[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]





 
      THE FEDERAL INFORMATION TECHNOLOGY REFORM ACT SCORECARD 2.0

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                AND THE

                            SUBCOMMITTEE ON
                         GOVERNMENT OPERATIONS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 18, 2016

                               __________

                           Serial No. 114-159

                               __________

Printed for the use of the Committee on Oversight and Government Reform









         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                      
                      
                            _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 26-068 PDF               WASHINGTON : 2017       
                      
                      
                      
                      
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                      Julie Dunne, Senior Counsel
                          William Marx, Clerk
                 David Rapallo, Minority Staff Director

                 Subcommittee on Information Technology

                       WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking 
MARK WALKER, North Carolina              Minority Member
ROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois
                                     TED LIEU, California
                                 ------                                

                 Subcommittee on Government Operations

                 MARK MEADOWS, North Carolina, Chairman
JIM JORDAN, Ohio                     GERALD E. CONNOLLY, Virginia, 
TIM WALBERG, Michigan, Vice Chair        Ranking Minority Member
TREY GOWDY, South Carolina           CAROLYN B. MALONEY, New York
THOMAS MASSIE, Kentucky              ELEANOR HOLMES NORTON, District of 
MICK MULVANEY, South Carolina            Columbia
KEN BUCK, Colorado                   WM. LACY CLAY, Missouri
EARL L. ``BUDDY'' CARTER, Georgia    STACEY E. PLASKETT, Virgin Islands
GLENN GROTHMAN, Wisconsin            STEPHEN F. LYNCH, Massachusetts


                            C O N T E N T S

                              ----------                              

Hearing held on May 18, 2016

                               WITNESSES

Mr. Steven I. Cooper, Chief Information Officer, U.S. Department 
  of Commerce
    Oral Statement
    Written Statement
Ms. Dawn Leaf, Chief Information Officer, U.S. Department of 
  Labor
    Oral Statement
    Written Statement
Mr. Michael M. Johnson, Chief Information Officer, U.S. 
  Department of Energy
    Oral Statement
    Written Statement
Ms. Renee P. Wynn, Chief Information Officer, National 
  Aeronautics and Space Administration
    Oral Statement
    Written Statement
Mr. David A. Powner, Director, IT Management Issues, U.S. 
  Government Accountability Office
    Oral Statement
    Written Statement

                                APPENDIX

Opening Statement of Mr. Meadows
FITARA Scorecard documents for the record


      THE FEDERAL INFORMATION TECHNOLOGY REFORM ACT SCORECARD 2.0

                              ----------                              


                        Wednesday, May 18, 2016

                  House of Representatives,
Subcommittee on Information Technology, joint with 
         the Subcommittee on Government Operations,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittees met, pursuant to call, at 2:04 p.m., in 
Room 2154, Rayburn House Office Building, Hon. William Hurd 
[chairman of the Subcommittee on Information Technology] 
presiding.
    Present from Subcommittee on Information Technology: 
Representatives Hurd, Walker, Blum, Kelly, and Lieu.
    Present from Subcommittee on Government Operations: 
Representatives Meadows, Jordan, Walberg, Buck, Carter, 
Connolly, and Plaskett.
    Mr.  Hurd. The Subcommittee on Information Technology and 
the Subcommittee on Government Operations will come to order. 
Without objection, the chair is authorized to declare a recess 
at any time.
    We believe votes are probably going to be called around 
2:20, so we are going to try to get through as many of the 
opening statements as we can before we have to take a break and 
come back for the questioning.
    So thank you for being here and good afternoon.
    Earlier in this Congress, the Subcommittee on Information 
Technology and the Subcommittee on Government Operations began 
a joint effort to hold agencies accountable for implementation 
of FITARA. Our oversight on this issue is part of an ongoing 
effort to reform the state of IT in the Federal Government.
    FITARA can play a key role in ensuring broader authorities 
for agency CIOs and a reduction of waste, fraud, and abuse. I 
think it is important to keep that broader goal in mind as we 
discuss today's grades.
    The intent of grading agencies is to provide an objective 
measurement of progress and challenges. Some agencies continue 
to do better than others. Today, I am pleased to see moderate 
improvement in the grades from the first scorecard.
    The overarching goal is for Federal agencies to transition 
to deploying modern technology rather than spending funds on 
outdated systems. Technology is a wonderful thing. It should 
reduce errors, save taxpayer money, and be a tool to help 
agencies accomplish their missions. It should not be a burden.
    To agency CIOs looking to improve your score, I would say 
three things.
    First, understand that the grade is a snapshot in time. The 
committee realizes, in many cases, the situations CIOs find 
themselves in developed long before they got there and are the 
result of decisions made by people who are long gone.
    Second, the risk assessment transparency metric is entirely 
within the CIO's control. GAO reports validate the common-sense 
conclusion that major IT projects carry much more risk than 
agency CIOs are currently acknowledging to Congress and the 
American people. I would encourage CIOs to take a good look at 
the risk ratings they are assigning to projects on the 
dashboard.
    And third, there are millions of dollars' worth of savings 
still on the table for data center consolidation. GAO has 
reported that agencies have closed over 3,000 of about 10,500 
data centers and achieved $2.8 billion in cost savings rate. 
Most of these savings are attributed to just four agencies, 
including Commerce, who I believe is going to talk about that 
today. So there is much more in terms of savings left 
available. GAO calculates planned savings of around $1.5 billion 
per year from consolidating data centers.
    For those advocating for billions of additional funding to 
help modernize IT, I would suggest that savings from data 
center consolidation might be a better place to look than a new 
appropriation.
    Under FITARA, CIOs now have a proper seat at the table. No 
longer are technology and cyber issues confined to tech geeks 
in some backroom. In the digital age, IT issues are front and 
center. They are central to what government does and how it 
does it.
    This committee intends to focus on ensuring the men and 
women in these CIO positions are qualified, accountable, and 
empowered to make decisions and lead within their agencies. The 
American taxpayers deserve agency CIOs who understand the value 
proposition of the cloud rather than CIOs who believe their 
agencies are so special that a proprietary mainframe database 
is needed.
    Congress requires accurate and complete data, and answers 
from agencies, rather than conflicting numbers and obfuscation. 
Ultimately, taxpayers deserve a government that leverages 
technology to serve them rather than one that deploys 
unsecured, decades-old technology and keeps sensitive 
information in nonencrypted databases.
    We are not there yet, and we have a long way to go, but I 
am cautiously optimistic that we are moving the needle in the 
right direction.
    I thank the witnesses for being here today, and I look 
forward to their testimony.
    Now, I would like to recognize Ms. Kelly, the ranking 
member of the Subcommittee on Information Technology from the 
great State of Illinois, and my friend, for her opening 
statement.
    Ms.  Kelly. Thank you, Mr. Chairman.
    And thank you, Chairman Meadows and Ranking Member 
Connolly. I know they will be joining us shortly.
    Today's hearing is the third in a series that our 
subcommittees have held to learn how agencies are implementing 
the requirements of the Federal Information Technology 
Acquisition Reform Act. As was noted, during November's 
hearing, these hearings help us ensure that agencies are 
hitting the required benchmarks as we move toward a more 
efficient, modern, and secure Federal Government.
    At the last hearing, we released a FITARA scorecard 
assessing agencies' implementation of four of the seven 
initiatives required by the act. Today, we release an updated 
FITARA scorecard measuring agencies' progress in the areas of 
data center consolidation, IT portfolio review savings, 
incremental project development, and risk assessment 
transparency.
    I am looking forward to discussing the grades received by 
the four agencies here today.
    Since the last scorecard, I am encouraged to see that out 
of the 24 agencies that are covered by FITARA, seven have shown 
improvement in their overall grade, and others have improved in 
individual categories.
    Looking beyond the grades, let me say that I have been 
encouraged by the responsiveness of most agencies and the 
progress in FITARA implementation to date. I especially want to 
recognize, as the chairman said, the Department of Commerce's 
work in exceeding their goal of saving $222 million through 
fiscal year 2016 in data center consolidations. I hope to see 
this effort continued.
    Government-wide data center consolidations alone have 
realized $1.3 billion in savings, and we are expecting to save 
an additional $8.2 billion by 2019. These are good first steps, 
but it is clear that there are obstacles to overcome in 
implementation.
    This new scorecard shows that numerous agencies have hit 
roadblocks and others have fallen behind in implementation. I 
look forward to addressing these challenges today, also.
    I'm especially interested in hearing how agencies plan to 
stick to their FITARA implementation plans as a new 
presidential administration takes charge next year. No 
transition is seamless, so I look forward to learning what 
steps your agencies are taking to ensure a transition that will 
continue the progress we have made so far.
    We all know what is at stake here. The Federal Government's 
IT acquisition process isn't just an inefficient use of 
taxpayer money. It is also a security risk. Too many agencies 
are still reliant on outdated legacy systems. With each passing 
year, these systems cost more and more to secure and maintain.
    FITARA not only helps Federal agencies save money in IT 
procurement, it also helps them make smarter IT investments. 
Quite frankly, FITARA implementation is a change that the 
Federal Government has sorely needed.
    I want to thank the witnesses for testifying today. I know 
that an overhaul of your IT acquisition and management is not 
an easy task, so I look forward to hearing how your agencies 
are handling the challenges in implementing FITARA.
    Thank you, Mr. Chairman. I yield back.
    Mr.  Hurd. Thank you, Ms. Kelly.
    I would like to now recognize the chairman of the 
Subcommittee on Government Operations, Mr. Meadows, for his 
opening statement.
    Mr.  Meadows. Thank you, Mr. Chairman. Thank you for your 
leadership on this particular issue.
    I'm going to keep my remarks very brief. They are about to 
call votes here shortly.
    So in doing that, I think it is more important that we 
emphasize the fact that FITARA is not a law that was passed 
with no expectation of implementation. We are going to continue 
to follow up and continue to have these types of hearings.
    We are hearing news that two of our witnesses hopefully 
have plans that are either on their way or very close to being 
done, so I applaud you for those efforts.
    Really, this is more about accountability. For us, we want 
to see progress. We are going to work with the GAO on a number 
of fronts.
    As we look at that, it is going to be a critical component 
of what we look at. I have already been talking to 
appropriators on a number of fronts. I'm willing that, if you 
are willing to do a good job, I am willing to be your advocate. 
So I want to just stress that.
    But thank you. I will submit a written statement for the 
record, Mr. Chairman.
    With that, I will yield back.
    Mr.  Hurd. Thank you, sir.
    I now would like to recognize Mr. Connolly, the ranking 
member of the Subcommittee on Government Operations, and the 
architect of FITARA, or, as most people like to call it, the 
Connolly-Issa bill.
    Mr.  Connolly. You are my very favorite chairman.
    [Laughter.]
    Mr.  Connolly. I've always thought that, except for Mr. 
Meadows. It is kind of a tie. Both wonderful human beings.
    Thank you, Chairman Hurd, Chairman Meadows, and my friend 
Ranking Member Kelly.
    I welcome this latest joint subcommittee hearing to examine 
the implementation of FITARA. I'm particularly grateful to my 
two colleagues on the other side of the aisle.
    They made a promise we weren't going to let this go. Unlike 
Clinger-Cohen, we were going to stick with this, and we were 
going to provide oversight. And they have kept their word. And 
the four of us operate seamlessly. I think that is good for the 
United States Government.
    I think, in partnership with the executive branch, we can 
make a big difference on something that may seem deceptively 
uninteresting, but that actually can help transform agencies 
and how they do business and save lots of dollars for our 
taxpayers.
    Today, we release our second scorecard on FITARA. As I 
stated at our last hearing, the scorecard is not intended to be 
a scarlet letter on some agency's back. It is meant to 
incentivize agencies to improve management of Federal IT 
investments and to create metrics so that we can look at 
progress.
    On the initial scorecard issued prior to December 31, for 
all agencies to have FITARA implementation plans, it was 
understandable that we saw some grades on the lower end of the 
scale. We were just beginning. Ds and Fs outnumbered As, Bs, 
and Cs more than 2-to-1. Today, we are pleased to see a very 
marked improvement in the latest scorecard with higher marks 
now outnumbering lower ones.
    Seven agencies improved their overall grades, including the 
Department of Energy, one of today's witnesses, which jumped 
two letter grades.
    I also want to commend the Department of Commerce for its 
work on data center consolidation, a very critical part of 
FITARA. It originally set the goal of saving $222 million and 
actually reported $260 million in savings, an example to which 
other agencies ought to aspire.
    While the Department of Energy and the Department of Labor 
are performing well on some aspects of the scorecard, I would 
note both agencies only recently received OMB approval--
recently, I think it's in the last 24 hours, but all right, 
good--for the initial implementation plan. Obviously, we expect 
to hear more from those agencies today about why their plans 
were delayed and what actions they are taking to advance those 
important IT management and acquisition reforms.
    It is also encouraging to see the Department of Energy 
reporting all three of its major IT projects meeting the 
incremental development benchmark for delivering functionality 
every 6 months.
    Similarly, I want to applaud the Labor Department for its 
realistic evaluation of the risks present in its IT projects. 
The department rated nearly three-fourths of its projects as 
high-risk, earning it high marks for risk assessment 
transparency. I know Dave Powner and GAO are looking for 
realistic assessment of project risks and what they entail.
    Accurately calculating and reporting project risk is a 
continuing challenge. Agencies currently report two-thirds of 
their IT investments pose low risk. Based on GAO's more 
thorough reviews of those projects, that risk, we believe, is 
understated.
    Accurately capturing the risk so we can respond to it and 
anticipate problems is one of the pillars of FITARA. It is a 
management concept, so we look forward to hearing more from GAO 
on how to address that challenge as we move forward.
    I also want to hear from today's witnesses about whether we 
are accurately defining IT investments and how that may affect 
implementation of reforms.
    For example, neither the Commerce Department nor NASA 
includes spacecraft or satellites in their reporting. Surely, 
those systems fall under the IT umbrella, so we would like to 
hear their thoughts about that.
    It is also puzzling that the government agency with 
arguably the most innovative and technologically demanding 
mission continues to receive the lowest marks on the scorecard, 
NASA. NASA has not reported anything under incremental 
development and received failing grades for the other three 
metrics. For example, it says that it plans to spend $731 
million on major IT investments this year, but reports none of 
those projects are high-risk. That stretches credulity, and we 
want to talk about that today.
    Mr. Chairman, before closing, let me share an example of 
one agency doing the right thing, though it might not have been 
reflected in its initial grades. As my colleagues will recall, 
the Department of Transportation scored at the lower end in 
certain areas, but CIO Rich McKinney actually demonstrated that 
he gets what we are trying to deal when we put a freeze on IT 
acquisitions for 90 days at the end of last year because he 
discovered component agency CIOs did not have a good handle on 
what their agencies were spending.
    We want more CIOs exercising that kind of new authority 
under FITARA.
    Today's hearing is just the latest in what we all hope will 
be an ongoing series as we continue to push agencies to adopt 
these reforms.
    Again, I thank my three colleagues for their willingness to 
collaborate as one to try to make the government function 
better and to save money for our hardworking taxpayers. Thank 
you very much.
    Mr.  Hurd. Thank you, Mr. Connolly.
    I would like to hold the record open for 5 legislative days 
for any members who would like to submit a written statement.
    We will now recognize our panel of witnesses. I am pleased 
to welcome Mr. Steven Cooper, chief information officer at the 
U.S. Department of Commerce; Ms. Dawn Leaf, CIO at the U.S. 
Department of Labor; Mr. Michael Johnson, CIO at the U.S. 
Department of Energy; Ms. Renee Wynn, chief information officer 
at NASA; and Mr. David Powner, director of IT management issues 
at the U.S. Government Accountability Office.
    It is always a pleasure to have you here, David.
    Welcome to you all. Pursuant to committee rules, all 
witnesses will be sworn in before they testify, so please rise 
and raise your right hands.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    Thank you. Please be seated.
    Let the record reflect that the witnesses answered in the 
affirmative.
    In order to allow time for discussion, we would appreciate 
if you would implement your testimony to 5 minutes. Your entire 
written statements will be made part of the record. If the 
bells go off while you are talking, just keep going. We will 
conclude at your statement.
    Now, I would like to thank Mr. Cooper at the Department of 
Commerce. You got a B, the highest grade that we gave. Mr. 
Cooper, you get to kick us off today, starting with your 5 
minutes.

                       WITNESS STATEMENTS

                 STATEMENT OF STEVEN I. COOPER

    Mr.  Cooper. Thank you very much. Chairman Hurd, Ranking 
Member Kelly, Chairman Meadows, Ranking Member Connolly, and 
members of the subcommittees, thank you for the opportunity to 
appear before you today to discuss Commerce's work on the 
implementation of the Federal Information Technology 
Acquisition Reform Act, and thank you for your resolute 
bipartisan efforts to ensure that this critical law is 
implemented successfully.
    To begin, I believe FITARA is one of the strongest and most 
helpful pieces of legislation to improve CIO involvement with 
the decision processes and policies related to managing 
information technology resources and increased government 
efficiency and effectiveness. I am committed to its success.
    Secretary Pritzker and Deputy Secretary Andrews strongly 
support FITARA and have made FITARA one of their and my key 
priorities. They have made it clear to DOC's executive 
leadership that FITARA is the responsibility not only of the 
CIO, but all their senior staff.
    Since October 2015, the department's FITARA team, 
representing my office and the department's budget, 
acquisition, personnel, and legal offices, has been meeting 
weekly to ensure the full implementation of our FITARA plan and 
FITARA across the Department of Commerce.
    FITARA implementation is one of my top goals, and I have 
named one of my senior staff, Ms. Erin Cavanaugh, who is with 
me today, our full-time program manager for FITARA 
implementation, making the department one of only a few 
departments to create a full-time FITARA program official.
    Let me now highlight progress we have collaboratively made 
in three specific areas, and why I believe we are on a path to 
achieve full implementation in the budget, personnel, and 
acquisition areas required by FITARA.
    First, budget. My office is working closely with the 
department's offices of budget to ensure that I am fully 
engaged in the budget formulation and review process to enable 
me to review and approve the overall DOC IT budget. Leveraging 
FITARA has allowed me as the DOC CIO to have full visibility 
into each bureau's IT budget, which enhances my understanding 
of our full ask and spend, and helps me identify opportunities 
for strategic and operational collaboration all across all 12 
of our bureaus in areas like cybersecurity, enterprise 
licensing agreements, cost savings, and contract consolidation. 
I am particularly pleased that the NOAA and Census CIOs and 
their budget offices have worked closely with my office and the 
DOC budget office to introduce greater involvement in budget 
formulation and visibility.
    Second, acquisition. Our Office of Acquisition Management 
has revised the Commerce acquisition manual, so that the CIO 
now participates in the review and approval of all acquisitions 
above $10 million, whether or not a program was initially 
determined to be IT. This is a significant change. Previous 
acquisition policy only required my office's participation on 
acquisitions over $75 million.
    Third, personnel. Our chief human capital officer and I 
drafted and reviewed and signed a new department bulletin, 
which gives me direct involvement in the selection 
responsibility over all SES IT and all CIO-titled positions 
across the department. That said, our IT work force planning is 
not complete, but I expect to see considerable progress in the 
next 6 months in addressing the hiring and retention of 
critical IT resources for cyber and IT risk management, data 
analytics, agile development, and Web services.
    Another notable goal of FITARA and of every CIO is cost 
savings in the IT environment. While my particular driver is 
not the cost savings per se, I fully expect implementing FITARA 
will help me drive the unit cost of every IT service we deliver 
down. This will result from opportunities identified through 
greater oversight, visibility, and collaboration across IT 
acquisition and budget formulation.
    In closing, for our DOC FITARA implementation to fully 
succeed, we need more than just law or policy. We need to 
institutionalize best IT practices and processes across the 
department. My staff is working with their counterparts in each 
bureau CIO office and in our H.R., finance, and acquisition 
offices to improve visibility and participation in all IT 
budget and acquisition processes. I expect to have initial 
process improvements and reviews in place by the end of this 
fiscal year, and to operate more efficiently in the future.
    I thank the subcommittees for holding this hearing and for 
your commitment to ensuring successful implementation of 
FITARA. I would be pleased to answer any questions you may 
have.
    [Prepared statement of Mr. Cooper follows:]
    
    
   
    
    Mr.  Hurd. Thank you, Mr. Cooper.
    I now would like to recognize Ms. Dawn Leaf, CIO at the 
Department of Labor, who had a grade of C, which is one step 
better than you were the last time we issued these grades.
    So, Ms. Leaf, over to you for 5 minutes.

                     STATEMENT OF DAWN LEAF

    Ms.  Leaf. Chairman Hurd, Ranking Member Kelly, Chairman 
Meadows, Ranking Member Connolly, and members of the 
subcommittees, good afternoon and thank you for the opportunity 
to brief you on the Department of Labor's FITARA 
implementation.
    I would like to focus on some challenges, highlight some 
progress, and provide you a working-level perspective on how 
FITARA can help the department to improve its IT services.
    First, let me state that, historically, the Department of 
Labor has had decentralized IT organizations and resources, 
that these have been fragmented and siloed at the department 
bureau level. We have experienced the same inefficiencies and 
issues that I know this committee has heard described in other 
hearings by other agencies.
    Another relevant factor that I would like to emphasize is 
that decades of information technology underinvestment and the 
fragile state of our IT infrastructure and our application 
systems make it challenging for the department to improve its 
performance in some of the FITARA metrics.
    Specifically, it is difficult for the Department of Labor 
to achieve high scores and cost savings because we are on a 
bare-bones IT budget to start with. There is not much to cut.
    On the positive side, we have a great opportunity with cost 
avoidance, to leverage enterprise investments in IT, to add 
technology capabilities and services, and to do so more 
efficiently.
    Turning to progress, the department has improved and 
strengthened its IT governance processes, and that has helped 
us to improve transparency, to improve our risk management, and 
to improve our incremental delivery and development.
    In 2012, the department launched an initiative to 
consolidate nine separate agency infrastructures. We have made 
some progress, and we have proven that we can deliver modern IT 
services on time and within budget.
    By the end of 2016, we will have closed 38 of our 90 data 
centers. We will have achieved or met our 40 percent data 
center consolidation target.
    In 2014, the department migrated 17,000 employees from nine 
separate legacy email systems to a commercial Federal community 
cloud service. For the same cost, we are able to give our 
employees 400 times as much storage, which gives them back 2 
hours per month per employee, because now they are able to just 
work instead of spending 2 hours a month archiving email so 
that they have enough space to work, so they can send and 
receive emails.
    In 2015 and 2016, the department improved our cybersecurity 
posture, including a 95 percent reduction in security 
vulnerabilities by implementing an aggressive security patch in 
our patch management process.
    We are planning a 2017 through 2019 unified communications 
project to redesign, modernize, and consolidate nine decades-
old networks in over 600 locations throughout the U.S. This is 
not only critical for security, it also allows us to reduce 
costs. We will be able to reduce 85 percent of our voice 
circuits and 50 percent of our phone management costs.
    In closing, I would like to just touch on two ways that 
FITARA can help the Department of Labor with its IT challenges.
    FITARA is especially important to an agency that is 
starting in an underfunded position, because it encourages the 
department to make IT investments that are not only effective 
for agency missions, but efficient. FITARA also provides 
structure to help us manage change, organization change and 
technology change.
    While the Department of Labor is moving forward, we realize 
that we have a long road ahead. Thank you for the opportunity 
to share my thoughts, and I am happy to answer any questions.
    [Prepared statement of Ms. Leaf follows:]
    Mr.  Hurd. Thank you, Ms. Leaf.
    Mr. Johnson, you are now recognized for 5 minutes, and the 
Department of Energy has moved the most in their grades to a C, 
I believe from an F, the last score. So thank you for that, Mr. 
Johnson. You are now recognized for 5 minutes.

                 STATEMENT OF MICHAEL M. JOHNSON

    Mr.  Johnson. Good afternoon, Chairman Hurd, Ranking Member 
Kelly, Chairman Meadows, Ranking Member Connolly, and 
distinguished members of the committee. On behalf of the 
Department of Energy, I appreciate the opportunity to appear 
before you to discuss the department's implementation of the 
Federal Information Technology Acquisition Reform Act.
    The department has been working closely with OMB to 
implement FITARA and cyber best practices across the complex 
ecosystem that is the Department of Energy as we meet our 
diverse mission. We are pleased that the committees' just-
released May 2016 FITARA implementation scorecard 2.0 
acknowledges that the department is making progress.
    Just this last Friday, DOE submitted to OMB the third major 
revision to our initial FITARA implementation plan submission. 
I am pleased to say that yesterday OMB approved DOE's FITARA 
implementation plan, and we will post it to our public Web site 
within the next 30 days.
    DOE's FITARA implementation plan is transformational for 
the department, and it results in unprecedented CIO engagement 
and DOE enterprise-wide transparency into IT budget formulation 
and review, acquisition review and approval, and IT work force 
planning. In addition, the plan provides for the collection of 
detailed IT and cyber performance metrics across all DOE IT 
investments.
    At the request of the Secretary, I joined DOE a little over 
a year ago to develop and implement an effective cyber strategy 
for the DOE enterprise. The complex DOE enterprise comprises 97 
entities across 27 States, to include 19 staff offices, 10 
program offices, 19 field sites, 17 National Laboratories, four 
technology centers, and the four Power Marketing 
Administrations.
    Each entity is structured to perform its area of our 
diverse mission that spans nuclear security, scientific 
research, energy, and environmental management. All but one of 
our National Laboratories are government-owned, contractor-
operated facilities managed through the management and 
operating, or M&O, contracts designed to enable innovation and 
management efficiencies.
    Our cyber governance is both transparent and responsive, 
and includes close collaboration involvement with all entities 
across DOE, notably the National Laboratories.
    The Deputy Secretary chairs the DOE cyber council. As CIO, 
I chair the DOE Information Management Governance Board. We use 
these entities to oversee development, coordination, and 
implementation of DOE's cyber- and IT-related policies.
    The information technology portion of DOE's budget is 
approximately $1.7 billion, which often is integrated into the 
larger non-IT investments. We have expanded our processes to 
ensure CIO involvement in all phases of annual and multiyear IT 
planning, programming, budgeting, and decision-making. The 
department has also developed an enterprise plan for review and 
approval of IT acquisitions that covers acquisition plans, 
statements of work, evaluation, and selection criteria.
    DOE understands the need to leverage human capital for 
success. Accordingly, we are focusing on the development of a 
DOE cyber work force strategy that will increase the CIO's 
involvement in DOE's human capital selection practices with a 
focus on developing performance goals with results-driven 
critical elements and enhanced recruitment and retention of 
vital IT personnel.
    The DOE continues to consolidate and optimize its data 
centers to include advanced metering facility upgrades to 
improve power utilization effectiveness.
    From 2010 to present, for our updated and expanded 
inventory of 217 enterprise computing data centers, including 
both Federal and M&O, we closed 75, increasing cost savings to 
the department of just over $17 million.
    We developed a unified DOE cyber strategy and 
implementation plan that consolidates and prioritizes the 
excellent cyber enterprise information resources management 
initiatives ongoing at the DOE into five key areas: information 
resources management best practices, to include reliability and 
enhanced efficiencies; modernization, to quickly move from 
legacy to transformative solutions; strengthen cybersecurity 
fundamentals, to reduce risk and enhance defense in-depth 
capabilities; seamless integration of operations in 
cyberdefense, to combine situational awareness and threat 
operational status in enterprise-wide, real-time indicator-
sharing; and cyber research and development intended to out-
innovate our adversaries and stay ahead of advanced persistent 
threats.
    In conclusion, DOE is actively engaged in FITARA 
implementation and related transformational reforms, which will 
result in significant insights into and enhanced oversight of 
DOE information and IT. Through a department-wide collaborative 
and inclusive process, we have made major strides toward the 
goal, although further work is needed.
    I thank the subcommittees for their commitment to ensuring 
successful implementation of FITARA. Your support is vital to 
our success.
    It has been my honor to provide this testimony, and I will 
be pleased to address any questions you may have. Thank you.
    [Prepared statement of Mr. Johnson follows:]
    Mr.  Hurd. Thank you, Mr. Johnson.
    Votes have been called. It is a six-vote series, so we are 
going to stand adjourned until the end of the final vote.
    [Recess.]
    Mr.  Hurd. The Subcommittees on Information Technology and 
Government Operations will reconvene.
    I think we left off with you, Ms. Wynn, for your opening 
statement of 5 minutes. Since I have called out the grades for 
everyone else, NASA had the lowest grade of the folks reviewed 
with an F. Ms. Wynn, over to you for 5 minutes.

                   STATEMENT OF RENEE P. WYNN

    Ms.  Wynn. Thank you, Chairman Hurd, Chairman Meadows, and 
other members of the Information Technology and Government 
Operations Subcommittees for allowing me to appear before you 
today to update you on NASA's implementation of the Federal 
Information Technology Acquisition Reform Act.
    Unfortunately, NASA is at the bottom of the FITARA 
scorecard. That is not something we are proud of. NASA is fully 
committed to implementing the FITARA law. We know we have a lot 
of work to do, and I am here today to assure you that 
significant changes are already underway at NASA to improve our 
management of IT.
    But before I get into more detail about our implementation 
plans, I would like to introduce myself. My name is Renee Wynn, 
and I have more than 26 years of Federal service, spending most 
of those years at the Environmental Protection Agency. I joined 
NASA 10 months ago as the deputy CIO, and, 2 months later, I 
was promoted to be the agency CIO.
    Since then, I have initiated listening meetings to learn 
the needs of my IT customers and how they can inform our joint 
path forward. I have visited each center, meeting with the CIOs 
and the center directors, and I've been meeting with each 
mission office at headquarters.
    Everywhere I go, people are frank with me about IT needs, 
about governance, and operational changes they believe are 
needed, or changes they fear are coming. So I am listening and 
taking action as quickly as I can.
    The ball is now in my court to manage and secure the 
agency's IT resources, so that is what I and my amazing team 
are going to do.
    To its credit, over the last several years, NASA has 
transformed its IT governance structure to empower the CIO with 
greater authority, and thus, today, I am the beneficiary of 
these many changes.
    For example, I now report directly to the Administrator and 
can talk to him whenever I want. The CIO now sits on all key 
NASA decision-making councils, and the CIO has direct authority 
and oversight over the center CIOs, including their IT 
decisions and acquisitions.
    Better yet, NASA recently completed an internal business 
services assessment of NASA's IT program. This BSA outlined 
a series of steps the agency should take and plans to take to 
optimize and protect our IT assets.
    In my personal opinion, this review has been a gift to 
current and future NASA CIOs in that it says NASA supports you 
as the CIO and we do want you to transform the way NASA manages 
IT. Like FITARA, the BSA results will ensure that IT is seen as 
a strategic agency resource establishing clear direction for 
the NASA CIO to approve the agency's IT spend for non-highly 
specialized and highly specialized IT.
    Additionally, NASA is strengthening its alignment of IT 
resources against mission goals. My office will be held 
accountable for additional agency IT costs, schedule, and 
performance through a new portfolio review process. NASA is 
providing me with greater visibility into the overall budget 
planning cycle, allowing me to spot IT resource problems at a 
mission level earlier on.
    These are big steps forward for NASA, and NASA should be 
commended for starting this process even before FITARA became 
law.
    It is important to remember that NASA's scientific and 
technical mission is unique. For example, cooperation with 
other nations, the public, and scientists around the world is 
one of NASA's founding principles. Therefore, NASA has always 
sought the widest practical and appropriate distribution of 
information about our missions. But in doing so, we must also 
safeguard our IT assets against well-resourced and highly 
motivated individuals who wish to harm us.
    Malicious threats to our network are constantly evolving, 
which means our work is never done. Thus, I want to reassure 
you today that IT is a top priority at NASA. While the number 
of attempted cyber instances against NASA continues to 
increase, I am confident that NASA continues to appropriately 
address them.
    For example, NASA did not experience any major incidents in 
fiscal year 2015, as defined by the Office of Management and 
Budget. NASA has successfully met all capability targets 
established in the 2015 cyber sprint activity. And the DHS 
cyber hygiene report for NASA currently shows that there are 
zero critical vulnerabilities older than 30 days.
    In conclusion, I appreciate the opportunity to appear 
before you today to reassure you that NASA has a strong 
foundation upon which to successfully implement FITARA and that 
we are committed to fully implementing FITARA. We remain ever 
vigilant with protecting our information assets as well.
    I would be happy to answer any questions that you may have.
    [Prepared statement of Ms. Wynn follows:]
    Mr.  Hurd. Thank you, Ms. Wynn.
    Now someone who has testified many times before this 
committee, Mr. Powner, you are recognized for your 5-minute 
opening statement.

                  STATEMENT OF DAVID A. POWNER

    Mr.  Powner. Chairmen Hurd and Meadows, Ranking Members 
Kelly and Connolly, and members of the subcommittees, I would 
like to thank you and your staff for your continued oversight 
of the implementation of FITARA with the second set of grades.
    We recently completed, at your request, detailed work on 
three of the four scorecard areas to support your grading 
efforts. This afternoon, I would like to briefly discuss the 
grades overall in each of the three areas we performed our 
work. Those are data centers, dashboard accuracy, and 
incremental development, all major areas of emphasis with 
FITARA.
    Starting with the grades, overall, there has been some 
progress with seven agencies having higher grades, one lower, 
and 16 having no change. We view the 6-month progress as quite 
positive, since implementing FITARA and receiving higher grades 
will take time to address long-standing, systemic weaknesses in 
IT management.
    To comprehensively implement this law to better invest our 
Nation's IT dollars, CIO authorities need to be strengthened. 
Critical to that are the FITARA implementation plans that are 
to provide an assessment of gaps in CIO authorities and agency 
efforts to improve those authorities. We are pleased to hear 
that both Labor and Energy now have approved plans, so they are 
all in, and we will actually be looking at the next round of 
iterations on those plans.
    Now turning to data center consolidation, of the roughly 
10,500 data centers, 3,121 have been closed to date and another 
2,100 are planned. Interestingly, 84 percent of the closures to 
date have come from four agencies, Ag, DOD, Treasury, and 
Interior. Your uptick of the data center grades is quite 
appropriate.
    We want consolidation, and we want savings. This next slide 
shows savings to date with data center consolidation. I know it 
is hard to read. There are the closures, if you look at 3,100, 
if we go back to that prior one, the prior slide, please. The 
3,100, that is what has been closed to date.
    I want to emphasize there are four agencies that are 
accountable for 84 percent of those 3,100 closures. Your uptick 
in their grades is appropriate.
    If we flip to the next slide, this is savings. That gray 
shaded area there from 2011 through 2015, there has been 
collectively about $2.8 billion in savings to date. There is 
another $5.4 billion remaining. When you look at out-years, 
over $1 billion each year.
    This is why FITARA is so important, because without FITARA, 
we would not have this focus and attention on data center 
consolidation.
    A couple points on this chart. Four agencies account for 86 
percent of the $2.8 billion in savings. Those are Commerce, 
Defense, DHS, and Treasury. Again, rewarding these departments 
with higher grades for their substantial savings is an 
excellent idea.
    The other point I would like to make is that out-years 
savings of $5.4 billion, we actually have a lot more than $5.4 
billion on the table. There were 10 agencies that had planned 
closures that did not have out-year estimates that were called 
for by OMB. We made recommendations to those 10 agencies.
    And your downgrading those 10 agencies to emphasize the 
importance of these out-year projections is really the right 
way to go. So what we want to do is we want to reward closures 
and savings, and we want to make sure there are not out-year 
projections that we have to down tick in their grade. So that 
is going to be really helpful in ensuring we get the 
appropriate savings here.
    Next, I would like to turn to dashboard transparency. 
FITARA codified the IT dashboard and CIO risk ratings for 
approximately 750 major IT investments across the departments. 
These ratings indicate whether each investment is low, 
moderate, or high risk. The dashboard currently tells us there 
are about 200 investments totaling about $12 billion that are 
moderate or high risk, and that 72 percent of IT dollars the 
government invests is low risk.
    Although CIOs are acknowledging a bit more risk from your 
last hearing, these IT dashboard CIO ratings still greatly 
underestimate risk.
    This next chart shows the results of our latest review on 
CIO ratings. We looked at approximately 100 investments on the 
IT dashboard and performed our own risk assessments compared to 
the CIO ratings. So, for instance, that green bar on the top, 
there were 61 CIO ratings that were rated as low risk or green. 
Our assessment concluded that only 10 of those were green, 28 
should have been yellow, and 23 should have been red. So that 
is an indication of where we need to get better transparency 
and accuracy so that we can better manage these major IT 
investments.
    Your grading scheme, Mr. Chairman, which equates higher 
grades with acknowledging more risk is definitely the way to go 
until CIOs start acknowledging more risk with their ratings.
    Turning to incremental development, FITARA requires that 
CIOs certify that IT investments deliver in increments 
consistent with OMB policy, which requires that major 
investments deliver in 6 months. Agencies collectively report 
that 65 percent of their IT projects government-wide plan to 
deliver in 6 months.
    Our review found some agencies were accurately reporting 
this, like DHS and Transportation. However, others, like 
Commerce and Treasury, were not, and your grades adjustments to 
those two agencies were appropriate.
    I would like to conclude by thanking your subcommittees for 
your aggressive oversight of FITARA implementation with your 
scorecard and your many other actions. With the upcoming change 
in administration, it will be very important not to lose the 
positive momentum we have. Our team at GAO will be working very 
hard through this transition, addressing several requests from 
you to keep the focus on CIO authorities, delivering 
transformational IT solutions, and replacing antiquated, 
inefficient, and, in many cases, insecure systems and 
infrastructure.
    Chairmen Hurd and Meadows, Ranking Member Kelly, I thank 
you for your leadership. Our team at GAO looks forward to 
continuing to work supporting your efforts on FITARA 
implementation.
    [Prepared statement of Mr. Powner follows:]
    Mr.  Hurd. Thank you, Mr. Powner.
    I will now recognize myself for 5 minutes for opening 
questioning.
    Mr. Cooper, I want to start with you. Commerce is one of 
the four agencies that is responsible for 86 percent, 87 
percent of the savings in closing down the data centers. How 
are you able to use that money that you save?
    Mr.  Cooper. We have an internal process that is set up. As 
we realize savings, we have a prioritized bureau-specific list 
of priorities. The bureaus bring forward, through our 
investment review process, their savings dollars redirected 
against that prioritized list.
    So it comes through the bureau investment review process up 
to the department review process. That way we have ----
    Mr.  Hurd. Mr. Cooper, I'm going to interrupt there.
    Mr.  Cooper. Please.
    Mr.  Hurd. If you realize savings in your operations, you 
should be able to use that savings also to go after some of the 
other projects of legacy systems that you have already 
identified. Are you able to do that?
    Mr.  Cooper. Yes. I was going into a little bit of detail 
on how we do that. The answer is yes. We have a process. We 
actually do, both at the department level and at the bureau 
level, redirect that savings. It is redirected based upon the 
priorities of new investments or risk-based issues that need to 
be addressed at the bureau level and the department level.
    Mr.  Hurd. Thank you, Mr. Cooper.
    Ms. Wynn, 10 months at NASA, correct? Two months in the CIO 
job?
    Ms.  Wynn. I was 2 months as the deputy CIO and then 
promoted to the CIO the last 8 months.
    Mr.  Hurd. So are we going to be able to get to Mars if we 
are still using Fortran?
    Ms.  Wynn. Thank you for your question, Chairman. At this 
point, I am not an expert on what it is going to take to get to 
Mars, but I'm happy to take the question for the record, and 
add the question about programming language as well.
    Mr.  Hurd. Please do.
    My question for you is, so you have come in and inherited a 
situation, and we recognize that. What additional 
responsibilities or authorities would you like to have in order 
to right this ship?
    Ms.  Wynn. Chairman, thank you for the recognition to the 
newness. It is much appreciated.
    On March 31, the agency approved our transformation plan. 
It is about 219 pages. That gives me a lot of authority that is 
aligned with the FITARA law, as well as some things that NASA 
saw that needed to change. So at this juncture, we are changing 
our governance structure, changing the way we take a look at 
the budget, as well as taking a look at how we do portfolio 
review.
    At this juncture, that feels like it is going to be an 
excellent start for me at NASA.
    Mr.  Hurd. When did the CIO report directly to the 
Administrator, when did that change happen?
    Ms.  Wynn. It is my understanding that that started about 2 
years ago.
    Mr.  Hurd. When it comes to incremental developments, on 
your scorecard, there is no data on this. Is that because there 
are no IT projects in the works? Or is it because we don't know 
which IT projects are in the works?
    Ms.  Wynn. Chairman, the lack of incremental spending is 
due to, I believe, a couple things. One is, in my opening 
statement testimony, I emphasized the ability of the CIO to 
look at specialized and nonspecialized IT. The nonspecialized 
IT is our mission IT where a lot of development work is in our 
regular, ongoing basis. I recently have been given the 
authority to begin to look to make more transparent what goes 
on there. That is where a lot of our development happens, and 
that is where I am expecting to be able to say to you, yes, we 
are doing incremental.
    Mr.  Hurd. In the next review cycle, what should we expect 
from NASA?
    Ms.  Wynn. At this juncture, in discovering this in 
preparation for the hearing, this is what I expect to be able 
to deliver to you. One is information on how much we have 
actually saved in closing our data centers, to be able to say 
to you that we have a good plan for a modified portfolio review 
process that includes the infrastructure IT as well as our 
mission IT, and then finally be able to report to you where we 
have actually driven a lot of savings in our software 
management.
    Mr.  Hurd. I think that would be pretty successful.
    Mr. Johnson, the 14 or 17 National Labs, why do they need 
an exemption from FITARA?
    Mr.  Johnson. Thank you for the question, Chairman.
    So, as you know, DOE does not have a position on the 
legislation, which exempted the National Labs from FITARA 
implementation. However, we have been working closely with the 
National Labs just over 1 year that I have been the CIO within 
DOE. Through a collaborative process, which included not only 
the program offices and the National Labs, we have been putting 
in place a number of what we call transparency reforms that get 
to an effective management of our IT and cyber work force and 
information across our entire enterprise to include our 
National Labs.
    Mr.  Hurd. In my opinion, the National Labs are probably 
some of the most important things to protect, and they are 
probably the biggest target when you look at nation sponsors 
that are looking at cutting-edge technology.
    Not adhering to some of what I would consider some very 
basic standards for good digital hygiene to me does not make 
sense. This is an area where my expectation is that these 
National Labs have some greater transparency on what they are 
doing, how they are doing it, and ensuring they are not using 
Fortran and systems that are super old and outdated.
    I think as we go forward and have new laws and go through 
appropriations, some of those things may change.
    Ms. Leaf, what took so long to get the implementation plan 
approved?
    Ms.  Leaf. Thank you for the question.
    The department leadership felt that it was very important 
that we complete due diligence in understanding the 
relationship of FITARA with the Confidential Information 
Protection and Statistical Efficiency Act, or CIPSEA.
    So the department reviewed that internally. They requested 
guidance from OMB, which we received. When we received it, we 
incorporated it and finished our plan.
    Mr.  Hurd. Ms. Leaf, thank you very much.
    I now would like to recognize my colleague, Ms. Kelly, for 
5 minutes of questioning.
    Ms.  Kelly. Thank you, Mr. Chair.
    Last November, the committee received a briefing on GAO's 
review of how the 24 agencies identified in the Chief Financial 
Officers Act of 1990 had begun implementation of FITARA. At the 
committee's request, four key areas of FITARA were scored, 
enhancement to agency chief information officer authorities, 
transparency and risk management, portfolio review, and Federal 
data center consolidations.
    Mr. Powner, this question is for you. Can you explain why 
those areas were selected and how the scores were calculated?
    Mr.  Powner. First of all, in working with your staff, I 
think we all collectively decided, and it was a great 
bipartisan effort, that these were areas directly tied to 
FITARA. They were areas where needed reform needed to 
occur. They were also areas where agencies had data.
    So if you look at incremental development, scores on the 
dashboard, and savings, there is publicly reported data on the 
dashboard, on the CIO ratings, and incremental development, and 
then also, too, there is savings information that goes to the 
Appropriations Committees for both PortfolioStat and data 
centers.
    So it is the agency's data, and I thought it was a great 
idea on your part to use the agency's data to score them 
initially on those initial grades back in November. Now this 
go-around, there were some tweaks to the data, because it was 
all self-reported initially, but there were some tweaks. Like 
on incremental development, we didn't think it was quite 
accurate with a couple agencies.
    Mr. Cooper, one of them was Commerce. So there was a 
downgrade on that score for incremental development.
    But it was also great that these committees, that you 
decided to uptick agencies who saved a lot and closed a lot, 
because that is really what we want to do. So I think there has 
been a nice little initial evolution of the grades where it 
evolved from more just self-reporting and had some of our GAO 
reports validate the self-reporting, and to reward what you 
really want, closures and savings.
    Ms.  Kelly. Thank you.
    Mr.  Johnson and Ms. Leaf, you represent two agencies that 
showed improvement. Can you quickly review what steps you took 
to improve?
    Mr.  Johnson. Ranking Member, thank you for the question.
    Let's see, as I mentioned, I have been at the department 
just over a year. One of the things we prioritized was 
streamlining governance so that we can make sure that we have a 
common view on what issues we face as a department, both from 
an IT information resource management point of view, and also 
from a cyber point of view.
    As part of that process, we have an integrated team now 
that includes management all the way to the top of the 
department. It includes all the elements of our department, 
including our field and the previously mentioned National Labs.
    What we have attempted to do is focus all of those great 
minds and all of that great effort on focusing where we can 
make improvements. Two places where DOE did improve, as you can 
see from the scorecard, one, in particular, was in data 
centers, something that we are focusing on specifically to try 
to gain efficiencies that we can, as mentioned earlier, provide 
funds back into mission to try to address the other issues we 
have.
    So I would account most of the success to opening up the 
aperture of the governance and making sure that everyone is on 
the same page, but, in addition, having a focused plan on what 
we need to do.
    Ms.  Kelly. Thank you.
    Ms.  Leaf. So at the Department of Labor, what we have 
primarily done is strengthened our IT governance processes.
    The two areas that we have really improved are more 
detailed review of agency IT spend plans and acquisitions, so 
that we really do understand what the agencies are buying and 
how that fits with the overall strategic department objectives. 
We also, for the first time, expanded our IT program review 
board to include agency projects and programs. Before it was 
just for enterprise-level projects.
    So those are our two governance areas that we have improved 
and I think what has contributed to our improvement.
    Ms.  Kelly. I am happy to see that all 24 agencies' plans 
have been approved or submitted. That is one thing. But, of 
course, they have to be implemented.
    Can you guys quickly go down the line and talk about what 
are your plans for the transition? Because we know, one way or 
another, there will be a new administration.
    Mr.  Cooper. I'm happy to start. Thank you for the 
question. At Commerce, we have already taken steps that 
actually even preceded my coming into the role at the 
Department of Commerce as the CIO.
    We have already institutionalized in a memo actually signed 
by our Acting Secretary back in 2012 a significant amount of 
the authorities granted to the CIO and then reinforced by 
FITARA. That has allowed Commerce to kind of have a bit of a 
head start, if you want to think of it that way.
    But in addition, we have implemented, through our 
governance process for IT, some additional reviews that did not 
exist until we had FITARA to leverage, two specific ones that 
are now part of the CIO oversight review.
    First, programmatic reviews that my office or I or any 
bureau CIO can request. That is a formal review. You can think 
of them as being analogous or the equivalent of TechStat. But 
we launched those. We invite OMB to join us and, in some cases, 
GAO, depending upon what is under review.
    The second is, and this is brand new, it is kind of unique 
to Commerce that we have implemented, is what we call a CIO 
review. That is a review that didn't previously exist. I 
leveraged FITARA, the authorities granted to the CIOs, to be 
able to call a CIO review. We are using it specifically to take 
a look at programs that fall below our investment thresholds.
    We are focused on the following three major types of 
programs: one, any public-facing type of initiative that 
reaches to our constituents, stakeholders, citizens; second, 
any introduction of new technologies that could be state of the 
market, but they have not been used within the department 
before; and third, anything that we believe constitutes not 
abnormal risk but risk of a different nature than we are used 
to addressing.
    An example, moving into the cloud requires new IT skill 
sets. We consider that a high risk. So even though you might 
have an initiative in a bureau that might represent less than 
$10 million for a lifecycle investment, we can now conduct a 
CIO review on that program.
    Ms.  Kelly. Briefly. My time is up.
    Ms.  Leaf. Okay, so quickly, we are really focusing on 
process improvements that will be in place and are 
institutionalized, irrespective of the individuals that are in 
place.
    There are two areas for that. One is our actual FITARA plan 
has quarterly milestones, so we have committed to those. The 
other is that we are actually implementing the processes in the 
department through directives. So those should stand regardless 
of who is in place.
    Ms.  Kelly. Thank you.
    Mr.  Johnson. So within the Department of Energy, three 
main changes.
    One, as it relates to, as mentioned earlier, our 
implementation plan also has quarterly deadlines that we are 
following.
    We are also modifying our program review process to include 
modifying the charters by which those are run, including our 
Information Management Governance Board, which will be used as 
our internal investment review board for the department. That 
charter is being modified, and it will be signed out by the 
Deputy Secretary.
    And finally, for the first time within the department, I, 
as CIO, am going to be included on an Energy systems advisory 
board that analyzes all major investments to include $400 
million and above, to include facilities that might include IT 
major investments like high-performance computing, et cetera, 
which is hugely transformational for the department.
    Ms.  Kelly. Thank you.
    Ms.  Wynn. For NASA, and thank you for the question, 
Congresswoman, that is, we basically have one thing and that is 
implement our business services assessment, which covers such 
things, but not just these things. It would be our governance, 
our roles and responsibilities, as well as our security, the 
way we focus on security. And there are policies and procedures 
that go underneath that. And a huge element of this one is a 
culture change element.
    So as long as we stay the course on what we have committed 
to do, we should be in good stead.
    Ms.  Kelly. I don't know if you have a comment?
    Mr.  Powner. I would just add that I think the improvements 
in governance is really needed across the Federal Government, 
not only on the large acquisitions, but where that governance 
also looks at the legacy spend.
    I know, next week, we are going to look more closely at 
these old legacy systems and the challenges in maintaining and 
the security vulnerabilities.
    But that governance perspective really needs to look at 
everything, so it is encouraging that these processes are being 
approved.
    Ms.  Kelly. Thank you.
    Thank you, Mr. Chair.
    Mr.  Hurd. Thank you, Ms. Kelly.
    I now would like to recognize Chairman Meadows for 5 
minutes.
    Mr.  Meadows. Thank you, Mr. Chairman. I thank each of you 
for your testimony. I will try to be brief as we work through 
this issue.
    Ms. Leaf, I want to come to you. Your particular position, 
do you think it is an impediment to accomplishing your overall 
goal with where you are in the reporting status to the very top 
of your agency?
    Ms.  Leaf. So let me just address what the department is 
going to do in the FITARA plan to strengthen the role of the 
CIO. We have two items. We are adding the CIO, and I am 
currently in that position, to the department management 
meeting, which is where the agency heads meet regularly. We 
have an action item to reassess this in 2017, with respect to 
the reporting structure.
    My honest answer to you is that I report to an Assistant 
Secretary, who is a strong champion of IT. I participate with 
him in meetings with the Deputy Secretary and with the 
Secretary. So in this particular instance, the reporting 
structure is not an impediment, because of the individuals who 
are in the positions.
    I do think that it is appropriate for the department to 
reconsider it, however, with the transition.
    Mr.  Meadows. I would concur with your last statement. I 
guess what I would say is, knowing that the reporting is a 
critical component after you are gone, or perhaps after those 
you report to are gone, I would encourage, while you have a 
cooperative mood, to express the sense of Congress that that 
reporting relationship is being looked at. How about that?
    Ms. Wynn, I want to come to you. Obviously, your grade was 
not one that I jumped up and down about, nor do you, I can 
tell. I even questioned GAO. The gentleman to your left will 
admit that when I saw it I said that this has to be wrong, 
because I visited NASA, and I know the commitment to the 
mission at NASA, so certainly it has to be wrong.
    So I guess my question to you is twofold. Do you know what 
it would take to get from an F to a C?
    Ms.  Wynn. Chairman, thank you.
    We are not proud of our ----
    Mr.  Meadows. I am not here to beat you up.
    Ms.  Wynn. I'm glad GAO said yes, we did not make a mistake 
in our reporting, so great on that one.
    So I think with our business services assessment, we are on 
track to head toward a C. As long as we stay on that particular 
plan that the agency approved--and, as you know, in order for 
us to make the changes in the CIO world, we have to have the 
support of senior leadership, and we have to have that because 
of the culture change. I have that in place now, so it is time 
for me and my team to capture that moment and get through the 
implementation process.
    Mr.  Meadows. So in a roundabout way, I guess the answer 
was yes, you know how to get to a C.
    So the question becomes, at the next briefing, will we see 
you at a C?
    Ms.  Wynn. Chairman Meadows, yes, your summary is right. We 
are to do that.
    As far as guaranteeing a C, as long as the grading stays 
precisely as it is right now, we know how to make those 
changes. But I would say that there are a couple areas where 
there are bigger changes. That is on the incremental side, 
taking a look at some of our projects. We are headed toward 
getting that insight. I just can't guarantee what day I'm going 
to get that one.
    Mr.  Meadows. I am not asking for that. I knew many of your 
teammates in other areas, and we expect the culture to be one 
that would embrace--just to be frank, they will not be 
satisfied with being an F, so you have big shoes to fill.
    But I guess my question is, do you have the tools and the 
insight and the commitment to improve?
    Ms.  Wynn. Chairman Meadows, I do.
    Mr.  Meadows. Okay, all right.
    So let me go to the GAO very quickly, because one of the 
graphs that you put up there had to do with what you identified 
as I guess low risk, that was identified by the agencies as low 
risk, but it looked like most of that was either medium or high 
risk, according to your analysis of where it should be.
    So is there a disadvantage for agencies to self-report now 
that the scorecard is already out, to say, ``Okay, we made a 
mistake. They are, indeed, medium risk, high risk, or 
whatever.'' By self-reporting to you at this point, do they get 
adversely affected by getting a different dashboard quicker? Or 
is there an incentive to go ahead and have all the agencies 
call you tomorrow and say, ``Gosh, we agree with your 
assessment. Put us at high risk, low risk, here.''
    Mr.  Powner. So I think, if they had more red than yellow 
investments, they would have a higher grade. Right now, we need 
to still move in that direction.
    Right now, the dashboard shows 72 percent of our dollars, 
this is both major investments in acquisition or operations, 
are low risk. There is no one in this room that believes 72 
percent of our major investments are low risk. They are just 
not.
    Mr.  Meadows. So what you are saying, your testimony here 
today, and it needs to be a clear message to all of the 
agencies, is they can get a higher score--am I understanding 
you right?--just by reporting it correctly?
    Mr.  Powner. Correct. So Commerce and Labor both have As. 
They acknowledge a fair amount of yellows. And Labor has one 
red, but there is a fair amount of yellows in their 
assessments. It is not all green. NASA is all green, so they 
get an F on dashboard.
    So that is kind of how it works right now. We have seen 
changes. There is more acknowledgment of risk since your last 
hearing, but that review we did for you shows that we still 
have a long way to go.
    Even Commerce, there were a couple assessments that Steve 
has that we weren't in full agreement. We think he could still 
acknowledge some more risk on certain ones.
    Our point on this is you cannot manage these IT investments 
appropriately unless you acknowledge the risk. If you say it is 
green, you are not going to get reviewed when we all know that 
there are a lot of yellows and reds.
    We need that governance that every one of these CIOs talk 
about. And collectively, these four CIOs spend $5 billion 
collectively on IT in a given year. That is a lot of money that 
we need to manage more appropriately, and it starts with 
acknowledging risk.
    Mr.  Meadows. All right. So that message needs to be clear.
    Let me finish up with two very small points.
    One, Mr. Cooper, congratulations on moving forward. Do you 
have a full-time CIO in place for Census yet?
    Mr.  Cooper. We have made the selection. That individual 
will be moving into that office. I apologize. I do not know the 
specific timing, but very shortly.
    Mr.  Meadows. Without getting into the weeds here, we 
really have some to-do items as it relates to Census. I won't 
beat you up in public, so let's just follow up on that.
    Ms. Leaf, is it true that you had to buy replacement parts 
on eBay for some of your system?
    Ms.  Leaf. Yes, sir, it is. But I'm happy to say that those 
servers have been upgraded and replaced.
    Mr.  Meadows. All right, so here is my last admonishment to 
all of you, and the chairman talked about it with Ms. Wynn with 
regards to Fortran. We have legacy systems that must--not 
maybe, must--must be changed. So the message that needs to go 
from you to those who work in IT is that we will no longer 
accept that this is the way that we have always done it, 
whether it is COBOL, Fortran, or any other language that is 
grayer than I am.
    It is imperative, without mentioning it in a public forum, 
we have agencies who are taking IT dollars to prop up legacy 
systems and stealing from the future of our IT systems to prop 
it up.
    Mr.  Connolly and Mr. Hurd are much better versed at this 
than I am. I will dig from an investigative standpoint, and 
then let them weigh in from a technical standpoint, but let 
this day be the day that we start to address that.
    I will yield back, Mr. Chairman.
    Mr.  Hurd. Thank you, Chairman Meadows.
    I would like to recognize Mr. Connolly for 5 minutes.
    Mr.  Connolly. Thank you, Mr. Chairman. I echo everything 
my friend from North Carolina and my friend from Texas have 
said.
    Picking up on a very interesting line of questioning Mr. 
Hurd had, Mr. Johnson, I want to state for the record that the 
carveout for the National Labs was an outrageous thing to do.
    They used their influence here on the Hill. They used an 
appropriations vehicle to get around this committee and this 
bill. The ink was barely dry on the bill. We didn't have 
implementation evaluation, and those labs got an exception.
    Who could be hurt by that? Well, anybody depending on the 
National Lab.
    The whole point here isn't another pain in the neck set of 
requirements and compliances. It is to transform how we do 
business. It is to get at legacy systems. It is to make sure 
things are encrypted and secure. It is to try to streamline 
management. It is to save resources and plow them back into the 
enterprise.
    If there is anyone who could have benefited from FITARA, it 
is the National Labs.
    So I hope you will go home to the Department of Energy with 
this message: We are not going to stand for it. We will revisit 
this issue.
    I do not presume to speak for my colleagues on the other 
side of the aisle, but I think this will be a broad bipartisan 
assault on the National Labs if they try it again. And if we 
have to go toe-to-toe with Appropriations Committee, we will do 
so, because it has been evident that others are benefiting from 
this effort.
    It would be one thing if we were many years into the 
process and it was onerous and it was hard and it was 
bureaucratic and it was costing money and the promise wasn't 
being realized. I still might not like it, but I could 
understand why you might pursue your other options--not you, 
but the National Labs, did not wait.
    I hope you will go back and warn them. This time, there 
will be a fight. And I think it will be bipartisan.
    At any rate, other than that, Mr. Cooper, you were talking 
in your testimony about cost savings. This really isn't about 
cost savings. I take that point very well. But on the other 
hand, as Ms. Leaf pointed out, there are cost savings. She 
specifically cited one that makes my heart go pitty-pat, data 
center consolidation.
    How are we doing at DOC on that? And do you have some kind 
of number you can ascribe to it?
    Mr.  Cooper. Yes, we are doing very well, and we continue 
to do well.
    We have realized about--I think the number, and I will 
verify this to make sure I'm giving you an accurate number, so 
I will come back with a follow-up. But I think we now stand at 
about $308 million that we have actually realized. We are on 
track to continue our very solid record of adding to that 
savings figure.
    If I may, I want to clarify very quickly what my remark 
was. It was to differentiate between a focus on absolute cost 
savings in IT. One of the things that is misunderstood in my 
executive leadership team that we are working to clarify is the 
difference between absolute cost of IT--for example, for 
capacity expansion or newer demand, new capability. That will 
drive the total cost of IT up. But some folks are 
misunderstanding that if the total cost of IT is going up, then 
I as the CIO and other CIOs must be doing something incorrect. 
They believe that the total cost should be moving down or stay 
flat.
    What we are doing is we are trying to educate our entire 
work force in Commerce that the correct metric to use around 
cost savings is to ensure that the unit cost of any IT service 
that we deliver, we are constantly driving the unit cost down. 
That way, both can be true. We can reflect true efficiency, 
true cost savings, even when the total amount of spend may, in 
fact, be going up.
    Mr.  Connolly. A good point, and that is why I wanted you 
to have the opportunity to clarify. I will give you a political 
note on that.
    But all of what you said takes a little time to 
institutionalize, to get everybody right with the program, to 
have a plan, to make sure the National Labs--we have this 
moment in time where the leadership here is completely united. 
We have GAO and GSA and OMB all on that script. That ain't 
going to last forever. There are not always going to be people 
appear who go, ``Yes, I get that, no problem, as long as 
trajectories are right.'' As you heard Mr. Hurd ask, I hope you 
are able to reinvest the savings, not everyone is going to have 
that point of view.
    That is why one of the things we are keen on here is taking 
advantage of this moment while you can.
    Mr. Powner, what changes might be made as we look down the 
road to the scorecard, to make it even more useful and 
hopefully more accurate?
    By the way, I like the fact that we are using some 
subjective judgment. When we see all green, you get an F. You 
are not rewarded for that. That is terrific. That is a very 
non-bureaucratic approach to a very important subject. I mean, 
one could just absolve oneself and go check, it's all green, 
how wonderful. We know that is not true. We know that we have 
lost billions of dollars sometimes in waste and mistaken 
investments. So trying to catch them early is a good thing. 
Exercising that judgment, to me, is also a very welcoming, good 
thing.
    But what might we add to the scorecard that would round it 
out and give us a better picture of DOE and NASA and others?
    Mr.  Powner. A couple key examples. I think, one, fixing 
the CIO authority issue, you need to find some way to score 
that, because if you do not fix the CIO authority issue in the 
cultures and bureaucracies at all these departments and 
agencies, you are not going to be able to accomplish FITARA in 
all of these areas as well as you possibly could. So looking at 
those plans and measuring whether the CIO authorities are truly 
being tackled is, as I think Ms. Leaf clearly pointed out that 
they are doing at the Department of Labor, that is what we need 
to find a way to look into. That is critical.
    The other thing, if you look at data center consolidation, 
over time, it is not going to be about closures and savings, 
although we are always going to have savings, but it is about 
optimization metrics, too, because there are some agencies that 
I still think are low-balling their estimates. It looks like 
they are done, but their optimization metrics are nowhere 
utilizing the equipment and the facilities at those departments 
and agencies. So that means they probably still have more 
savings.
    I think when we mature this in the future, looking at 
optimization metrics, but clearly, the CIO authority needs to 
be tackled aggressively.
    Mr.  Connolly. By the way, just for the record, now every 
Federal agency has submitted a FITARA implementation plan, 
right?
    Mr.  Powner. Yes.
    Mr.  Connolly. Okay. The last two came in recently.
    Mr.  Powner. Yes. You can take your C- off the scorecards 
and make them C.
    Mr.  Connolly. Ms. Wynn, two points, and then my time is 
up. One following up on what the chairman asked you, which I 
think is a brilliant question, are we going to get to Mars 
using Fortran? I think you said, well, I have to get back to 
you for the record. That is one I want to read.
    But I think he was getting at, with legacy systems, with 
antiquated systems, what could go wrong with that, in terms of 
Mars? Of all Federal agencies, yours in some ways is the most 
critically dependent on technology and technology working.
    I guess I would just ask you, for the record, would you not 
concede the point I think implied in the chairman's question, 
which is that technology, the IT piece, is really important to 
really all of your missions at NASA, and, therefore, getting 
them right and making sure we have them sort of updated and 
upgraded is pretty important?
    Ms.  Wynn. Congressman Connolly, you are absolutely right. 
IT is important for NASA's mission.
    Mr.  Connolly. One final point with you, Ms. Wynn, as you 
are relatively new, as you are working through the FITARA plan, 
I think you said you have a 219-page plan, setting metrics in 
advance, to me, is really important. If you do not have 
metrics, it is all interesting but--so, for example, on data 
center consolidation, I think it is really important, a priori, 
to say we have X number and we are going to reduce it by this 
much by this date.
    And it has to be a stretch. It has to push the organization 
a little bit, not an impossible goal, but if you don't have 
stretch goals, we are not really meeting our mission.
    So I would commend to you as you work through that plan set 
some of those metrics for the organization and your other 
colleagues, because that is the only way we are going to 
achieve progress. And it is the only way we are going to use 
FITARA as it was intended, which is a useful management tool 
for you and ultimately for the head of NASA itself.
    All right, I want to thank all of you for being here. I 
really benefited a lot.
    And my concern about the National Labs ought not to color, 
Mr. Johnson, the progress DOE is making. I thank you, but I 
wanted you to go back, because I think the chairman is 
absolutely right to ask that question, and it did not go 
unnoticed up here. Thank you.
    Mr.  Hurd. Thank you, Mr. Connolly.
    Mr. Meadows?
    Mr.  Meadows. Thank you, Mr. Chairman.
    A very brief follow-up, since we are talking about legacy 
systems, and since most of the people working on those legacy 
systems I would surmise are closer to retirement than not, what 
I would like from each one of you is the cost estimate of 
really not waiting for 2 or 3 or 5 years for us to fall off the 
cliff, the cost estimate of getting rid of those legacy systems 
for your agencies, if you would do that.
    Then, Mr. Cooper, let me come back to the CIO. It is 
obvious that you get this here, and we have the Census coming 
up and we cannot afford to fail. Has it been contemplated that 
the CIO role for Census would be incorporated as part of your 
responsibility, or that you take that on, since you obviously 
get it and are willing to work? Because I need to get the 
Census side with the GAO counterpart because we have GAO and we 
all stakeholders, to be frank, that are very, very concerned 
that we are not getting it. And we have a great relationship, 
but we are reaching a point of ``go, no go'' on a lot of 
decisions that are creeping up.
    You get it. I'm not so sure the new CIO would get it, so 
have you looked at that?
    Mr.  Cooper. Yes, and, Chairman Meadows, may I offer this, 
would this be acceptable, I will carry back--I know the planned 
timing. As I mentioned, we selected the individual. I know the 
planned timing. Would you allow me to go back, work with 
Director Thompson, and speed that up and allow us to put that 
individual in place?
    My commitment to you and this committee is that I will then 
commit to working directly with that individual to ensure that 
we help that individual come up to speed as rapidly as 
possible, but leveraging myself and my office to ensure that we 
honor the commitments that I previously made to this committee 
and that Director Thompson has previously made to this 
committee?
    Mr.  Meadows. That sounds fair, because what we cannot have 
is someone in the job 8 months later, and we get an F on the 
Census. So I appreciate that.
    I yield back.
    Mr.  Hurd. Mr. Powner, the issue of the CIO responsibility 
still perplexes me. Of the 24 CFO agencies, how many of the 
CIOs report directly to the agency head?
    Mr.  Powner. I do not have that exact number, but I think 
very few of them do. Even if they do--we looked at this years 
ago and did some work on this. It is dated, but even those that 
on paper report to the agency head typically report to the 
DepSec. We found that reporting to the DepSec actually gives 
most CIOs the right visibility and a seat at the table at most 
of the agencies. That is what we concluded.
    Mr.  Hurd. So how many report directly to the Deputy 
Secretary or the Secretary?
    Mr.  Powner. I don't have an exact number on that. But I 
can tell you not enough.
    Mr.  Hurd. So in your opinion, would an appropriate grade 
when it comes to CIO authorities be whether they report 
directly to the Secretary or the Deputy Secretary, and do all 
of the CIOs within the agency report to them?
    Mr.  Powner. Yes, that is a good way to measure. That is 
the intent of FITARA, where you have the CIOs reporting to the 
department or agency ----
    Mr.  Hurd. Would you agree that this metric is 
disproportionately more influential in the overall grading of 
an agency over all the other areas that FITARA looks at?
    Mr.  Powner. Yes, if you don't fix those CIO authorities, I 
think you're going to continually struggle.
    The other thing I think to keep in mind is the relationship 
with the other CFOs. We have heard many agencies, when CIOs 
have a solid relationship with the chief financial officers, 
things work out a lot better.
    Mr.  Hurd. Mr. Powner, you are reading my mind.
    How are CFOs responding to the implementation of FITARA?
    Mr.  Powner. Mixed bag. I don't have GAO reports that say 
this, but we have enough anecdotes, and you have heard it. Some 
CFOs are worried about losing power. Some CFOs are working 
closely with CIOs. We are seeing some progress, but we need to 
see more progress so we have equal footing there.
    I think a true measure, too, is going to be trying to get 
your arms around the IT budget. I don't think CIOs can do that 
without CFOs' help. So you have to partner with CFOs to get 
your arms around the IT budget. That is a clear position in 
FITARA. There was a reason FITARA was written that way, 
starting with this committee.
    Mr.  Hurd. At FITARA 3.0, I think it would be interesting 
to have some of the CFOs sitting alongside their CIO 
colleagues, having these conversations.
    Mr.  Connolly. Mr. Chairman?
    Mr.  Hurd. Yes?
    Mr.  Connolly. You have asked a very, very important 
question, and I would just say, when we wrote FITARA, we 
decided to make it less prescriptive and more expansive. We 
took cognizance of the fact that we had multiple CIOs, and 
rather than by fiat say there shall be one, we kind of 
encouraged the system to evolve, so that there would be a 
primus inter pares, first among equals, in the CIO 
constellation, because there were 240 or 250 CIOs. And your 
question is absolutely apt.
    So will that sort of flexible legislative framework work, 
or do we have to resort to codifying and deciding by fiat? And 
that is why I think your question is so irrelevant, and I hope 
the CFOs understand that.
    Thank you, Mr. Chairman, for the question.
    Mr.  Hurd. My last question goes to Mr. Cooper.
    I appreciate everyone being here today, and for the delay 
for votes.
    Commerce got the highest grade, yet Commerce has 114 
million lines of Fortran code, which they have 525 employees 
supporting that. There are 37 systems that are using operating 
systems that are no longer supported by the vendor. Por que? 
Why?
    Mr.  Cooper. In most cases, those support operations that 
cannot easily be replaced by commercial, off-the-shelf 
software.
    Mr.  Hurd. You are talking about the Fortran code?
    Mr.  Cooper. The Fortran code is, in most cases that I am 
aware of--I accept what you're telling me as far as the numbers 
of systems and lines of code.
    What we are doing is working with those bureaus directly 
where we have a legacy system exactly like you described. It is 
no longer vendor-supported.
    Now, what we are doing in a lot of cases is we actually are 
backporting, meaning we are getting patches through the public 
domain, and we are applying those patches on a very regular 
basis, much as we would do if we received a vendor patch. We 
are doing that in every situation that we can.
    We are also doing the following. In a situation where we 
cannot take that approach, we are doing everything we can to 
basically quarantine that legacy system. We are doing that 
specifically to prevent cyber risk in the spread of something 
coming in through a vulnerability in those legacy systems. We 
are trying to quarantine it so that we can shut it off and it 
won't then propagate across our networks or across other 
applications.
    Lastly, we are working as rapidly and effectively as we 
can, quality with speed, to replace those legacy systems. But 
because, in most cases, we can't find readily available 
commercial, off-the-shelf software, we still have to build it. 
We are taking advantage of savings we are realizing through our 
data center consolidation initiative and optimization efforts 
to redirect that savings into new development and replacement 
of some of, but not all, some of those legacy systems.
    Mr.  Hurd. Thank you, Mr. Cooper.
    I would like to thank the rest of the witnesses for taking 
the time to appear before us today. If there is no further 
business, without objection, the subcommittees stand adjourned.
    [Whereupon, at 4:29 p.m., the subcommittees were 
adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
               
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]