted the opportunity to do that and ask 
questions. We are requiring them to show us what their 
modernization plans are and highly favoring both cloud but also 
virtualization and other modern development techniques. We are 
encouraging the buying of services rather than developing them 
themselves. We are also encouraging the use of shared services.
    So one of the challenges is, in the old world, every agency 
thought it had to do everything top to bottom by itself. As was 
mentioned in the case of email or shared networks or payroll 
systems or financial systems, there is a great opportunity to 
use more shared services and not have every agency do 
everything top to bottom on its own.
    Ms. Kelly. I'm glad to hear that, because I wondered in 
another hearing, but didn't get a chance to ask the question, 
about how often do we share.
    Back in July 2010, David McClure, then associate 
administrator of the General Services Administration, testified 
before this committee that cloud computing would, and I quote, 
``increase the overall IT security posture of the government.''
    Can you explain how cloud computing can improve the Federal 
Government's overall IT security?
    Mr. Scott. We have a FedRAMP standard that takes all of the 
best practices of security and puts together a template and a 
process that providers can certify against that includes 
background checks and other things like that on the people that 
are actually operating the systems, and, taken altogether, is 
much more comprehensive than what we would typically find in a 
sampling of individual agencies or individual environments.
    These are businesses that depend on high security for their 
reputation and future business models, so they often take it 
far more seriously and can put the resources toward it that 
maybe a small organization might not be able to.
    Ms. Kelly. Thank you.
    Thank you, Mr. Chair. I yield back.
    Mr. Mulvaney. [Presiding] I thank the lady.
    The gentleman from Texas, Mr. Farenthold, is now recognized 
for 5 minutes.
    Mr. Farenthold. Thank you, Mr. Chairman.
    Mr. Milholland, you and I think several other members of 
the panel testified that one of the things holding you back 
from getting rid of these legacy systems and upgrading was 
budget concerns. I have to tell you, one of the things I 
consistently hear from everybody who comes into my office, 
whether they are advocating for education or increased medical 
research is, ``Give me more money today, and I will give you 
savings tomorrow.''
    Now, this is, I think, part of our Federal Government 
budgeting mentality, that we do not think enough like the 
private sector. You look at what is happening in the private 
sector right now, when I started practicing law, we were on IBM 
Selectrics. We moved to a mini-computer and moved to a PC 
network. And we went from one assistant for every lawyer now to 
one assistant for every four or five lawyers through the 
technology.
    You look at what the IRS has done. You have millions of 
people e-filing your taxes. You now don't need people in data 
centers keying that into the computer.
    So the savings are coming naturally. So I have a kind of 
two-part question here. One, can you quantify, ``If you give me 
X billion dollars today, I will save you Y billion dollars over 
the next,'' and we will take a lifespan of the computer, 5 to 7 
years? Can that be quantified?
    Second of all, isn't there a way within your budget to pay 
for this incrementally with the savings you are going to get?
    Mr. Milholland. I will try to answer that two-part 
question.
    With respect to the IRS and investment in IRS, people have 
said returns for about every dollar are $4 in revenue to the 
U.S. Often, a lot of that occurs because of the investment in 
the underlying IT infrastructure.
    Where we have suffered is that the budget has been 
reducing, not staying flat. I have been told that we are ----
    Mr. Farenthold. Isn't that what we are trying to do? I am 
going to give you a dollar and then, over the next 10 years, 
I'm going to reduce your budget by $4, and we are going to be 
in the same place by your figures.
    Mr. Milholland. But, sir, you also increased the tasks that 
we have. For example, far more people now are, in fact, filing 
income taxes.
    Mr. Farenthold. I would be much happier if you guys weren't 
having to fool with Obamacare, I will tell you that.
    Mr. Milholland. Well, there are a number of unfunded 
mandates like that that we have had to absorb, whether it has 
been Obamacare, FATCA, there is HCTC, the ABLE Act ----
    Mr. Farenthold. I do not have much time, so let me go to 
Mr. Scott.
    Can you talk about that on a broader scale?
    Mr. Scott. Yes, in fact, if we can show the chart that I 
brought, I don't know if they can put that up.
    What we did is we studied--we took a sample out of our 
database of projects across the Federal Government, this is 
across hundreds and hundreds and hundreds of investments, where 
there was an injection of modernization money prior to 2013. 
Then we looked and we compared that against projects where 
there was no injection, and what happened to the maintenance 
costs of those investments over time.
    What you see is a very clear trend. Where there was no 
injection of money to go fix things, costs continued to rise at 
a rate of around 6 percent.
    Mr. Farenthold. This number doesn't even take in reduced 
personnel costs. I'm assuming that as we modernize technology, 
as we see in law firms or banks with ATMs instead of tellers, 
we ought to see an even bigger cost decrease as people are able 
to work more efficiently. So we ought to be able to save money 
and deliver better service to the hardworking American 
taxpayers who are our customers.
    Mr. Scott. I think we would see, if we factored all those 
factors in, an even sharper drop. In cases, as shown in the 
chart there, where there was an investment, costs would 
continue to go down at a much faster rate. So they went down at 
least 5 percent a year on average, where there was an ----
    Mr. Farenthold. I would love to see an agency come in here 
and say, ``All right, give me this much money to modernize my 
IT, and you can cut my budget by this much.''
    Mr. Scott. Well, this is actual data over an at least 
4-year period, based on actual experience in the government, so I 
think it proves the case.
    Mr. Farenthold. All right, if I am able to get back for a 
second round of questions, I do want to address the DOD 
hackathon and the success that had.
    But my time has expired, and I will yield back.
    Mr. Mulvaney. I thank the gentleman.
    I now recognize the gentleman from California for 5 
minutes, Mr. Lieu.
    Mr. Lieu. Thank you, Mr. Chairman.
    Let me first say I've read the biographies of the witnesses 
today, and all of you could be making a lot more money in the 
private sector, so thank you for your public service.
    I do have a question for Mr. Halvorsen. The GAO identified 
a 53-year-old legacy system in the Department of Defense known 
as the Strategic Automated Command and Control System. This 
system coordinates operational functions of the United States' 
nuclear forces, such as intercontinental ballistic missiles 
and nuclear bombers. Is that correct?
    Mr. Halvorsen. Not exactly.
    Mr. Lieu. All right, what does the system do?
    Mr. Halvorsen. It is a tertiary--I can only go into the 
system a little bit. It is a tertiary system that is 
responsible for delivering two small, very important messages 
as a third backup. That is what that system does today. It is a 
tertiary system.
    And we are actually investing in the NC3 system to change 
the way we deliver that whole product.
    Mr. Lieu. The reason you cannot talk more is because the 
rest is classified?
    Mr. Halvorsen. That is correct.
    Mr. Lieu. Okay. This system is still running on IBM Series 
1 computer, which is a 1970s computing system, according to 
the GAO, and written in Assembly language code. The GAO also 
reports that the system currently uses 8-inch floppy disks, 
which are a 1970s-era storage device. Is that accurate, sir?
    Mr. Halvorsen. That is correct.
    Mr. Lieu. Okay. So this system also, as I think you noted, 
sends and receives emergency action messages to nuclear forces. 
Is that correct?
    Mr. Halvorsen. A tertiary system for doing that, yes, sir.
    Mr. Lieu. I got that, but it does send and receive 
emergency action messages to nuclear forces.
    You would agree that our nuclear forces are pretty darn 
important?
    Mr. Halvorsen. I would.
    Mr. Lieu. Okay. You had in your testimony earlier today 
said that the Department of Defense is not of balance with 
other private sector companies, and that your priorities are 
right. Are you aware of any other successful private sector 
company that uses 8-inch floppy disks?
    Mr. Halvorsen. I am not, but I am aware of other private 
companies that use similar technology. No one is saying that we 
should continue to use the 8-inch disks much longer, but I 
would point out a couple things. The reliability factor on that 
system is where I need it to be, which is five 9s, 99.999 
percent. It is completely secure because it is a closed system. 
So while I want to fix it, all I am saying is that in the 
priority of things that I need to fix, that will be in probably 
year 3 of my next 5-year plan. It is not in the top priority of 
things I think either I want to fix or you would want me to 
fix, in terms of priority.
    Mr. Lieu. Why are you fixing it at all, if it is not as 
important as you say it is, if it is just this classified 
system you cannot even really talk about for nuclear forces?
    Mr. Halvorsen. I didn't say it wasn't important. I said it 
was a tertiary system. And what I am fixing is the entire way 
that we are going to deliver that whole process.
    I won't actually replace this system. The system is going 
to go away and be replaced by a different method of delivery.
    Mr. Lieu. And it'll be done by year 3?
    Mr. Halvorsen. It will.
    Mr. Lieu. Okay, thank you, sir.
    So, Ms. Killoran, I have a question for you about another 
system the GAO identified. It is the Health and Human Services 
Medicare appeals system. Can you explain what that is?
    Ms. Killoran. Yes. That system is a system that we actually 
have that plaintiffs can file appeals to claims that they have. 
It is actually a business process flow and goes through three 
of the five levels of appeals.
    Mr. Lieu. And a fair number of Americans have Medicare 
appeals, and the system helps them?
    Ms. Killoran. Yes. It allows them to get not only 
notifications and status, but it also sends out letters.
    Mr. Lieu. And the system also helps respond to 
congressional inquiries, correct?
    Ms. Killoran. Correct.
    Mr. Lieu. Do you have any plans to update that legacy 
system?
    Ms. Killoran. So that legacy system is 10 years old. We 
actually do have--the system has been updated to make sure that 
the software is current and the hardware is current. One of the 
things that we slightly disagree with on the audit is just 
because something has a particular age doesn't necessarily mean 
that it is end-of-life.
    As Mr. Scott had talked about, all of the operating system, 
the software and the hardware for this particular system, is 
completely up-to-date and supported by the vendor at this time. 
So we don't have a plan to replace, but we are going to keep 
updating it and making sure that it is current.
    Mr. Lieu. So your view is the system is working currently, 
and there is no need to upgrade it?
    Ms. Killoran. So we have been doing continual upgrades as 
we have different mandates and there have been requirements for 
operating system changes and software to keep it current, yes.
    Mr. Lieu. Thank you.
    Let me conclude by thanking Ranking Member Cummings and 
Chairman Chaffetz for holding this hearing, and I want to thank 
the ranking member for his support of the IT modernization 
bill, which I'm a co-author of as well, and hopefully we can 
get that through.
    With that, I yield back.
    Chairman Chaffetz. [Presiding] I thank the gentleman.
    We will now recognize the gentleman from South Carolina, 
Mr. Mulvaney, for 5 minutes.
    Mr. Mulvaney. I thank the chairman. I'm over here in the 
corner.
    I guess my questions are, Mr. Connolly was here, and I'm 
always frightened when I agree with him, but I agree with him 
more and more when we do these oversight hearings. I want to 
focus a little bit on how we got here.
    I heard the ranking member talk about the draconian budget 
cuts. Mr. Milholland, I heard you mention draconian budget 
cuts. Certainly, at the IRS, I apologize, I don't have the HHS 
numbers or DOD, so I don't want to appear to be picking on the 
IRS, but they are the numbers I could get in the last 5 
minutes. Certainly, your budget has been cut in the last couple 
years, 3 percent this year. It was up 0.8 percent the year 
before that. Down 5 percent the year before that. Down 2.5 
percent the year before that.
    But I think we would all agree that when you are still 
using technology and computer systems from the 1970s and 1980s, 
this is not a problem that started in 2012, okay?
    I see that Mr. Milholland is nodding his head.
    I go back to 2000, Mr. Milholland, when the Republicans 
were in charge, actually, and your budget went up almost 6 
percent, the next year 8.5 percent, the next year almost 4 
percent, then 4 percent, 4 percent after that. The Democrats 
take over in 2007, your budget is up 4.73 percent, 3.8 percent, 
5.4 percent.
    How can you really sit there and tell us this is money? I 
mean, you got bigger increases than everybody else in the 
country in 2008. I can assure you there were private industries 
and businesses and households that didn't see a 5.4 percent 
increase in their budgets during the recession.
    I mean, how can you sit there with a straight face and say 
it is money? While that is convenient today and ties into what 
the ranking member was saying, haven't you been mismanaging the 
money since the 1970s and 1980s? Isn't that the only way you 
end up in this problem?
    Mr. Milholland. I think there is a different way to 
characterize it than management. I can't speak for my 
predecessors at all, but decisions made back in the 1970s and 
continued into the 1980s and 1990s and the first decade of this 
century basically said, ``Let's build a set of systems that 
automate the paper processing set of systems.'' So the way 
taxes were handled in the 1940s and 1950s and 1960s became 
automated in the way that computer systems were designed.
    That means that when you file your taxes even 
electronically today, they are actually batched up 
electronically in a set of files that then need to be passed 
from system to system. There are lots and lots of 
interconnections that make that possible.
    The program was written in Assembly language. By the way, 
it is written very elegantly. It is incredibly well-engineered 
for the time it was designed and built. The underlying 
infrastructure is very much state-of-the-art. That is why we 
can process returns so fast.
    But we are constrained by those past decisions and the 
ability to share that data with I will just say new programs 
that we want to provide, so we are--I'm sorry, go ahead.
    Mr. Mulvaney. Does anybody that you know, anybody on the 
whole panel, does anybody in the private sector do it the way 
the government does it? Are there any private companies out 
there using 8-inch floppy disks and expired languages and 
machines they cannot get pieces for? Is there anybody out there 
who does this?
    Mr. Milholland. There are certainly companies that use old 
programming languages like Assembly language and COBOL and 
Fortran and others. Most are converting themselves like we are 
to a modern programming language, all new development beginning 
with Java, for example, or other modern programming languages.
    They use modern development techniques, so that you start 
with building a data model for your enterprise rather than have 
it as an afterthought with security built in.
    I think the current practices, we would not have done it 
that way, if we had the knowledge we have today.
    Mr. Mulvaney. Mr. Milholland, you mentioned something about 
your predecessor, and someone mentioned something in the 
previous testimony. How long have you been in this position at 
the IRS?
    Mr. Milholland. I have been here not quite 8 years.
    Mr. Mulvaney. What is the average tenure? This may be to 
the OMB or GAO. What is the average tenure of a CIO at our 
major agencies?
    Mr. Powner. Two years.
    Mr. Mulvaney. Is that a problem?
    Mr. Powner. It is a huge problem.
    Mr. Mulvaney. Why?
    Mr. Powner. Well, in regards to legacy systems, what CIO 
wants to come in over a 2-year period and undertake one of 
these massive conversion efforts? They pick the low-hanging 
fruit and get quick wins, and they don't tackle the difficult 
stuff often enough.
    Mr. Mulvaney. Who controls the tenure of a CIO at a major 
agency or department? Does Congress? Anybody?
    Mr. Scott. It depends. Some are Senate confirmed. Most are 
appointed politically.
    Mr. Mulvaney. Right, but if we are going to say that Mr. 
Halvorsen is going to be CIO at DOD, and we leave him there 2 
years, whose call is that? Is it ours or somebody else's?
    Mr. Halvorsen. Depending on when the 2 years started, it 
would generally be the Secretary of Defense's call. But I am 
politically appointed, so I will change out with the 
administration.
    Mr. Mulvaney. It is an executive decision. It was sort of a 
rhetorical question. Congress doesn't say that you have a 
2-year term at DOD, or a 2-year term at HHS, or at any agency. It 
is an executive decision under both administrations.
    Mr. Powner, I take it your data goes back to Republican 
administrations as well.
    Mr. Powner. Yes, it goes back a long way. We have done 
multiple studies dating back for years on this.
    Mr. Mulvaney. Thank you, Mr. Chairman.
    Chairman Chaffetz. I thank the gentleman.
    We will now recognize the gentleman from Massachusetts, Mr. 
Lynch, for 5 minutes.
    Mr. Lynch. Thank you, Mr. Chairman and the ranking member, 
for holding this hearing. It's very important.
    I would like to ask unanimous consent to enter into the 
record the GAO report to congressional requesters entitled, 
``Federal Agencies: The Need to Address Aging Legacy Systems.'' 
We have been referring to that during our questions. I just 
wanted to get on the record.
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Lynch. Thank you, Mr. Chairman.
    I also have another report here that was generated with a 
bunch of folks, including the Department of Homeland Security, 
Intel, EMC, a whole bunch of people. And it is entitled, ``2016 
Data Breach Investigations Report.''
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Lynch. Thank you.
    The trend that the data are indicating from these reports 
are that the time frame for breaches and infiltration is going 
down, so it is measured now in days or, in many cases, minutes, 
yet our time for detecting breaches and infiltrations and the 
detection of fraud and response is weeks and months. So the 
numbers are going against us. Time is not on our side, as some 
have said.
    At a previous hearing, we had OPM up here. They did not 
even encrypt the Social Security numbers for 21.5 million 
Federal employees. So while I hear a lot of this positive talk, 
I am concerned about factually what is going on.
    Mr. Powner, the GAO did a great report, by the way. Thank 
you very much. I appreciate that. But one of the GAO's key 
findings is, and I quote, ``While Federal agencies had specific 
plans to retire or modernize some of these legacy investments, 
most of those legacy investments did not have specific plans 
with time frames, with activities to be performed, or functions 
to be replaced or enhanced.'' Is that correct?
    Mr. Powner. That is correct.
    Mr. Lynch. So all this talk here is happy talk, and it 
worries me, especially as Mr. Lieu's line of questioning.
    With respect to the Internal Revenue Service Individual 
Master File, GAO stated, and I quote, ``The agency has general 
plans to update the system, but there is no time frame 
established for this transition.'' Would you agree with that 
statement?
    I want to ask you next, Mr. Milholland.
    Mr. Powner. Yes, that is true.
    I will add, though, there has been a lot of good work done 
to get the ball rolling that ----
    Mr. Lynch. Yes, that's not what I'm asking.
    Mr. Powner.--Mr. Milholland started. I will say his tenure 
over 6 years, he has done a lot.
    Mr. Lynch. I know.
    Mr. Powner. Hopefully, he can stick around a little bit 
longer and get IMF decommissioned.
    Mr. Lynch. Yes, that is not what I want to hear, but as Mr. 
Mulvaney said, this problem didn't happen yesterday. You are 
not to blame for the existence of this problem, but we have to 
do better, a lot better.
    So, Mr. Milholland, do you want to defend yourself? Go 
ahead.
    Mr. Milholland. We, in fact, do have ----
    Mr. Lynch. And thank you for your service, by the way.
    We just have a problem here, and we have to fix it.
    Mr. Milholland. Yes, sir.
    Mr. Lynch. So a little criticism ----
    Mr. Milholland. I described the replacement of the 
Individual Master File. We are doing it in three phases. The 
second phase will end in 2019, at the latest 2020, again, 
depending on funding.
    The principal issue there is now to convert the mainline 
code from Assembly language to Java. We have, in fact, 
tackled the hardest, knottiest, most gruntiest part of this 
code, which is critical for processing taxpayer returns, to 
convert it to Java.
    Mr. Lynch. Okay.
    Mr. Milholland. We, in fact, think, literally, we have 
found a breakthrough that we can do this. We think we can apply 
for three patents for this that will allow, once we are done, 
next March ----
    Mr. Lynch. Okay, sounds good.
    Let me ask you, the master file there, so is our health 
care information on that now with Obamacare, because you are 
the repository for our health care information. How are you 
protecting that? Is that in the same file?
    Mr. Milholland. It is not in the same file, but there are 
links to it. It is actually in a relational database that we 
built separate from the Individual Master File. But the systems 
are interconnected with appropriate data calls and ----
    Mr. Lynch. All right, let me jump to the GAO here.
    The same GAO report found that HHS Medicare appeals system 
says, this is the report, ``Agency officials state that they do 
not have any plans to address the gaps that were found by GAO 
and that doing so was contingent on funding.''
    So let's go right to Ms. Killoran on that one.
    Ms. Killoran. So, as I mentioned, for the Medicare appeals 
system, we actually have been making sure that that system is 
up-to-date, both with patches and software, and on a platform 
that is actually supported by the vendors.
    So as a total system, we don't have plans to replace, but 
we are keeping it current and making sure that it is able to be 
supported.
    Mr. Lynch. Okay, my time is expired. Maybe we will do 
another round. Thank you.
    Chairman Chaffetz. We will soon. Thank you.
    Mr. Meadows of North Carolina is now recognized for 5 
minutes.
    Mr. Meadows. Thank you, Mr. Chairman.
    Ms. Killoran, let me come to you. I think earlier in your 
testimony, you were talking about the fact that the FISMA 
reporting, you have submitted that. Is that correct?
    Ms. Killoran. Yes, sir.
    Mr. Meadows. So you have submitted that. Who do you submit 
that to?
    Ms. Killoran. So we submit that to all of our FISMA 
committees, and we did that through our legislative channels.
    Mr. Meadows. Okay. So who is responsible for that 
oversight? Is that Mr. Scott at OMB? Is he charged with making 
sure that those are all submitted properly? Do you submit it to 
OMB?
    Ms. Killoran. So if you could clarify the question, are you 
talking about the report or ----
    Mr. Meadows. Let me ask Mr. Scott. Mr. Scott, as the chief 
financial officer, is it your responsibility, I guess, for the 
executive branch, for the implementation of FISMA?
    Mr. Scott. Yes, and we collect--I am the chief information 
officer, not the chief financial officer, but it is our ----
    Mr. Meadows. Excuse me. You are the CIO for the Federal 
Government.
    So essentially, it all comes to you, so they are required 
to submit that to you and to Congress, is that correct?
    Mr. Scott. Correct. We aggregate and then submit to 
Congress.
    Mr. Meadows. All right. So as it is submitted in those 
FISMA reports, as we look at that, each agency is required to 
do that. Is that correct, Mr. Scott?
    Mr. Scott. Right.
    Mr. Meadows. So let me ask you this. It appears that the 
Executive Office of the President, basically the White House, 
including OMB and the National Security Council, hasn't 
submitted the required FISMA. Is that correct?
    Mr. Scott. I don't know off the top of my head. I would have 
to check and get back to you. I don't know ----
    Mr. Meadows. Well, we have done some checking, and we have 
been looking. Can you name a single year where the Executive 
Office of the President and OMB and the National Security 
Council have submitted a FISMA report?
    Mr. Scott. We submit to Congress what has been submitted to 
us.
    Mr. Meadows. I am talking about you. I understand they are 
doing it, but you are the one that has the charge. So has OMB, 
the White House, submitted it?
    Mr. Scott. Oh, I see.
    Mr. Meadows. Because we couldn't find yours.
    Mr. Scott. Yes, we are not required by the law ----
    Mr. Meadows. Well, but that's not correct.
    Mr. Scott. That is our ----
    Mr. Meadows. Is that what you're saying?
    Mr. Scott. Our legal counsel has given us that ----
    Mr. Meadows. Well, your legal counsel doesn't make the law.
    So, Mr. Scott, let me remind you, Congress was very clear, 
extremely clear, that, indeed, the White House, and, indeed, 
OMB, is required to submit that. Yet we can't find where you've 
done it, and we specifically in the legislation mention the 
White House.
    So you are saying your legal counsel has told you that?
    Mr. Scott. That is the opinion we have gotten.
    Mr. Meadows. When did you get that?
    Mr. Scott. I have asked multiple times.
    Mr. Meadows. Okay, I would suggest that you go back, check 
the law, and report back to this. Do you not think that if you 
are required by law to do it, and all these other folks are 
doing it, that it sets a bad example for you not to do that?
    Would that set a bad example, if you are required to do 
that?
    Mr. Scott. If we are required to, I think it sets a bad 
example, correct.
    Mr. Meadows. All right. So you have counsel behind you. Are 
they saying that you are not required to by law?
    Mr. Scott. I will go back and check and report back to you.
    Mr. Meadows. Okay. And we would like to know some of the 
correspondence and actually where you've gotten that opinion 
from. Are you willing to give that to this committee as well?
    Mr. Scott. That is not my call, sir.
    Mr. Meadows. Okay, well, obviously, you are saying that you 
were told that, that you checked on it, and this is a conscious 
decision not to give a FISMA report on behalf of OMB and the 
office of the executive branch. Is that correct? That was a 
conscious decision?
    Mr. Scott. It was a discussion and that was the conclusion 
that we came to.
    Mr. Meadows. So what rationale would you really embark on 
embracing that would suggest that it is not a good idea to give 
information that you are requiring all the other agencies to 
give to Congress? Why would it not be a good idea for you?
    Mr. Scott. Again, our intent is to comply with the law.
    Mr. Meadows. But do you think it is a good idea that, even 
if it is not required, since you are requiring all the other 
agencies, don't you think it would be a good idea for you? I 
think the answer--don't you think it would be a good idea?
    Mr. Scott. I don't have an opinion on that, sir.
    Mr. Meadows. Well, I do, and I think it would be a good 
idea.
    Let me come to the GAO. We are talking about all these 
legacy systems, and we continue to have hearing after hearing 
after hearing. What I find troubling is, is there a lot of 
savings that could be realized if we get rid of the legacy 
systems, jump off the cliff and say, ``Let's make a commitment. 
We are going to do it.'' Is there substantial savings that 
could happen?
    Mr. Powner. Yes, there are. That $60 billion we spend on 
O&M. We have old legacy that if we could get more efficient 
systems, it would be less costly to maintain, it would be more 
secure. Then you already know that we have duplicative spending 
on commodity IT and inefficient data centers.
    So the $60 billion has all kinds of inefficiencies in it. 
Our point is, we need more plans. I agree not everyone needs a 
plan. There might be some higher priorities. But we need more 
plans, so that we move that spending from 60 into the 20 
bucket.
    Mr. Meadows. Well, thank you. And I thank your staff for 
their great work.
    And I yield back, Mr. Chairman.
    Chairman Chaffetz. I thank the gentleman.
    I'll recognize the ranking member, Mr. Cummings, for 5 
minutes.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    I intentionally wanted to wait and listen to some of the 
testimony. I listened to Mr. Lieu, and I agree with him. When 
we read the resumes of you all, we realize that you could be 
somewhere else, making a lot more money. I think, in a way, 
that's what is kind of depressing about this. We have people 
who, first of all, care, who are experts. You come into 
government to try to make a difference, or you have been in 
government, and we seem to be going in a circle, trying to get 
off the merry-go-round, Mr. Scott, but still going in a circle.
    I'm not blaming you all. It just seems that we have a set 
of circumstances where we have an old system that is breaking 
down, trying to keep that afloat, and at the same time trying 
to catch up with technology that is not changing by the week, 
but changing by the hour. That is a tough one.
    Sometimes we can start talking politics, and we still don't 
get to where we have to go to. That's what I want to talk about 
for a moment here.
    Mr. Scott, you have been in your job a little less than 2 
years?
    Mr. Scott. About 1.5 years, sir.
    Mr. Cummings. The chairman was very complimentary, gave you 
a lot of nice compliments, and they are deserved. You come from 
private industry, is that right?
    Mr. Scott. That's correct.
    Mr. Cummings. Do you see, first of all, progress? You've 
been there 1.5 years. Do you see us moving in the right 
direction?
    And this is the thing that bothers me, this wrestling with 
this issue of money. I don't want to sit here and wrongfully 
say that, if we had more money, we can do better, if that is 
wrong, if that is not accurate. But on the other hand, if we 
need the money, I don't want to act like we don't.
    And then there's a second part of it. We may need the 
money, but then the question is whether or not we are using the 
funds that we have effectively and efficiently.
    Can you address that for me? And then tell me how does the 
modernization act, because I understand it is like the best 
practices, it's an example of best practices from private 
industry, how that would remedy this.
    I know I have said a lot.
    Mr. Scott. Sure, I'd be happy to.
    I would say, in answer to one of your questions, I do think 
we are making progress, just not fast enough and 
comprehensively enough. Almost every agency is trying to 
prioritize in some way or another, and address the most urgent 
issues. But what we see quite often is that it takes too long 
for them to put together the money to go do the replacement, or 
to try to harvest savings to put together in one place to go 
fix things.
    I think there is a broader set of issues that ITMF tries to 
address.
    Comprehensively, what it does is marries management, money, 
and a different mode of operation than the pattern that we have 
been in. The world of digitization, and our government is 
digitizing just like every other enterprise, digitization 
starts to tear down traditional boundaries of the org chart, 
and so on, and comes at what we do from a citizen-centric 
perspective.
    Today, because of our boundaries and our funding models and 
the way we have architected IT, we require our citizens to 
decode our org chart in a way that, frankly, they don't want to 
do.
    So this modernization fund relies on principles that we 
borrowed from the private sector. If you are in the private 
sector, you go to a capital committee, and you come in and you 
make a business case for why you want to do what you're going 
to do. And the capital committee evaluates your ability to do 
that. They look at the business case. They ensure the 
commitment, that the money is going to get paid back.
    We think that that commitment of management, along with 
this different mode of operation that we are proposing, will 
start to help us along the path to a much more and needed 
modernization of our Federal Government.
    I will note as well that if we continue to do the same 
thing we have been doing before, we are just making the 
situation worse. A good friend of mine once told me, if you are 
riding a dead horse, best dismount. I think it is time for us 
to dismount from this past practice and get onto a more modern 
method.
    Mr. Cummings. You don't have to tell us what your plans 
are, but if I were to guess, you probably will not be in this 
position but so much longer.
    So the question becomes, what are you doing to try to put 
something in place so that, after you leave, there is at least 
the mechanism to take us where you just said we need to go? 
Because I can see somebody else coming in and saying, ``You 
know what? Scott was a nice guy, but now he's gone, and now 
we're going to start all over,'' and our problems are 10 times 
worse.
    By the way, the reason I am asking is because the American 
people are just totally, totally frustrated with us.
    Mr. Scott. Certainly.
    Mr. Cummings. They feel like we cannot get anything done, 
and I'm trying to figure out how we get something done that 
makes sense, solve the problems that we are talking about here, 
Mr. Mulvaney and all of us trying to figure out, how do we 
spend our money wisely and how do we get the American people 
what they deserve? That is a well-run system that keeps up 
with, as best we can, the changes in technology and, at the 
same time, serve them well?
    Mr. Scott. Well, there are a couple things we're doing.
    First of all, we're putting together a set of requirements 
that will require the agencies to identify modernization 
efforts in a much more comprehensive way, whether this fund 
comes through or not.
    Secondly, we are revising the job descriptions for CIOs to 
make sure that, as we hire future CIOs, we get the right kind 
of talent in place.
    Frankly, this is important work, and I think there are 
quite a number of people who, given the right point in their 
career, are perfectly willing to come and do public service and 
help fix this, if there is hope that they can make progress. 
Nobody wants to come in and say, ``I just want to be saddled 
with the old dead horse way of doing things.'' So I think that 
is key to attracting talent and continuing to make progress on 
this.
    Lastly, I will say I intend to be involved and influence 
one way or another even beyond this job. I think it is 
critically important that we do this. I think our relevance to 
citizens is going to depend on how good a job we do in this 
area.
    The ITMF is my best guess about the fastest way to 
accelerate progress toward that goal. I'm happy to listen to 
any other alternatives.
    What I do know is what won't work. Going around tin-cupping 
7,000 different investments across the Federal Government is 
the slow way to nowhere, as far as I'm concerned.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Chairman Chaffetz. Thank you. I now recognize myself.
    Mr. Milholland, you have been a good witness to us a couple 
times. You provide a lot of candor. The question is, why did we 
have to subpoena you this time to attend?
    Mr. Milholland. That was the decision of the Commissioner, 
and he wanted to testify himself. I understand the reasoning. 
He didn't speak to me about it, but in the past, he thinks that 
the political appointee should be the one to speak to the 
Congress, not careerists like me.
    Chairman Chaffetz. Were you willing to testify without a 
subpoena?
    Mr. Milholland. Yes, sir.
    Chairman Chaffetz. This is something we are going to have 
to continue to discuss, because on the one hand, in another 
committee, the IRS Commissioner said he was too busy and didn't 
have time to prepare, couldn't show up to answer hard 
questions. Then we have a hearing here, where we have to dive 
deep into how the IT systems are working, and he is begging to 
come and, in fact, told our office that we have to issue a 
subpoena to have Mr. Milholland come here.
    I think it puts a bad light on the IRS. I think it puts a 
bad light on you personally. But I did want to clarify and 
appreciate your candor in saying that was totally and wholly 
unnecessary. We did it. It's paperwork. I can do it 
unilaterally, but I shouldn't have to do it. Nobody else 
required a subpoena to be here.
    Again, it is not a personal reflection on you, but I think 
it is a personal reflection on Mr. Koskinen and the ridiculous 
manner in which he tries to manage a 90,000-person 
organization.
    The Congress of the United States of America and certainly 
the Oversight Committee, we can talk to anybody at any time. We 
can investigate anything anywhere and we can call anybody we 
want before this committee, not just the Senate-confirmed IRS 
Commissioner. It is arrogant. It is beyond belief. And it 
continues to thwart our activities here in Congress.
    And I am not letting go of this. I do think he should be 
impeached. I do think he should get out of government. He 
should do the right thing for this country, and somebody else 
should be at the helm. He was hired by the President with the 
best of intentions, and the President made a personal 
commitment. He made a personal commitment that we are going to 
work together. We are going to do this hand-in-hand. And that is 
not happening. And this is another example here today.
    Enough of that speech about that. I do want to talk about 
the Obamacare files that were mentioned before.
    Mr. Powner, do you have a position on this? Have you looked 
at how, from the GAO perspective, how this is going? It is a 
massive undertaking, a great vulnerability.
    Have you done anything in this regard? Do you have any 
perspective on this?
    Mr. Powner. I have colleagues who have looked at Obamacare 
implementation, as well as some of the IT issues, in 
particular, security around the systems with Obamacare. We have 
some outstanding recommendations on security.
    I, personally, have not done that. I will say, though, I 
did testify in front of this committee when there was the 
initial failure with the rollout, and I will say I worked 
closely with Mr. Milholland, because at the time I was doing 
IRS work and I knew where they were at getting their systems 
ready for Obamacare, which was different than where HHS and 
some others were.
    Chairman Chaffetz. So the housing of all this data and 
information, I guess as a follow-up, Mr. Milholland, at the 
IRS, and certainly Mr. Powner from the GAO, we would love to, 
and request, if we need to do this formally, we will do it 
formally, but we would appreciate a keen eye on this, just 
because of the vulnerability and sensitivity and the sheer 
number of people that will be involved and engaged in this.
    Mr. Powner. Okay.
    Mr. Milholland. Yes, sir.
    Chairman Chaffetz. I want to switch gears here to HHS, 
Health and Human Services.
    This is your first time testifying, and I appreciate that. 
How long have you been working IT at HHS?
    Ms. Killoran. About a year and a half.
    Chairman Chaffetz. A year and a half, okay.
    The committee made a request. I thought it was a fairly 
benign request, and it gives us a perspective. We asked to 
identify the top three mission-critical IT systems in need of 
modernization. That seems like a simple request. Every other 
agency and department we asked for it was willing to cooperate. 
The only one that wasn't was HHS.
    You claim that it was classified information. It is not the 
Department of Defense. This is not the CIA. This is Health and 
Human Services. Why claim it's classified?
    Ms. Killoran. It is around the sensitivity of the 
information that is stored in the systems. As folks have 
mentioned today, some of my colleagues, information, especially 
around personal health information, it is one of the increasing 
threat vectors across the organization and in the public 
overall. So we want to make sure that we are protecting the 
American public and the health information.
    Chairman Chaffetz. But you understand that that information 
that we are asking for is not classified, correct?
    Ms. Killoran. As an individual system, but there are 
concerns about what those systems are and the targets that 
would ----
    Chairman Chaffetz. And you understand that the Oversight 
Committee can access classified information, correct?
    Ms. Killoran. Yes. We were actually able to--we actually 
had members of the committee come over yesterday to our ----
    Chairman Chaffetz. Why should the committee have to come to 
you? Why do we have to go to look at in camera?
    Ms. Killoran. We are just concerned about what those 
systems are and putting ----
    Chairman Chaffetz. Yes, well, here's what you need to 
understand. We are entrusted with nuclear secrets, CIA 
information, a lot of very sensitive information. You cannot as 
an agency start to make up new classifications and new rules 
saying, ``Well, we're sensitive and we don't trust Congress.'' 
We shouldn't have to go to HHS to review this information in 
camera.
    In fact, it gives us a real sense that you really don't 
know what you're doing over there.
    Ms. Killoran. These are not classified systems. We actually 
transmitted the information to OMB that it requested as 
classified. These are not classified systems, and they do not 
have ----
    Chairman Chaffetz. Correct. You used a classified system to 
transmit it, but then when we request it, why do we have to 
ratchet this up?
    Again, Health and Human Services has already identified one 
of the three systems to GAO, and another system that the HHS 
told us about was shut down.
    We are just asking for the top-level review of what are the 
three mission-critical systems. Then we finally get to see one, 
and then it is figured out that you had to come back to us and 
say, ``No, it was really shut down.''
    Can you see where you have a flashing red light over there 
at HHS that nobody else has?
    Ms. Killoran. Understood. Like I said, we are actually 
willing to provide that information.
    Chairman Chaffetz. Okay, just to be clear, and again, you 
strike me as an exceptionally nice person. You are going to 
provide--the request that we made, by this committee, you are 
going to provide those to us, correct?
    You have a staff person there. Feel free to talk to them, 
if you want to confer.
    But I need to know if we are going to get this information 
or not.
    Ms. Killoran. Yes. Yes, you will.
    Chairman Chaffetz. Okay.
    I have some other questions, but let me recognize another 
member, and I will come back on another round here.
    Let's recognize Mr. Lynch of Massachusetts.
    Mr. Lynch. Thank you, Mr. Chairman.
    I have to say, it is a bipartisan frustration sometimes, 
especially with these data breaches. Everybody is getting 
hacked. All the agencies are getting hacked. It seems like the 
hackers have better access to the information than the 
Oversight Committee does. That is the frustration here, that 
the information is going out the door, and then there is some 
stonewalling going on. When this committee asks for 
information, it is not forthcoming. So that is some of what you 
are hearing.
    I want to go back to Mr. Scott. I know you have a set of 
guidelines, a guidance, I guess you would call it, to these 
agencies on how to prioritize their responses to some of these 
high-risk legacy systems.
    Are any of the agencies on that right now? Have any of the 
agencies actually adopted that guidance and are implementing 
it?
    Mr. Scott. Let me clarify the guidance that you are 
referring to. As a part of the Cyber National Action Plan, and 
the earlier Cyber Sprint, we asked agencies to look at their 
high-value assets, and then some corrective measures were taken 
immediately on the initial set of things.
    There is a review going on now with a larger set of 
identified high-value assets. That is in progress right now.
    Mr. Lynch. Maybe you could drill down on that a little bit 
more. High value, is that the same as high risk? Because in the 
GAO report, it indicated there was a guidance to prioritize 
high-risk legacy systems. Now, that may not be high-value 
systems, but ones with greatest vulnerability, I guess.
    Mr. Scott. Let me talk about our guidance, generally.
    It is best practice to constantly be evaluating your 
systems for all kinds of different things. Risk would be one of 
the factors that you would look at there. Technology 
obsolescence would be another one. So that is, in fact, a part 
of our guidance.
    Mr. Lynch. Okay. It indicated in this report that the 
Department of Transportation and USDA had started acting in 
compliance with this. I thought you might have some information 
regarding that.
    Mr. Scott. It is work in progress right now.
    Mr. Lynch. All right.
    Mr. Powner. If I could clarify that?
    Mr. Lynch. Please.
    Mr. Powner. So there was draft guidance, and we did our 
review. We think that guidance is really good. We would like to 
see OMB finalize that guidance and have agencies apply the 
guidance, so that we could have a prioritization of these 
things that need to be replaced, similar to the chairman's 
questions that he asked directly with this data call, and that 
we would like to see more action on the prioritization and what 
we are tackling to modernize.
    I actually think that's needed to implement the 
modernization fund, if, in fact, that moved forward.
    Mr. Lynch. Yes, it makes sense, especially when you talk 
about the continuity problem that Mr. Cummings raised where, if 
Mr. Scott leaves at some point, we want the person coming in 
behind him to follow that same guidance and maintain those same 
priorities and get that job done, rather than somebody coming 
in with a whole new idea and taking us in a new direction.
    So those are some of the problems we see coming down the 
pike.
    But look, I appreciate your work, and I know you are all 
trying to do the right thing. We just need to do it faster.
    Thank you. I yield back.
    Chairman Chaffetz. I thank the gentleman. I will recognize 
myself again. I want to pick up on Health and Human Services.
    Health and Human Services, unlike the DOD, which has had 
significant cuts in its budget by billions of dollars in annual 
expenditure, Health and Human Services has more than doubled--
doubled--the funding for your operations in the IT sector, 
going from roughly $5.6 billion to more than $13 billion. So 
they are in a totally different mode here.
    Your responsibility includes CMS. Is that right?
    Ms. Killoran. That is correct.
    Chairman Chaffetz. I want to talk about, for a second, 
Health and Human Services has to deal with Medicare appeals. 
And from the information I've read, the HHS Inspector General's 
Office reported that the Office of Medicare Hearings and 
Appeals, OMHA, is still largely paper-based. It is so bad that 
Medicare contractors were converting records from electronic to 
paper format to send to administrative law judges.
    Can you give us the status of where this is at and what is 
being done to solve this?
    Ms. Killoran. Thank you for the question.
    Yes, that is the case, but they actually are in the process 
right now of establishing a system to do that automated 
process. And CMS is actually working with that organization, as 
that system comes online, of how to integrate the medical 
appeals system with the system that OMHA is working on right 
now.
    Chairman Chaffetz. Health and Human Services entered into a 
$1.3 billion settlement with hospitals to clear the backlog on 
Medicare appeals. This lack of automation, did that contribute 
to this problem?
    Ms. Killoran. That I would have to get back to you on, 
because, obviously, I need to get to program and get a full 
answer on what were the factors in that particular issue.
    Chairman Chaffetz. So with a little bit more specificity, 
when do we expect the implementation of this plan that CMS--is 
there a CMS plan?
    Ms. Killoran. So the system that you are specifically 
talking about is actually not in CMS. It is in the Office of 
Medicare Hearings and Appeals. And yes, they do have a plan. 
That process--that program is in development, and they are 
working toward an implementation within the next year.
    Chairman Chaffetz. Are they building their own system or 
are they buying something or leasing something?
    Ms. Killoran. It is a combination of some custom 
development and also commercial off-the-shelf.
    Chairman Chaffetz. Has that been contracted out yet?
    Ms. Killoran. Yes. Development is actually in plan. We are 
actually working with them to do security testing and are in 
the final stages of development.
    Chairman Chaffetz. We will send a letter, but are you 
committed to providing us the details of that plan?
    Ms. Killoran. Yes, sir.
    Chairman Chaffetz. Thank you. That would be very helpful.
    Let me go back to the Department of Defense here. The 
Department of Defense identified a system called the MOCAS, 
which stands for Mechanization of Contract Administration 
Services. It is an example of a mission-critical system 
scheduled for modernization. It had its 50th birthday in 2008, 
so it is a bit old. We congratulate on how robust it is.
    But this contract management payment system for DOD is 
jointly managed by the Defense Contract Management Agency, the 
DCMA, and DFAS, the Defense Finance and Accounting System.
    It was originally developed, as I said, back in the 1960s. 
It supports business processes for more than 350,000 DOD active 
contracts with roughly $1.6 trillion in contract obligations 
and entitlements valued at approximately $230 billion annually.
    The DOD in 2014 released a request for information for 
ideas on how to modernize this. Can you give us a sense of 
where this monster is? And what is the plan moving forward?
    Mr. Halvorsen. We definitely need to modernize the front 
end of that system. One of the reasons that we are delayed a 
little bit is, in looking at that, I wanted more input from the 
private sector. This is one where I do believe we could buy the 
front end of this.
    The backend of the system is in pretty good shape. It is 
old, but it is in COBOL language. It supports it.
    One of the things I do think that we want to recognize here 
is that the front end of systems, obviously, many times, we 
need to fix those. When you are interacting with customers, 
we've got that, and we have examples of that. Some of these 
backend systems I do think we want to make that investment the 
same way the private sector would, which is to do the business 
case to say, ``Does it pay to change that?'' In many cases 
right now, it will not pay to change the backend of some of the 
systems we have.
    COBOL is not going away anytime soon. The predictions you 
look at, it is going to be around as our major business system 
for a while.
    The front ends, make it look more consumer-friendly. Go 
with what the private sector is doing there. And that is what 
we will end up with here.
    Chairman Chaffetz. When do you think you have a game plan 
in order to actually address this?
    Mr. Halvorsen. By the end of the summer.
    Chairman Chaffetz. Okay.
    One more question back for Health and Human Services.
    Today, the committee issued a report about Cover Oregon. We 
looked at this for a year. The Federal Government, through HHS, 
gave the State of Oregon more than $300 million to develop a 
Web site. They never got a Web site. They never got any money 
back.
    What is Health and Human Services doing about that?
    Ms. Killoran. So that would be done through our grants 
programs, so we would actually have to talk to--I would have to 
get back to you with our grant system owners and make sure I 
provide you with the right answer of how they are doing 
oversight and giving the grants. It is outside of the purview 
that I have.
    Chairman Chaffetz. So the money that is appropriated to 
Health and Human Services for IT, help me on how it is broken 
down. So you don't feel any obligation, you have no 
responsibility to oversee the grants that are given?
    Ms. Killoran. There are two sets of funds. There is 
internal IT funding, which is $5 billion that we spend 
internally. That is where the oversight I have authority and 
responsibility over.
    There is another over $7 billion that is given to our 
grants programs through that business mechanism. They are 
responsible through legislation for providing those grants out 
to States, locals, tribal, and education, universities, and 
other things for either access to our systems or to do research 
on our behalf. All of that funding is actually the 
responsibility of those individual programs to provide out and 
to provide oversight to.
    Chairman Chaffetz. Okay, you can let Health and Human 
Services--they are about to get some inquiries from the 
Oversight Committee about what obligation they think they have 
or don't have when they give out a grant. Because in this case, 
$300-plus million went out the door, again, no Web site and no 
money back.
    I think there was a lot of misrepresentation. I think there 
was fraud. I think there are potential criminal elements to 
this that we have referred now to the Office of Attorney 
General here in the United States and also the Attorney 
General, who we believe should recuse herself there in 
Oregon, because the mix of political with the government, it 
was something that I believe was done fraudulently.
    We issued about a 150-page report, and we will continue to 
follow up.
    But I appreciate the clarification, because the grant 
system is the majority of that IT budget, and it does make you 
wonder. We are looking for $3 billion. There is $7 billion that 
is given to HHS that is just given away to other entities not 
even within the Federal Government.
    So if we want to go capture and claw back and find $3 
billion to make major changes--I really am warming up to this 
idea that Mr. Hoyer has presented, and Mr. Cummings and others.
    And I do believe you and your perspective, Mr. Scott.
    This may be the type of area where maybe we are going to 
have to trim those feathers back in order to do the right thing 
with the Federal dollars and the Federal obligations.
    I will now recognize Mr. Cummings for 5 minutes.
    Mr. Cummings. Mr. Scott, I want to just follow up on a few 
things. I want to go back to this modernization act and how it 
works.
    According to estimates by the administration, after an 
initial funding of the $3.1 billion, the fund would be self-
sustaining and would address at least $12 billion in 
modernization projects over the next 10 years. Is that right?
    Mr. Scott. That is correct.
    Mr. Cummings. Can you explain to us how the fund would be 
self-sustaining over that period of time?
    Mr. Scott. Essentially, as projects get funded, and then 
either go live or--each project would have its own contracted 
repayment schedule. As those funds are paid back to the fund, 
they could then be reused for the next series of projects.
    As was mentioned before, one of the criteria for funding a 
project would be its elimination of risk, its adoption of 
modern technology, and the business case that underlies it.
    So we think there is a high likelihood, given the 
governance model we put in place, that the funds would both be 
repaid, but also be able to be reused.
    Mr. Cummings. So how would the funds support modernization 
projects that exceed the initial amount of funding?
    Mr. Scott. The modernization fund could supplement what an 
agency has in its budget and accelerate plans. That is one 
example. We have seen cases where agencies are doing the right 
thing, but they have a project that will last 5 or 6 or 7 
years, and they tell us they could do it in 2 or 3 years, save 
a ton of money, and start the savings actually that would come 
from modernization much sooner.
    That is just one example of a business case.
    Mr. Cummings. As part of the proposal, the fund would be 
overseen by an independent review board, as I understand it, 
and that would provide technical assistance to agencies in 
connection with any upgrade projects the board approves. Is 
that the way it works?
    Mr. Scott. That is our proposal.
    Mr. Cummings. Can you explain how that review board would 
work in overseeing the fund?
    Mr. Scott. Sure. The idea behind the board is we wanted to 
take a more holistic look at the factors that make a project 
successful. So is the right governance in place? Is this the 
right technical architecture? Do we have the right procurement 
strategy in place? Do the economics make sense?
    Some of those kinds of factors that, frankly, in the 
private sector are now just the norm and are sometimes missing 
from what we see.
    But we also, and this is an important point, want to 
encourage cross-agency collaboration for shared services in 
some of these projects. Getting that to work across agencies is 
not a mechanism that works terribly well today.
    Mr. Cummings. So I take it one of the things that they 
would be doing, this board, is trying to make sure that folks 
use best practices. Is that right?
    Mr. Scott. Correct.
    Mr. Cummings. And how would they accomplish that?
    Mr. Scott. First, the sharing of best practices as we find 
them in the Federal Government is one of the key things, but we 
would also leverage expertise from the private sector and make 
sure that that was available to projects that are funded by the 
fund.
    Mr. Cummings. Now what are the cost savings the Federal 
Government would realize if this bill were adopted and 
implemented? I mean, I know you have to guess that.
    Mr. Scott. Well, I think our common experience in the 
private sector is that if you get in a continuous refresh mode, 
you can either do one of two things. You can either 
increase your capacity or you can lower costs, or something in 
between.
    I think, in this case, we will see some of both. We have, 
certainly, agencies where there is more demand than we can 
satisfy today, and some of the savings could be used to address 
that demand. But we have many other cases, such as data center 
consolidation, where this activity would accelerate 
consolidation and accelerate savings, and that money could then 
be used for other purposes.
    Mr. Cummings. So I guess it would be safe to say that it 
would exceed the $3.1 billion.
    Mr. Scott. I'm quite comfortable in that. You saw it in the 
chart that I showed earlier. We have direct evidence where 
injection of modernization funds leads to savings, and the 
question is just, do we want to accelerate that?
    Mr. Cummings. My last question, folks in Washington--that 
is us, Members--get concerned about risk. What are the 
arguments against doing something like this?
    Mr. Scott. Well, I think the risk that we all see is that 
we have an accelerating amount of risk. The longer we don't 
address these ----
    Mr. Cummings. That is the greater risk.
    Mr. Scott. That is the greater risk. I am quite concerned 
about it, in total.
    In particular, it is not just applications. We also have to 
address the infrastructure, the networks and the storage and 
all of the other components, not just the applications. We have 
to address this holistically.
    Mr. Cummings. I want to thank all of you very much.
    Mr. Chairman, I yield back.
    Chairman Chaffetz. Thank you. I would just like to allow 
you each 30 or 45 seconds, you can go shorter or a little bit 
longer, if you want. What are the things the Congress, what 
would you like to see us do in order to make sure we are moving 
in the right direction?
    Let's start with Mr. Scott and go this direction.
    Mr. Powner, you take a lot longer, if you like.
    Mr. Scott. Sure. I'll be quick, because I think I have said 
most of what I had to say earlier.
    But I appreciate the support this committee has shown for 
this important topic. And in formulating the idea for the 
modernization fund, we looked at a number of different 
alternatives. Our team at OMB asked a bunch of hard questions 
about how else could we do this, what would be the best way, 
what is faster rather than slower, what is more effective? We 
borrowed heavily from private sector best practice, in terms of 
formulating this.
    While we are open to any alternative that makes sense, it 
is our recommendation at this point that this is the best we 
can think of, in terms of how to go forward.
    So I appreciate all the support that we felt in a 
bipartisan way on this topic. Thank you.
    Chairman Chaffetz. Thank you.
    Ms. Killoran. So HHS also agrees that what OMB is putting 
forward on the ITMF is the right move. Being able to invest in 
our technology and making sure that we are using technology 
that is current, that is scalable, and meets not only the needs 
of today, but is scalable for the needs of the future, is the 
right direction for us to go into.
    We have been able to make small incremental changes with 
the funding that we have, and we have actually seen those 
successes. So we are a good case study on what positively can 
happen in this type of situation, and we would be willing, 
obviously, to share that not only with the members of this 
committee, but also with OMB as we move forward and work to 
adopt this model.
    Thank you.
    Chairman Chaffetz. Thank you.
    Mr. Halvorsen?
    Mr. Halvorsen. I thank the committee. This committee has 
taken this problem seriously, and I do appreciate that. And I 
think you've understood the complexity of the problem, which is 
very helpful, in itself.
    The other area that this committee has been helpful with, 
and I hope that will continue, is giving us some flexibility on 
how we hire the cyber and IT work force.
    Thank you.
    Chairman Chaffetz. Thank you. I happen to agree. I think 
the personnel issue is probably as big as anything. Attracting 
the talent, retaining the talent, I mean, it's--I have a new 
son-in-law, a couple weeks old, this son-in-law. But he just 
graduated and that kid is more employable than I am, so I 
agree.
    [Laughter.]
    Mr. Milholland, you are now recognized.
    Mr. Milholland. Thank you for asking that question. I think 
there are two things. I put it in my written statement and in 
my opening remarks.
    It comes down to, from an IT point of view, certainty in 
our budget, at least restore us back to the levels we were at a 
number of years ago. It has really handicapped our ability to 
modernize our legacy environments and our aging infrastructure 
and provide the services that taxpayers need.
    The second thing deals with the people issue you just 
mentioned, and it is the streamlined critical pay authority. We 
have nine IT folk who a year from now will disappear. They are 
absolutely critical to the architecture work we are doing for 
legacy system modernization, the engineering, the 
implementation and operations. And they said that they would 
serve their country, but right now, if the law is not renewed, 
they will literally leave and increase the risk on the IT 
organization to serve the taxpayers of this country.
    So thank you.
    Chairman Chaffetz. Again, not your fault, not your issue, 
the senior leadership, the Commissioner himself, is the number 
one impediment to moving those things forward. Nobody believes 
him. Nobody trusts them. He is not trustworthy.
    I think that problem will continue to linger as long as he 
is the Commissioner. If he changes out, I think the world will 
change.
    Mr. Powner, you are now recognized.
    Mr. Powner. Mr. Chairman, I would like to thank you for 
highlighting this legacy IT issue. We talked a lot today also 
about transition. There is a lot of talent sitting here to the 
left of me. And I would like to highlight the importance of 
FITARA and your efforts in ensuring that we continue to 
implement that law.
    The first part of FITARA is about strengthening CIO 
authorities. We need more CIOs like some of the folks sitting 
here. But FITARA is also about understanding what we spend on 
IT and then executing it.
    Legacy IT management is executing, so it is all part of 
FITARA.
    So your grades looking at areas you looked at to date have 
made a lot of progress to date, and we need to continue to make 
progress through this transition period that we are in.
    Chairman Chaffetz. Thank you. It is important, and again, 
particularly to the agencies that are represented, and those 
that aren't, it really is the FITARA model, I think, is a way 
for us to gain perspective and set reasonable goals and do 
self-analysis and be candid in where we're at.
    Again, I want to thank you all personally for your 
commitment to our country. It's a difficult thing. If this was 
easy, it would have been done a long time ago.
    Making these transitions away from legacy systems, that is 
a major, major overhaul and very difficult project, to say the 
least.
    So I appreciate your expertise and working with this 
committee and your presence here today.
    The committee stands adjourned.
    [Whereupon, at 11:12 a.m., the committee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
