[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


 
       THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT


                         (FITARA) SCORECARD 5.0

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                AND THE

                            SUBCOMMITTEE ON
                         GOVERNMENT OPERATIONS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 15, 2017

                               __________

                           Serial No. 115-55

                               __________

Printed for the use of the Committee on Oversight and Government Reform








         Available via the World Wide Web: http://www.fdsys.gov
                       http://oversight.house.gov
                       
                       
                       
                            _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 29-502 PDF              WASHINGTON : 2018       
                       
                       
              Committee on Oversight and Government Reform

                  Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, 
Darrell E. Issa, California              Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Mark Sanford, South Carolina         Eleanor Holmes Norton, District of 
Justin Amash, Michigan                   Columbia
Paul A. Gosar, Arizona               Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts
Blake Farenthold, Texas              Jim Cooper, Tennessee
Virginia Foxx, North Carolina        Gerald E. Connolly, Virginia
Thomas Massie, Kentucky              Robin L. Kelly, Illinois
Mark Meadows, North Carolina         Brenda L. Lawrence, Michigan
Ron DeSantis, Florida                Bonnie Watson Coleman, New Jersey
Dennis A. Ross, Florida              Stacey E. Plaskett, Virgin Islands
Mark Walker, North Carolina          Val Butler Demings, Florida
Rod Blum, Iowa                       Raja Krishnamoorthi, Illinois
Jody B. Hice, Georgia                Jamie Raskin, Maryland
Steve Russell, Oklahoma              Peter Welch, Vermont
Glenn Grothman, Wisconsin            Matt Cartwright, Pennsylvania
Will Hurd, Texas                     Mark DeSaulnier, California
Gary J. Palmer, Alabama              Jimmy Gomez, California
James Comer, Kentucky
Paul Mitchell, Michigan
Greg Gianforte, Montana

                     Sheria Clarke, Staff Director
                  Robert Borden, Deputy Staff Director
                    William McKenna, General Counsel
   Troy Stock, Subcommittee on Information Technology Staff Director
                         Kiley Bidelman, Clerk
                 David Rapallo, Minority Staff Director
                 Subcommittee on Information Technology

                       Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair  Robin L. Kelly, Illinois, Ranking 
Darrell E. Issa, California              Minority Member
Justin Amash, Michigan               Jamie Raskin, Maryland
Blake Farenthold, Texas              Stephen F. Lynch, Massachusetts
Steve Russell, Oklahoma              Gerald E. Connolly, Virginia
                                     Raja Krishnamoorthi, Illinois
                                 ------                                

                 Subcommittee on Government Operations

                 Mark Meadows, North Carolina, Chairman
Jody B. Hice, Georgia, Vice Chair    Gerald E. Connolly, Virginia, 
Jim Jordan, Ohio                         Ranking Minority Member
Mark Sanford, South Carolina         Carolyn B. Maloney, New York
Thomas Massie, Kentucky              Eleanor Holmes Norton, District of 
Ron DeSantis, Florida                    Columbia
Dennis A. Ross, Florida              Wm. Lacy Clay, Missouri
Rod Blum, Iowa                       Brenda L. Lawrence, Michigan
                                     Bonnie Watson Coleman, New Jersey
                                     
                                     
                            C O N T E N T S

                              ----------                              
Hearing held on November 15, 2017

                               WITNESSES

Mr. Dave Powner, Director of IT Management Issues, Government 
  Accountability Office
    Oral Statement
    Written Statement
Mr. Max Everett, Chief Information Officer, Department of Energy
    Oral Statement
    Joint Written Statement
Ms. Alison Doone, Acting Chief Financial Officer, Department of 
  Energy
Mr. John Bashista, Director of Acquisition Management, Department 
  of Energy
Ms. Barbara Helland, Associate Director of Advanced Scientific 
  Computing Research, Department of Energy

                               Panel II:

Mr. Dave Powner, Director of IT Management Issues, Government 
  Accountability Office
    Oral Statement
Mr. Wade Warren, Acting Deputy Administrator, U.S. Agency for 
  International Development
    Oral Statement
    Written Statement
Mr. Jay Mahanand, Chief Information Officer, U.S. Agency for 
  International Development
Mr. Reginald Mitchell, Chief Financial Officer, U.S. Agency for 
  International Development

                               Panel III:

Mr. Dave Powner, Director of IT Management Issues, Government 
  Accountability Office
    Oral Statement
Ms. Althea Coetzee Leslie, Deputy Administrator, Small Business 
  Administration
    Oral Statement
    Written Statement
Ms. Maria Roat, Chief Information Officer, Small Business 
  Administration
Mr. Tim Gribben, Chief Financial Officer, Small Business 
  Administration

                                APPENDIX

Opening Statement of Ranking Member Gerald E. Connolly
Memo from Mr. Max Everett to the Secretary of the Department of 
  Energy regarding the designation of the CIO as direct report to 
  the Secretary, submitted by Chairman Hurd


       THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT



                         (FITARA) SCORECARD 5.0

                              ----------                              


                      Wednesday, November 15, 2017

                  House of Representatives,
 Subcommittee on Information Technology Joint with 
             Subcommittee on Government Operations,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittees met, pursuant to call, at 2:45 p.m., in 
Room 2154, Rayburn House Office Building, Hon. Will Hurd 
[chairman of the Subcommittee on Information Technology] 
presiding.
    Present: Representatives Hurd, Amash, Massie, Gianforte, 
Blum, Kelly, Connolly, Norton, and Krishnamoorthi.
    Mr. Hurd. The Subcommittee on Information Technology and 
the Subcommittee on Government Operations will come to order.
    Without objection, the chair is authorized to declare a 
recess at any time.
    And I now recognize myself for 5 minutes for my opening 
remarks.
    Good afternoon. I appreciate you all being here today. 
Today's hearing is part of this committee's continuing 
oversight of Federal IT. This began with GAO's high-risk report 
and the designation of IT acquisition on that report back in 
February of 2015, and it's been a priority of ours ever since.
    And due to the importance we place on this issue, our 
committee staffs worked with GAO to develop a scorecard to 
assess agencies' FITARA implementation efforts. This bipartisan 
scorecard has been issued every 6 months, beginning 2 years ago 
on November 4, 2015.
    The scorecard has evolved each iteration in response to GAO 
recommendations and stakeholder feedback. Scorecard 5.0 adds a 
fifth graded category to assess agencies' management of 
software licenses. We previewed this category as part of 
scorecard 4.0. For scorecard 6.0, a measure of whether agencies 
have established working capital funds as authorized by the MGT 
Act, which I was pleased to see included in the final NDAA, 
will be made a part of the scorecard.
    Ultimately, I'd like to see the scorecard evolve beyond 
FITARA implementation to more of a digital hygiene score for 
agencies. Adding MEGABYTE implementation to this scorecard is a 
step in that direction.
    The inclusion of software licensing had a negative overall 
impact on the grades. Since the last scorecard, 3 agencies' 
grades increased, 15 agency grades stayed the same, and 6 
decreased. If software licensing were not included, 8 agencies' 
grades would have increased, 14 would have stayed the same, and 
2 would have decreased. So progress is being made, just not as 
quick as it should be and needs to be.
    Legacy IT is a continuing fiscal and cybersecurity risk to 
our Nation. Those 17 agencies received an F on this new metric 
for the FITARA scorecard 5.0. It is worth noting that each of 
these agencies has efforts underway to create and use an 
inventory of software licenses.
    I hope to hear from each agency today how they plan to 
improve their score in this area. I also hope to hear from Mr. 
Powner, his thoughts on where we will be governmentwide on this 
metric in 6 months for scorecard 6.0.
    Today's hearing features three panels, with officials from 
the Department of Energy, the United States Agency for 
International Development, and the Small Business 
Administration. Their grades are a D-plus, A-minus, and C-
minus.
    As always, I'm honored to be exploring these issues in a 
bipartisan fashion with my friend and ranking member, the 
Honorable Robin Kelly, from Illinois. I'm also pleased to be 
joined by Chairman Meadows and Ranking Member Connolly from the 
Government Operations Subcommittee. I could not have asked for 
better partners in the effort to modernize technology in the 
Federal Government. And I thank my colleagues and the witnesses 
and all who have joined us in person, and for those folks who 
are watching online, for participating today.
    I now recognize my friend, the ranking member of the 
Information Technology Subcommittee, Ms. Kelly, for 5 minutes 
and her opening statement.
    Ms. Kelly. Before we begin today's hearing, I also want to 
thank you, Chairman Hurd, Chairman Meadows, and Ranking Member 
Connolly, for your steadfast leadership as our subcommittees 
continue working together to oversee the improvement of Federal 
IT systems. I'm glad to have such great partners in this 
endeavor.
    Improving the efficiency and security of the Federal 
Government's IT systems is essential to our Nation's security. 
Crucial to that effort is the ongoing oversight conducted by 
our subcommittees to hold agencies accountable for implementing 
key aspects of the Federal Information Technology Acquisition 
Reform Act. An important part of that oversight has been the 
scorecard our subcommittees developed for grading agency 
progress and meeting the FITARA requirements.
    Today, our subcommittee released the fifth version of the 
scorecard. It's been 2 years since we released the first one 
and held our first hearing on this issue. Since that time, 
we've strengthened the role of the CIO at many agencies, 
increased transparency in project management, and we've saved 
billions of taxpayer dollars. I'm proud of the work we've 
accomplished together so far.
    The new scorecard, however, shows that progress is 
difficult and that we still have a long way to go. For example, 
as the chairman talked about, while some agencies like the U.S. 
Agency for International Development have done well, going from 
a D in 2015 to an A-minus today, others like the SBA have fallen 
behind and gone from D in 2015 to a C-minus today.
    Overall, the grades for only three agencies went up on the 
scorecard, 15 stayed the same, and 6 actually went down. The 
scorecard makes clear that agencies still have a long way to go 
to address the challenge of reducing the growing number of 
Federal data centers.
    The FITARA Enhancement Act that was introduced by Ranking 
Member Connolly earlier this year would extend the timeline for 
agencies to close any unneeded data centers. The bill will also 
provide greater support to agency CIOs in their effort to 
eliminate and consolidate large numbers of data centers.
    Since the release of the last scorecard, the subcommittees 
have added software licensing as a metric of performance to 
this one. The overall grades in this category indicate that 
agencies are struggling when it comes to the management of 
their software licenses.
    I am concerned about this most recent scorecard 
performance, and look forward to hearing from today's agencies 
on the struggles and challenges they are facing in FITARA 
implementation and how Congress can be more helpful.
    There is simply too much at stake when it comes to FITARA. 
This isn't just about saving taxpayer money; it's about 
improving the overall general hygiene of the Federal 
Government, and the scored metrics here are the basics of 
running any shop.
    I want to thank the witnesses for testifying today.
    Mr. Powner, you might just be the most popular witness on 
the Hill. This is your fifth hearing with us on FITARA. I'm 
also looking forward to hearing from all the agencies here 
today. Thank you so much.
    Thank you, Mr. Chair.
    Mr. Hurd. Thank you, Ranking Member.
    And when the other members get here and want to do opening 
remarks, we can do that at the next panel. But let's go ahead 
and get into our first panel.
    I'd like to introduce the witnesses. As the gentlewoman 
from Illinois recognized, Mr. Dave Powner, one of probably--
holds the record of number of times coming before this 
committee, the director of IT management issues at the 
Government Accountability Office.
    Max Everett, chief information officer at the Department of 
Energy; Ms. Alison Doone, acting chief financial officer at the 
Department of Energy; and Mr. John Bashista, director of 
acquisition management, also at DOE; and Ms. Barbara Helland, 
associate director of advanced scientific computing research at 
the Department of Energy. Appreciate you all being here.
    And pursuant to committee rules, all witnesses will be 
sworn before you testify, so please rise and raise your right 
hand.
    Do you solemnly swear or affirm that the testimony you're 
about to give is the truth, the whole truth, and nothing but 
the truth, so help you God?
    Thank you.
    Let the record reflect all witnesses answered in the 
affirmative.
    In order to allow time for discussion, please limit your 
testimony to 5 minutes, and your entire written statement will 
be made part of the record. As a reminder, the clock in front 
of you shows your remaining time. The light will turn yellow 
when you have 30 seconds left, and the red is when your time is 
up. Please also remember to push the button to turn on your 
microphone before speaking.
    And now I'd like to recognize Mr. Dave Powner for his 
opening remarks.

                       WITNESS STATEMENTS

                    STATEMENT OF DAVE POWNER

    Mr. Powner. Chairman Hurd, Ranking Member Kelly, and 
members of the subcommittees, I would like to thank you and 
your staff for your continued oversight on the implementation 
of FITARA with this fifth set of grades.
    We've added a fifth category to grades, software licensing, 
at your request, so now the FITARA scorecard covers five of the 
seven major areas of this law. Overall, three agencies' grades 
went up: Education, OPM, and SBA; 6 went down; and 15 remained 
the same. Of the six that went down--Energy, DHS, HUD, 
Transportation, EPA, and Justice--none had a software license 
inventory, and received Fs in this subcategory.
    Regarding the software license area, 6 months ago when you 
previewed this area with scorecard 4.0, only three agencies had 
complete inventories. Now, seven do. And six of these seven 
report savings in this area: Ag, Education, GSA, NASA, VA, and 
USAID. Those six received As for this. Labor gets a C, and 17 
agencies without inventories receive Fs. Progress, but clearly 
not enough, given that this was a major section of FITARA and 
was followed up with the MEGABYTE Act.
    Another area where significant progress needs to be made is 
optimizing data centers. SSA, EPA, and GSA report solid 
progress against the five optimization metrics. Education and 
HUD are out of the data center business, as they no longer have 
any agency-owned data centers. The other 19 agencies have a 
ways to go to optimize these centers.
    The key point here is that additional and substantial 
savings can still be realized as we see better utilization of 
these facilities and equipment.
    I'd like to conclude this overview by thanking this 
committee, Chairman Hurd and Meadows, and Ranking Members Kelly 
and Connolly, and your dedicated staff, not only for your 
consistent and thorough oversight of FITARA, but also for your 
followup with the FITARA extension and the MGT Act to give 
agencies more time to implement more completely and to provide 
additional avenues for reinvesting savings in modernization 
priorities.
    Now turning to the Department of Energy. Energy plans to 
spend about $1.8 billion on IT this year. About half of this 
spending is for IT programs at the National Nuclear Security 
Administration. Energy's grades have fluctuated over the five 
scorecards between Fs and Cs, and their current grade is a D-
plus.
    The plus here is of major significance, and I would very 
much like to commend Max Everett and the Department's 
leadership as Energy is the only agency that has elevated their 
CIO reporting since FITARA was enacted.
    Another positive note is in the area of incremental 
development where they received an A. This is consistent with 
the report that we just issued on this topic where Energy was 
only one of four agencies that had incremental certification 
policy consistent with OMB guidance in FITARA.
    Turning to areas where Energy needs to improve, let's start 
with CIO tenure. Since 2004, the average CIO tenure at Energy 
has only been 1.7 years. This is a major issue and reason why 
IT has not been effectively managed.
    On data centers, Energy is reported saving $21 million 
between 2012 and 2017. However, they report not meeting any of 
the five metrics and have no additional planned savings. Their 
closures will fall short of OMB's goals for both small and 
large centers. The bottom line here is that if you're short on 
metrics, there is likely more closures and savings to be had.
    Energy's software license inventory is not complete. It 
covers CIO-controlled licenses, and they're working on 
completing the inventory for the other components.
    Finally, I'd like to note that our work for this committee 
on IT budgeting and CIO authorities shows that Energy's CIO has 
challenges in the area of IT budgeting and execution, meaning 
that there needs to be more visibility into the IT budget and 
better governance over their important system acquisitions.
    Mr. Chairman, this concludes my comments on the Department 
of Energy.
    [Prepared statement of Mr. Powner follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
        
    Mr. Hurd. Thank you, Mr. Powner.
    Now every agency is going to provide one oral remark, and I 
believe, Mr. Everett, you're going to do that for Department of 
Energy. So now you're recognized for 5 minutes.

                    STATEMENT OF MAX EVERETT

    Mr. Everett. Good afternoon, Chairman Hurd and Ranking 
Member Meadows, Ranking Member Kelly, and Ranking Member 
Connolly, and distinguished members of the committee.
    On behalf of the Secretary and deputy secretary, I want to 
thank you for inviting me to testify about the Department of 
Energy's implementation of FITARA. FITARA and its cybersecurity 
complement, FISMA, provide me the authority I need to manage 
DOE's information technology resources and cybersecurity 
program.
    I would also like to just mention, my colleagues have come 
up here who are helping us, that you introduced, they are going 
to be a critical part of telling you about the progress we're 
making at the Department.
    I would also like to acknowledge the dedicated career and 
contractor IT and cybersecurity professionals across the 
Department whose critical efforts transcend changes in 
administration. The team provided me a strong baseline from 
which to build, specifically, Mr. Robby Green, who did an 
outstanding job as the acting DOE CIO prior to my appointment.
    In order to effectively exercise FITARA responsibilities, I 
now report directly to the Secretary and deputy secretary, as 
Mr. Powner noted. They recognize not only the statutory 
requirement for this, but the best practice for public and 
private sector organizations to have technology leadership 
represented at the executive level.
    This change originated with a secretarial memorandum, and 
is reflected in the DOE organizational chart. I have regular 
meetings with the deputy secretary who every month calls to 
order the Department's senior leadership to evaluate progress 
on DOE's IT and cybersecurity strategic goals. My reporting and 
working relationships with them are evidence of the success of 
this FITARA requirement. Direct access to senior leadership is 
critical to effective IT management at the program office level 
as well.
    My office is developing guidance to program offices with 
embedded CIOs or officials with CIO-like functions, that they 
follow the FITARA reporting model and elevate these officials 
to a direct reporting relationship with their respective senior 
leadership.
    The deputy secretary has instructed that my office should 
be engaged in the hiring process for any IT management series 
2210s across the Department. Both at DOE and throughout Federal 
Government, the traditional outdated model of an IT worker is a 
challenge. We need professionals with multidisciplinary skills, 
not just the coding and network and typical skills that we look 
at for IT professionals.
    With respect to consolidation and optimization of data 
centers, we've closed 84 data centers since 2010, resulting in 
savings of approximately $21 million, and plan to shutter 
another 11 more by the end of fiscal year 2018. That said, we 
need to do more in this area, which is why we're examining ways 
to effectively accelerate that process.
    One catalyst for optimizing DOE data centers is our 
expanded use of cloud services. Our diverse department with 97 
sites in 27 States can see significant value from increasing 
our use of cloud computing.
    The National Labs are an integral component of the 
department, and as CIO, I engage with the labs through a number 
of means, including the annual laboratory planning and 
appraisal reviews. I have the opportunity to comment on 
National Lab IT activities and can refocus our efforts to 
address our concerns through development of performance 
evaluation and measurement plans, which define notable outcomes 
that the labs must meet in the coming year. I have regular 
meetings with our National Lab CIOs. I also speak regularly 
with the National Lab directors, as well as the lab operating 
board and participate in their governance meetings.
    DOE is closely monitoring the pending MGT Act to leverage 
any benefits that come out of that. We intend to use FITARA as 
well to continue to be more granular and transparent in our IT 
cost in order to prioritize the digital transformation that we 
need to undertake as a department.
    In detailing the changes, improvements, and the many 
challenges that I have seen, it's been my aim to demonstrate 
that our department is moving in the right direction. The 
Department's IT and cybersecurity governance mechanisms are 
inclusive, transparent, and we're seeking to facilitate timely 
performance of our diverse mission.
    I firmly believe we're continuing to advance and improve, 
which would not be possible without the authorities granted by 
FITARA. I'm encouraged by the interest and the efforts of this 
committee and the efforts as well shown by our leadership at 
the Department, and I look forward to achieving those shared 
goals.
    It's been my distinct honor to testify here today. And I 
would be pleased now to address your questions. Thank you.
    [Prepared joint statement of Mr. Everett, Ms. Doone, Mr. 
Bashista, and Ms. Helland follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Hurd. Thank you, Mr. Everett.
    Now I'm going to recognize the gentleman from Montana, Mr. 
Gianforte, for 5 minutes of questions.
    Mr. Gianforte. Thank you, Mr. Chairman and Ranking Member 
Kelly.
    I'm new on the Hill. I spent my career in the private 
sector doing IT deployments for large organizations, including 
deployments at 170 Federal agencies. So I very much appreciate 
you each being here.
    I wanted to focus on three specific things: First, for Mr. 
Powner generally and then Mr. Everett specifically at DOE, 
around some best practices that are used in the private sector 
and to what extent they're present. You've already mentioned 
one, Mr. Everett, the movement to the cloud. Why don't we start 
there.
    I'm curious, Mr. Powner, to what extent is movement to the 
cloud a priority within the agencies that you work with and 
audit? And do you have any metrics around percentage of 
enterprise applications moved into cloud facilities?
    Mr. Powner. I don't have good metrics on those percentages, 
but we have tracked movement to the cloud as a percentage of 
their IT budget. That's been somewhere in like--on average, 
it's about 4 to 5 percent when you look at agencies' IT budget.
    So the bottom line on this is clearly there needs to be 
more movement to the cloud. You know, we started this years 
ago, and the security was the big concern, and then you had the 
intel community going to the cloud. Folks felt more comfortable 
with that. We clearly need to go more to the cloud.
    I think when you look at the data center situation, there 
are about at least a third of the agencies that project they're 
going to be nowhere near optimizing their centers, and they 
ought to be looking to outsource that and go towards the cloud, 
you know, for many of those data centers and everything.
    A couple agencies are already out of the business. We 
probably need a few more of them if they can't manage this more 
effectively.
    Mr. Gianforte. And when you say cloud, do you mean 
consolidated data centers or are you actually moving to more 
commercial, multi-tenant applications?
    Mr. Powner. It's all over the board. There's--you know, 
infrastructure is a service. You've also got software as a 
service. So it's both the infrastructure and some of the 
applications.
    Clearly, when you look at the commodity or business 
systems, there is--that's kind of a no-brainer. In a lot of 
those areas we ought to be going more towards cloud services. 
There is some big applications, electronic health records, I 
know we've talked to the chairman about this a lot, with the VA 
and DOD going to the common electronic health record. There's 
commercial products that are out there.
    Mr. Gianforte. Mr. Everett, at DOE.
    Mr. Everett. Sure. So I would certainly address, across the 
Federal Government, I think the numbers are disappointing. At 
DOE, I think they're--you know, having come in, I think they're 
very disappointing. We need to be moving much more quickly on--
again, I think you hit on that--the commodity IT activities we 
need to move more quickly to the cloud. I think that will help 
us certainly with data center. I think there is some value to 
moving out of Federal data centers into hosted environments, 
not as an end goal, but I think that starts to break some of 
the workforce and cultural challenges we have.
    We've got to have the right skill sets to make a move to a 
cloud. It's a different--it is different skill sets. It's much 
more about managing services, managing service levels, rather 
than managing people and sort of the turning dials. We've got 
to do a lot of work around that. Those things have to go 
together. I believe they can go together in peril.
    In some cases, you know--frankly, my hope is that we just 
find some things and rip the Band-Aid and just move things. 
We've got a lot of commodity things that should, frankly, be 
able to move very quickly to the cloud.
    Mr. Gianforte. Yeah. As we talk about these scorecards, it 
might be interesting to look at what percentage have we moved 
to the cloud. I know in our own experience doing these 
enterprise deployments, an off-the-shelf cloud deployment 
typically can speed deployment by 5X and typically reduces 
operating cost by 80 percent over the life of the system, and 
that's just good for taxpayers and it's better from a security 
perspective.
    The second area I want to talk on, you mentioned the 
shortage of labor, particularly in the cybersecurity area. One 
of the practices in the private sector is the use of commercial 
third-party firms for either cybersecurity audits or 
penetration testing. To what extent is that a general practice, 
Mr. Powner, and then specifically at DOE?
    Mr. Powner. I think when you start looking at contractors 
and third parties, it's pretty heavy in the Federal Government. 
I think the challenge in the Federal Government is having 
enough of an IT workforce to oversee those contractors. I mean, 
because we've got prime contracts and then you've got program 
management that's being outsourced to private sector firms. 
Clearly, the security penetration tests and all that, that's 
going out.
    So the challenge, I think, in the government is having 
enough of qualified IT workforce to oversee those key contracts 
where we don't have the internal skills.
    Mr. Gianforte. Okay. Mr. Everett, we have about 30 seconds.
    Mr. Everett. I would concur with that. I think one of our 
challenges is we're, you know--frankly, we're very contractor 
heavy. We depend on the skills that our contractors bring, but 
we need--our Federal workforce has got to have some skills in 
terms of, again, managing them, managing business requirements, 
managing the budgets around that. I think those are a critical 
element to doing that. And we've got--and, again, that takes 
some of the Federal workforce. They have to know the right 
questions. They have to be looking for the right solutions to 
then bring in the proper contracting and talent and capability.
    And I think you know that recruiting, you know from your 
private sector experience as I do, that's an extraordinary 
challenge we face right now.
    Mr. Gianforte. Yeah. Okay. Thank you.
    I yield back, Mr. Chairman.
    Mr. Hurd. The gentleman yields back.
    I now recognize Ms. Kelly for 5 minutes of questions.
    Ms. Kelly. Thank you, Mr. Chair.
    The committee's scorecard shows that since the release of 
one of its last scorecards, June 2017, many agencies appear to 
have hit roadblocks in their progress under FITARA. For 
example, as we've talked about, the current scorecard shows 
that the overall letter grades for 15 agencies stayed the same, 
6 went down, and only 3 increased.
    Mr. Powner, in which of the five key areas of FITARA that 
was scored has GAO found agencies are struggling the most?
    Mr. Powner. Well, clearly, when you look back on the 4.0, I 
think the data center optimization, because we added the 
metrics category there, it wasn't just based on savings, and 
that was at the request of a lot of folks.
    And, again, there's about--there's 2 agencies that are out 
of the data center business, 3 agencies doing a decent job, and 
19 that I would say are doing poorly, and that's a big reason 
why the grades went down. And then now with 5.0, when you have 
17 agencies getting Fs because they don't have a software 
license inventory, that's a key reason. So those are the two 
big ones.
    Ms. Kelly. And so what accounts for the challenges? Is it 
just the software license, or what's accounting for the 
challenges?
    Mr. Powner. I think when you look at the data centers, I do 
think it's--given where we were at, for instance, on server 
utilization, to try to go from a 9 to 12 percent to 65 percent 
metric that OMB has, okay, that's a big leap.
    The software licensing, I have a hard time understanding 
that. We did a report 4 years ago that told agencies that they 
should get software licenses. It was in FITARA. It's one of the 
seven sections. You followed up with MEGABYTE. I think it's 
inexcusable that we do not have software license inventories at 
this point in time.
    Ms. Kelly. Thank you.
    Mr. Everett, the Department of Energy was one of the three 
agencies whose letter grade actually went down. What are the 
challenges you're facing?
    Mr. Everett. There's a number, as you can clearly see. I 
think, look, the reality is our scorecard accurately represents 
some significant challenges we have. And Mr. Powner hit on, 
frankly, two of them. One of them is we have too many data 
centers that we don't have a handle around, and we need to more 
aggressively--again, part of this is we're--on the data centers 
we're doing some things around DCIM, which gives us some better 
measurements of actually how we're using those existing data 
centers.
    I think that will drive some business requirements and some 
business cases to close some and help us actually use them 
better. But the better answer to that is move to the cloud. 
Again, for things that are a simple commodity, the answer is 
we've got to get to the cloud and we've got to do it faster.
    I can't disagree either on--you know, look, some of my 
nontechnical colleagues at the Department have asked me, why 
don't we have a software asset inventory. And they're right. It 
shouldn't be that hard.
    Now, I will say that we did a data call. We have, I think, 
over 64,000 lines within the database we collected of that. We 
have a significant inventory. It's not complete, and we're not 
going to represent it as complete until it is. The vast 
majority of that that came back was, in fact, provided 
electronically, so that exists in pockets in parts of our 
department.
    We have a number of gaps in the Department, areas that 
don't have that capability. So one of the things we're doing is 
leveraging. We're going back and looking at CDM. We have gaps 
in our CDM deployment, and we're actually going back and trying 
to line that up and find out, all right, where do we have gaps 
within programs and offices that need help at the enterprise 
level from my office to come back and fill the gaps so that we 
can have a complete software asset inventory.
    And, again, I just want to add, the software asset 
inventory is valuable not just to have it; it drives--you know, 
as I work with our acquisition team and work in conjunction 
with them, it's going to save us money. We know that for a 
fact.
    It's going to help us reduce our threat surface because 
it's going to tell us what kind of software we have or don't 
have. And then it's going to help us drive our IT 
transformation as we can see the gaps in capability or, 
frankly, where we have overlap in capability where we probably 
have people buying two or three different of the same 
capability in different software packages. That just needs to 
be eliminated.
    So there's no painting it any other way. Again, I 
understand many people are failing at it, but I don't--it's not 
rocket science. It's not hard. And we are pushing rapidly 
through those means to get it fixed.
    Ms. Kelly. And do you have any, not saying everything all 
at once, but any time projections or what do you see?
    Mr. Everett. So with respect to--certainly with the 
software inventory piece, we're in the process right now, we've 
brought somebody into actually to help us be strategic about 
CDM. And, again, our focus there is what are the gaps.
    We have a lot of people that have really great capabilities 
that meet many of the CDM requirements and needs. What we're 
looking for is where are the gaps. And then as an enterprise, 
as a department, how do we come in and help them fill those 
gaps.
    And, again, because we have a number--we have a very 
federated, diverse department, we have a lot of good best 
practices. We've got a lot of labs and other folks who have 
great tools in place. We're working with them to get actually 
what's working for them and try and replicate that or build it 
across the Department.
    I'll say on, again, on data centers, one of the immediate 
things we're working on is we've had some folks working on this 
DCM pilot. And, again, our labs have actually led the way. A 
number of our labs have put DCM tools in place and have worked 
with my team to share best practices that we can do across the 
Department. So our next step there is a pilot that we expand 
across the Department. That's going to give us a more accurate 
picture. And I think what it's going to show is that we have a 
lot of data centers. We just don't need anymore.
    Ms. Kelly. Thank you.
    Mr. Hurd. My first question's actually for Mr. Powner, but 
you're going to have to look for something. Towards the end of 
your statement, you talked about budget and system acquisition. 
I want you to pull that up. And while you're looking for that, 
I'm going to go to Mr. Everett.
    Mr. Everett, take about 30 seconds and tell me how your 
position changed from to reporting to directly to the agency 
head or the deputy agency head.
    Mr. Everett. Sure. Well, I--as I walked to the Department 
in July, you know, obviously I'd done a little research before 
I walked in. I knew that was the case. I've been around Federal 
Government and private sector the last number of years, so I 
was very aware that this is a challenge across government. And 
I knew walking in the door that that was something I was going 
to immediately have changed.
    The good news for me was I have a Secretary and a deputy 
secretary, both of whom have seen in public and private sector 
that that was valuable and important. They understood, without 
really any argument from me, that that was simply a best 
practice. And so, literally, it probably would have even 
happened faster. It just took a while to get the memo written 
and get it passed up to the front office.
    But for our office, I'll simply tell you that our 
leadership understood that it wasn't even really a question. It 
was an expectation that IT would be part of the leadership and 
part of this process.
    Mr. Hurd. I would like to attribute that to Secretary 
Perry's training at the illustrious Texas A&M University for 
giving him that understanding.
    And without objection, I'd like to introduce into the 
record a memo from Max Everett to the Secretary of Department 
of Energy about the designation of the CIO as a direct report 
to the Secretary, deputy secretary.
    So ordered.
    Mr. Hurd. For those that are going to read about this on 
FedScoop, and CIOs that are not reporting directly to an agency 
head or deputy agency head, they should see this memo. And 
unfortunately, there is still 12 departments or agencies where 
the Federal CIO doesn't report directly.
    I just want to clarify a point, Mr. Everett, because I 
think you addressed it fairly well. Can you answer that you 
know 100 percent of what's on your network?
    Mr. Everett. Right now, I would have to tell you the answer 
is no. I think the vast majority of people who tell you that, 
I'm not sure that they're being accurate.
    Mr. Hurd. Gotcha. Because my assumption is, if you have a 
number of agencies that don't understand what software they 
have on their system, they also don't know what hardware they 
have on their system. And that introduction of unknown 
vulnerabilities is scary.
    Mr. Powner, did you find the quote I was looking for?
    Mr. Powner. Yes, I did.
    Mr. Hurd. Can you repeat that statement, please?
    Mr. Powner. ``Finally, I'd like to note that our work for 
this committee on IT budgeting and CIO authority shows that 
Energy CIO is challenged in the areas of IT budgeting in 
execution, meaning that there needs to be better visibility 
into the IT budget and better governance over their system 
acquisitions.''
    Mr. Hurd. Ms. Doone, you're the CFO, correct, acting CFO?
    Ms. Doone. Yes.
    Mr. Hurd. What are you going to do to help Mr. Everett with 
that problem?
    Ms. Doone. We have been working--the CFO office has been 
working with CIO since the enactment of FITARA to do just that, 
to improve the alignment of the IT portfolio with the budgeting 
process.
    Even before the OMB guidance was issued back in 2015 for 
the fiscal year 2017 budget cycle, we issued guidance out to 
all the program offices to have them identifying their IT spend 
by program activity and by project. CIO did the likewise, so 
that their IT portfolio would start delineating the IT across 
the entire department.
    Mr. Hurd. Ms. Doone, do you have responsibility--financial 
responsibilities over the National Laboratories as well?
    Ms. Doone. The National Laboratories financial 
responsibility is managed by the program offices. So they 
report and they submit their budget request up through the 
program offices, who put their budgets included in their 
program office budgets that come to CFO.
    Mr. Hurd. So as the CFO of Department of Energy, you have 
the similar challenges that your colleague, Mr. Everett, has 
with these siloed activities by the National Labs, that even 
though you're responsible for all the Department of Energy, 
that you may not have the greatest insight into that. Is that 
an accurate statement?
    Ms. Doone. It is an accurate statement, but I would suggest 
that it's getting better. With the expansion of the IT 
portfolio over the last couple of years, we and CIO have 
expanded the number of data elements that the program offices 
are providing us. So we are now able to reconcile the IT 
portfolio with the budget submission that we are getting from 
the program offices.
    And I think one of the biggest benefits that we've had--we 
started working directly with CIO from the very beginning of 
the enactment of FITARA. I think the biggest accomplishment has 
been the budget and financial management staff in the program 
offices and their IT counterparts working closely together for 
the first time. And I think that's where we're going to begin 
to see more visibility and better transparency, and it's been 
both at the Federal program office level and at the National 
Laboratory level.
    Mr. Hurd. Thank you.
    The gentleman from the Commonwealth of Virginia is now 
recognized for his 5 minutes of questions.
    Mr. Connolly. I thank the chair, and welcome to the panel.
    By the way, I would say to my friend from Montana, as 
someone who also spent 20 years in the private sector before 
coming here, in the technology sector, one might look for 
metrics. If you want to know how you're doing in cloud, look at 
the data on data center consolidation, because you're not 
moving to the cloud if that's not being consolidated. If you're 
consolidating it, you are moving to the cloud, because you have 
to.
    Now, Mr. Everett, let me just say, I believe you get it and 
I believe you are an agent of change. And I think the memo the 
chairman cited gives evidence of that. So don't take this 
hostilely, but your words are welcome, but you got an F in data 
center consolidation. Your score went down, not up, which 
suggests regression.
    And it is the Department of Energy, the National Labs, that 
kind of in the dead of night went to the U.S. Senate and got an 
exemption for themselves. The ink wasn't even dry in FITARA. 
Last time I checked, that's under your purview, which would 
suggest resistance to change, to trying to get this right.
    So why should we believe, you notwithstanding, all of you 
being sincere human beings, why should we not believe that, 
frankly, the Department of Energy is retrograde, they're not 
with the program, they're not cooperating, they're treading 
water in the hopes we'll give up and stop looking, and 
progress, you know, is just not in the forecast?
    Mr. Everett. Well, we have to make that change.
    Mr. Connolly. I can't hear you.
    Mr. Everett. Apologies. Ranking Member, I think the answer 
is we have to make that change. I hope that you don't give up.
    Mr. Connolly. Oh, we won't give up.
    Mr. Everett. I know you won't, but, you know, even beyond 
my tenure, I hope that you don't give up. One of the reasons 
that Ms. Helland is up here is, I can tell you, in my 4 1/2 
months at the Department, her work in the Office of Science has 
been a huge help and a huge part of correcting some of those 
issues.
    I can tell you that our approach, and this starts directly 
with my Secretary and deputy secretary, and I have been in 
their presence when they told this directly to the lab 
directors was that there is one department. That is their 
expectation. That is the expectation they have given to me. 
That is the expectation I repeat on a regular basis.
    And so I believe that's--you know, history aside, I believe 
that's a starting point. I'm glad that Ms. Helland joined us, 
because, again, she has been an ally to me. I think she can 
talk about some of the work she's actually been doing to help 
us build some of the reporting mechanisms around CPIC, around 
FITARA, around how we hold the labs to a level of 
accountability that we expect for everyone in the Federal 
Government.
    Mr. Connolly. And I want to hear that from Ms. Helland, 
but--just one more--but you got an F in data center 
consolidation, which is the heart and soul of FITARA. It's how 
we save money. It's how we reinvest in ourselves. It's how--
it's an actual metric whereby we measure are we making progress 
or not. Tell me why you got an F.
    Mr. Everett. Because we haven't done the job. I mean, there 
is no way around it.
    Mr. Connolly. All right. Have you set metrics for yourself 
internally?
    Mr. Everett. We have.
    Mr. Connolly. Okay. How many data centers are there in the 
Department of Energy?
    Mr. Everett. I'll pull it up here, but there are----
    Mr. Connolly. All right. Take your time while we listen to 
Ms. Helland.
    Mr. Everett. 289.
    Mr. Connolly. 289, okay. He's telling the truth, right? No. 
So 289. Have you set a goal for yourself that by, you know, a 
year from now or the next report card there will be 289 minus 
X?
    Mr. Everett. The existing goal is 11, is to reduce it by 
11.
    Mr. Connolly. By 11?
    Mr. Everett. By 11.
    Mr. Connolly. Well, that's a pretty modest goal.
    Mr. Everett. I think that's exceedingly modest.
    Mr. Connolly. So can we be a little more robust in our goal 
setting?
    Mr. Everett. We will be more robust. We are pulling 
together and working hard. I want to be thoughtful. I don't 
want to give a number I can't back up.
    Mr. Connolly. I understand.
    Mr. Everett. But at the same time, no, the answer is 11 is 
a pittance.
    Mr. Connolly. But so I would just say, also again to my 
friend from Montana, and I think he would agree, I have 
experience both in the public sector and the private sector. If 
you don't set heroic goals, stretch goals, nothing happens. 
Now, not impossible goals, because then nothing happens either, 
but stretch goals. And so 11 is hardly a stretch goal. And I 
hope when you come back here, you're able to say, well, we said 
11 and it's 110. We got it off by a zero.
    My time is going to run out, but, Ms. Helland, I want to 
give you an opportunity to comment on the National Labs.
    Ms. Helland. Thank you. We actually started in 2015, July 
of 2015, working with the Office of Science labs. And at that 
time, we also had three Energy labs that we were working with 
to look at our lab planning and appraisal process, which is a 
way that we actually included CIOs in that process so that we 
could see--we asked them to report on their current IT spending 
and their current research computing, so that this instrument 
became effective for the other program office--or other program 
offices in the Office of Science.
    Mr. Connolly. Well, I just want to say in closing that I 
echo what the chairman and Ms. Kelly said. What makes me feel 
better about your score is you, because I think you are 
committed to making this happen, and the reporting sequence is 
now right. And when you're in that kind of position, you can 
make things happen, and it's pretty clear you're committed to 
doing that. And so we'll back you up. We'll help you. We're not 
going away.
    And I applaud my colleague, Mr. Hurd, on the Republican 
side of the aisle, for absolutely--and Mr. Meadows is near, but 
the four of us, you know, are just not going to give up. And 
we're here to try to both nudge and support and use it to your 
advantage. Thank you so much.
    Thank you, Mr. Chairman.
    Mr. Hurd. Now it's my pleasure to recognize the 
distinguished gentlewoman from the District of Columbia, Ms. 
Eleanor Holmes Norton, for her 5 minutes of questioning.
    Ms. Norton. I thank my friend for yielding, and I thank him 
for this hearing, and our witnesses for their informative 
testimony.
    This is a hearing about the Federal Information Technology 
Reform Act, the act itself. I'm trying not to use letters and 
acronyms. And it's essentially about IT and the progress we are 
making at a time when that can determine, in private industry, 
go or stop. I regard it as just as important for the Federal 
Government.
    I was intrigued by the work of the chief information 
officers that GAO looked at how enhanced authority was 
assisting the chief information officers in certifying major IT 
investments. And here's where I need clarification. They said, 
and I'm quoting here, ``adequately implementing incremental 
development.'' I got intrigued, what in the world is that, and 
had staff look it up, and discovered that adequately 
implementing incremental development is for the investment to 
deliver functionality every 6 months.
    So in order for me to understand what that meant, I took as 
an example, since you were testifying here today, Department of 
Energy, because it was among the agencies that achieved an A 
score on this particular--in this particular category.
    What was responsible--you make me understand incremental 
development. If you apply it to the Department of Energy, and 
make me understand how the Department of Energy earned an A 
rating for incremental development.
    Mr. Everett. So I'd love to take all the credit for that, 
but that I think has been a historical strength of the 
Department. And, again, some of our career folks have been a 
key component of keeping that going.
    The focus of that is around--I don't think it's a secret to 
many of us who have been around D.C. that, historically, when 
departments engage in long, multiyear projects, those tend to 
have significant problems in financial management and delivery.
    So the--I think it's a very good thing to be measuring 
that, because the importance of that is, when you're actually 
delivering capability--you know, this is--you know, in the 
private industry, it would typically cause sort of agile 
development. You're constantly adding showing capability. 
You're demonstrating that you're actually producing something.
    The flip side of that would be if we did some large, 
multiyear development and said, we'll start here, 2 years 
later, we'll see what happens, historically that has been a 
very poor management technique in IT and certainly in the 
Federal Government.
    What I've observed so far at the Department of Energy is I 
think we're deserving of that grade, because I think there's a 
lot of focus on, again, that incremental movement to make sure 
we're delivering something in sort of bite-sized manageable 
chunks.
    Ms. Norton. That really does make me understand it. It 
certainly makes me understand why this every 6 months. And for 
IT, clearly every 6 months is important.
    But since you already are looking every 6 months, what will 
you suggest for those who don't have--I mean, you're looking at 
them every 6 months too. So what do they need to do so that 
every 6 months--do we need a shorter timeframe for people who 
don't have A scores, for example?
    Mr. Everett. Yeah. I mean, I think you--you've got to 
start--you know, you may start to drive the metric a little 
shorter. You may not necessarily have delivery. But finding 
ways to measure that--again, the goal of it is just practically 
to be intermittently actually watching and seeing what's----
    Ms. Norton. Well, does it, in fact, result in increases in 
the score?
    Mr. Everett. Oh, yeah, it does. I mean, it certainly has 
for us.
    Ms. Norton. By looking every 6 months, even with those who 
haven't received this A rating, then their ratings tend to go 
up because you're looking every 6 months.
    Mr. Everett. Yeah. I think you've constantly got to watch 
that and measure it and make sure that they really are showing 
actual measurable deliverables and improvements.
    Ms. Norton. Mr. Powner, did you have anything to add to 
that?
    Mr. Powner. No. I think it's clearly a best practice to go 
with shorter deliveries instead of longer deliveries. I do 
think--you know, when we measure this, we know where all the 
warts are looking under the covers here. So the one thing is 
this is how they plan. If you look closely at whether they 
deliver against the plan, it might be a little less so we 
shouldn't get too comfortable.
    The other thing that I would like to say is, as we 
understand more what we actually spend on IT, there's probably 
more software development projects that should get listed under 
this category, and it might not look so rosy.
    So I don't want to rain on the parade, but I do think it's 
important to make sure we understand that there's still work 
for some of those agencies that have As. Go small and it's 
much better.
    Ms. Norton. Appreciate that criticism.
    And thank you, Mr. Chairman.
    Mr. Hurd. Thank you.
    A couple of quick questions for you, Ms. Doone, and you, 
Ms. Helland.
    Ms. Doone, what are you going to do to help Mr. Everett 
populate the Working Capital Fund that we are going to create 
with a successful implementation of the MGT Act?
    Ms. Doone. Well, once the MGT is enacted, we'll have to 
take a look at the structure of the Working Capital Fund.
    DOE has an existing Working Capital Fund, and there are 
several line items in our current Working Capital Fund that are 
managed by CIO. The most significant one is a cybersecurity 
investment of about $35 million, which is intended for 
enterprise-wide cybersecurity. So we already leverage our 
existing Working Capital Fund to support his efforts in a 
number of areas, including network support as well.
    Mr. Hurd. So the Working Capital Funds created by MGT is 
something that only the CIO can touch, and it's to put money 
that is saved from doing things like transitioning into the 
cloud, getting your software licensing under control, because 
the savings that they're going to realize, they're not going to 
be able to use in that calendar year.
    How do we make sure that that's captured so that by the end 
of next fiscal year, that money is transferring to that 
account?
    Ms. Doone. Yeah. That would be something that we would have 
to look at. And, yes, if this were a mechanism totally 
dedicated to capturing the savings from the variety of IT 
savings, then that would be something that we could do and 
perhaps look at that and see if that could then support it. 
Because that would be a mechanism that would target that money, 
those savings directly recouping them and allowing CIO to 
invest into much-needed enterprise IT modernization.
    Mr. Hurd. Do you think we can do that within a calendar 
year, 12 months? There's only one answer to that, by the way.
    Ms. Doone. It's certainly a very straightforward request to 
recapture savings. The challenge is identifying those savings 
and getting them captured and moving them over to----
    Mr. Hurd. As long as you're in this position, are you 
committed to helping Mr. Everett do that?
    Ms. Doone. Oh, absolutely.
    Mr. Hurd. Mr. Bashista, are you involved too?
    Mr. Bashista. Yes, sir. A number of initiatives that we're 
supporting the CIO, as we discussed, the CFO and CIO in 
procurement and contracting, we face a lot of the same 
challenges being decentralized. So on a programmatic basis----
    Mr. Hurd. I get it. But are you going to help Mr. Everett 
make sure we capture that savings when he improves the software 
licensing, introduces CDM, and figures out their technology 
doesn't have, and he saves money, are you going to help us make 
sure and work with Ms. Doone in getting that in an MGT Working 
Capital Fund?
    Mr. Bashista. Absolutely.
    Mr. Hurd. Awesome.
    Ms. Helland, the National Laboratory CIO's council, who 
does that report to?
    Ms. Helland. It actually reports to--I mean, it was formed 
by the National Lab--the CIOs at the National Labs for them to 
identify common practices and best practices across the labs so 
that they could work together. Technically, I'm not sure it 
reports to anybody, but we certainly--both Max and I sit on the 
executive board.
    Mr. Hurd. Mr. Everett, do you have a response to that?
    Mr. Everett. So the NL CIO council reports to the--I 
believe it's to the National Lab director's executive council.
    Mr. Hurd. Do you have insight into the types of things the 
CIOs at the National Labs are putting on their network?
    Mr. Everett. We do. And we're--so we don't have full--
again, and I tell you, in all honesty, I don't have that fully 
on our current network. We are in the process. And, again, at 
the direction of our deputy secretary, within 2 weeks of his 
joining, we put forward a memo under his name that I am 
responsible for as part of our iJC3, which is for our 
enterprise SOC, that all elements of the Department, including 
all laboratories, sites, Federal program offices, everybody is 
going to be responsible. And we're working right now to deliver 
certain data that I have put together a taxonomy on that will 
come up for us in a consolidated manner so that we have--and, 
again, that's an initial visibility across every network in the 
Department.
    The move from that will be to then incorporate the CDM 
capabilities, to your point, so that we can see hardware, 
software, all the other pieces, so that we can have that 
visibility of our cybersecurity posture across the entire 
Department, labs included.
    Mr. Hurd. Great. And, Mr. Powner, I'm looking forward to 
GAO reviewing and ensuring that is moving in that direction.
    I want to thank our witnesses for appearing before us.
    Mr. Connolly. Mr. Chairman?
    Mr. Hurd. Yes, sir.
    Mr. Connolly. Just a footnote to----
    Mr. Hurd. I yield to my gentleman--my friend from the 
Commonwealth.
    Mr. Connolly. I thank my friend.
    Just I was listening to your questioning of Ms. Doone, if 
you're looking for more savings, maybe you might expand that 
goal of 11 data centers being consolidated. I was just doing a 
little quick math on the back of my envelope, and with that--if 
that's our annual goal, it's going to take 27 years to address 
the total number of data centers you've got at the Department 
of Energy.
    So, I mean, I do think there's some real room for expansion 
there that would have big payoff, and the MGT legislation 
rewards it. And, oh, by the way, working with Mr. Powner and my 
colleagues, the FITARA extension bill that extends the sunsets, 
including a data center consolidation, is, as we speak, on its 
way to the President for his signature.
    So there will be several more years of scrutiny over data 
center consolidation. So use that time and effectuate those 
savings, especially in anticipation of the authority you're 
going to get, especially through the leadership of my friend 
Mr. Hurd, in the MGT legislation.
    Thank you, Mr. Chairman.
    Mr. Hurd. Thank you.
    I'd like to thank our witnesses for appearing before us 
today. The subcommittees will now have a very, very brief 
recess, 2 minutes, to set up for our second panel.
    The subcommittee stands in recess, subject to the call of 
the chair.
    [Recess.]
    Mr. Hurd. The subcommittees will come to order.
    I'm pleased to introduce our second panel. Again, the 
illustrious Dave Powner; Mr. Jay Mahanand, the CIO for the U.S. 
Agency for International Development; Mr. Reginald Mitchell, 
CFO for USAID; and Mr. Wade Warren, acting deputy 
administrator at USAID. Welcome to you all.
    And pursuant to committee rules, all witnesses will be 
sworn in before they testify, so please rise and raise your 
right hand.
    Do you solemnly swear or affirm the testimony you're about 
to give is the truth, the whole truth, and nothing but the 
truth, so help you God?
    Thank you.
    Let the record reflect all witnesses answered in the 
affirmative.
    Again, in order to allow time for discussion, please limit 
your testimony to 5 minutes. The entire written statement will 
be made part of the record.
    Again, as a reminder, the clock in front of you, when it 
turns yellow, you have 30 seconds; when it turns red, your time 
is up. And please turn on and off your microphone.
    I now recognize Mr. Powner for an abbreviated statement.

                           PANEL II:

                    STATEMENT OF DAVE POWNER

    Mr. Powner. Thank you, Mr. Chairman.
    USAID plans to spend about $40 million on IT this year. 
Eighty-two percent of this is used for operational systems, 
leaving just over $25 million for new development. One of the 
largest investments is its financial management system that is 
used to manage and report on foreign assistance funds. Last 
year, over $13 million was spent on the system, and over the 
years, over $225 million has been spent on this critical 
system.
    USAID's overall grade jumped from three straight Ds with 
your first three scorecards to an A the last two. They are the 
only agency to receive an A on the FITARA scorecard.
    There are lots of positives here. Their CIO tenure is 
better than most. They have had only two CIOs since 2009. They 
have As in four of the five areas. They report the second 
highest portfolio stat savings as a percentage of their overall 
spend. Management of their software licenses has been 
centralized since 2004, resulting in an A in this area.
    The one area where we did not see an A is on data center 
optimization. USAID still needs to meet the server utilization 
metrics for its 80-plus nontiered or smaller data centers.
    Finally, I'd like to note that our work for this committee 
on CIO authorities shows that there is still some work to do on 
IT budgeting and execution, especially on improving governance 
over its IT acquisitions.
    Mr. Chairman, this concludes my comments on USAID.
    Mr. Hurd. Thank you, sir.
    Again, only one person is going to provide remarks for 
USAID. Who is that going to be?
    Mr. Warren, you're now recognized for 5 minutes.

                    STATEMENT OF WADE WARREN

    Mr. Warren. Thank you.
    Thank you, Chairman Hurd and Ranking Member Kelly and 
members of the subcommittee, for inviting me here to testify 
today regarding USAID's progress on FITARA. We're grateful for 
your support on this effort.
    I brought with me today my colleagues, Regi Mitchell, who 
is USAID's chief financial officer; and Jay Mahanand, who is 
our chief information officer. They have both been very 
instrumental in our technology reform efforts, and I'm happy to 
have them with me here today and to help answer questions.
    As you know, USAID is a global agency. Our work is often 
done under the most difficult circumstances, from a tent in 
Mexico City after the recent earthquake, to a small mission in 
East Timor where the internet connection is less than reliable, 
to a refugee camp in Jordan.
    Strong and effective information technology systems are 
essential to USAID achieving its mission in a modern world. And 
so USAID is proud to have received the first A rating ever 
given under the FITARA scorecard. But it hasn't always been 
this way at USAID.
    Eight years ago, USAID's IT was in disarray. In Washington, 
we spent hundreds of thousands of dollars every year acquiring 
new equipment and on powering and cooling our data center. What 
we got for it were regular outages and a system that left 
employees tethered to their desks.
    In the field, the situation was even worse. USAID often 
operates in countries with low bandwidth, and our old email 
system did not function well in this environment, leaving many 
staff waiting for long periods of time for email messages to 
load, if they were able to access email at all.
    Seven years ago, in February 2010, we realized that the 
status quo was not sustainable, and we began taking steps that 
ultimately gave USAID a cloud-based email system. And over the 
last few years, the Agency has developed into the leading 
Federal agency for cloud computing.
    So today, I would like to share with you what we view as 
the four keys to our success. First, we accepted that updating 
our IT system would be risky, that we would run into problems, 
and that we would not get everything right the first time. We 
knew that we needed to improve, and we were willing to take 
those risks. We embraced change.
    Second, we had real buy-in from agency leadership. We 
realized that for USAID to remain the world's premier 
international development agency, modernizing our technology 
had to be a top priority. We committed significant financial 
and human resources to this effort and championed it from the 
top down.
    Third, we continue to improve, plan for what we know will 
come, and deliver results. Today, we have embraced a culture of 
incremental progress. And we regularly make small investments 
in our information systems that keep them from going out of 
date or losing interoperability. And I'm proud to say that 
because of these investments, USAID is not operating a single 
legacy system.
    And fourth, we committed to hiring experts at a senior 
level who have the technical know-how to implement these 
changes and keep us ahead of the curve. We worked hard to 
recruit knowledgeable, experienced staff, and provide training 
and support for the staff we have.
    All of this hard work has led to important increases in 
efficiency for our workforce and significant cost savings that 
today we are using to reinvest in our platforms.
    Mr. Warren. Moving forward, we will ensure that we continue 
to remain ahead of the curve and lead the U.S. Government in 
our embrace and effective use of modern information technology.
    To further optimize data center operations, the agency is 
in the process of migrating our already outsourced data center 
to a cloud environment, and USAID is taking steps to actively 
manage the cybersecurity risks that we all are aware of today.
    So in conclusion, we are committed to maintaining our 
status as a Federal leader in IT space. We look forward to 
collaborating with you to address future challenges and new 
opportunities for reform.
    Thank you for your time, and thank you for your support of 
our efforts.
    [Prepared statement of Mr. Warren follows:]
    
    Mr. Hurd. Well, Mr. Warren, thank you for not taking all of 
your time, number one. And I also want to say thank you for 
what your organization does. I had the honor of serving 
alongside many of the men and women in USAID, and I know the 
work that you do and saw it up close and personal. And, Mr. 
Mitchell and Mr. Mahanand, you facilitate that activity. So 
what you do is very important, not only for our country, but 
for the countries that we are working in. So I am a supporter 
of your organization.
    That being said, Mr. Warren, my first question is why does 
Mr. Mahanand not report directly to you or Ambassador Green?
    Mr. Warren. Thank you. We have--in our agency, we have an 
assistant administrator for management, and she has 
responsibility for the CFO function, the CIO function, the 
facilities management, and the budget of the operational budget 
for the agency. She reports to me. But the CIO and the CFO both 
have a dotted line to the administrator. They are free to go to 
him directly when they have issues that are of concern to them. 
And that's the way we've been managing ourselves over the--over 
the last number of years.
    You may be aware, however, that we are in a redesigned 
effort with the State Department now to look at how the State 
Department and USAID work together and how we can change our 
procedures internally to make them more effective and looking 
at the reporting relationships of the CIO and the CFO was part 
of what we are looking at now.
    Mr. Hurd. Mr. Powner, do you have any opinion?
    Mr. Powner. I think clearly it's much better if you report 
up to the box. Right? And I think as long as there's access. 
We've seen sometimes where there's this management guru in 
between, and we've heard this. The key question is whether that 
access is consistent and enough to the top when you need to get 
the right decisions and the right support.
    Mr. Hurd. Mr. Mahanand, I'm going to assume that since 
there's only been two CIOs--since when Mr. Powner?
    Mr. Powner. Since 2009.
    Mr. Hurd. --since 2009, I'm assuming you have a positive 
opinion of your access to senior leaders within your 
organization.
    Mr. Mahanand. Yes, I do. I mean, I've--any time there's a 
need to escalate, I will do that. But in the current structure, 
there is no need. The--as far as the system administrator for 
management, I mean, my daily op--my daily interaction is with 
her. And so I've not--don't have the need to actually go to 
her--or go to the administrator. Most of my activities go 
through her.
    Mr. Hurd. Can you answer with 100 percent certainty that 
you know everything's on your network?
    Mr. Mahanand. Maybe 99.9 percent. On our network, we do 
have--we do have monitoring software. I'm talking about the 
physical network here. So we do have port security. We have--
anything that actually touches the network, we are notified of 
that.
    What we're not--what I'm not really sure about is really 
the services that's purchased outside and not necessarily 
connected in the network. That is something that we actually 
track in terms of looking into software, but there's--you know, 
there's a potential in shadow IT within the agency, and that is 
the only thing that I'm not positive about.
    Mr. Hurd. How do you do CDM?
    Mr. Mahanand. CDM, right now, we're in phase I, and it's 
scheduled to be deployed February of 2018.
    Mr. Hurd. Deployed in 2018. So complete within 4 months?
    Mr. Mahanand. Yes. I mean, we actually started about 2 
years ago. We've piloted CDM, and so the final deployment is in 
February of 2018.
    Mr. Hurd. So the pilot deployment, do you have the 
enforcement mode engaged?
    Mr. Mahanand. I believe so.
    Mr. Hurd. Can you get me an answer?
    Mr. Mahanand. Yes, I can.
    Mr. Hurd. Thank you.
    Mr. Mitchell, how are you going to help Mr. Mahanand create 
a Working Capital Fund once MGT is complete, so when he is able 
to get a complete insight into his network and saves money, he 
has access to that Working Capital Fund?
    Mr. Mitchell. We would--I will be able to support our chief 
information officer by setting up this fund and working with 
them to develop the procedures and policies governing the 
operations of this particular fund.
    I think it's important to note that the budget per se does 
not fall under my purview, but I do have budget execution. And 
I do work with Mr. Mahanand and his staff as far as providing 
them with real-time data, executional data, so that he can 
better have decision-making capabilities.
    Mr. Hurd. So if their budget doesn't fall under CFO, who 
does the budget fall under?
    Mr. Mitchell. The operation budget, including the capital 
investment fund, falls under the office of management policy, 
budget, and planning office, and that office is located in the 
Management Bureau.
    Mr. Hurd. And, Mr. Warren, that is this person you 
described----
    Mr. Warren. Yes. This assistant administrator for 
management has responsibility for the CFO, the CIO, and the 
operational budget.
    Mr. Hurd. So, Mr. Warren, in my remaining 15 seconds, what 
are you going to do to help to make sure Mr. Mahanand has the 
MGT Working Capital Fund so he can use that at the end of next 
fiscal year?
    Mr. Warren. Well, as I stated, the senior leaders of the 
Agency, both the career and the political staff, are very 
supportive of the IT function. We recognize that we can't do 
our work around the world without it. And we--I--Jay and Reggie 
and I work closely to ensure that our IT needs are met, so I'd 
be very supportive.
    Mr. Hurd. Ms. Kelly, you're recognized for 5 minutes.
    Ms. Kelly. Thank you.
    The IT Dashboard is a public website that allows Federal 
agencies, industry, and the general public to see the details 
about Federal information technology investments and their 
risks. Those risks are submitted by the CIO for those agencies.
    Mr. Powner, can you briefly explain why the IT Dashboard 
exists and what factors affect scoring?
    Mr. Powner. So the IT Dashboard is there to make sure we 
have visibility into the major investments. We look at the 
roughly $100 billion that we spend, so that's roughly half of 
what was on these major larger investments. So we know what 
they are, and we also have some costs and schedule performance. 
But a key part of that is the CIO rating.
    So, for instance, USAID has 87 major investments. 
Interestingly, they get an A in this area because they don't 
have a single green on the Dashboard, everything's red or 
yellow, where they acknowledge risk. You could do that 
different ways. We like to see the acknowledgement of risk 
because these things are typically difficult and you want to 
admit the risk so that they can be effectively managed.
    Ms. Kelly. And you talked about USAID, but the other 
agencies in general, are they doing a good job, accurately 
reporting, not doing a good job? And what are the implications 
for not accurately reporting?
    Mr. Powner. I think over time, especially with your 
scorecard, we see more risk acknowledged on that dashboard, so 
that's been a good thing. There's some agencies that had a 
complete flip. They were all green, and then all of a sudden, 
they're, you know, heavy on the reds and yellows, which that's 
a more accurate reporting.
    So we've seen improvements in these areas. There's still 
some concern.
    Yeah. The other area of concern is sometimes some large 
investments are categorized as nonmajors, and that's one way to 
hide visibility on the Dashboard. And again, we know who those 
agencies are, and we're kind of watching some of those larger 
nonmajors.
    Ms. Kelly. Okay. Thank you.
    Mr. Mahanand, in the category of transparency, USAID 
received transparency in risk management an A. Can you briefly 
explain how USAID goes about determining the levels of risk 
facing its major IT projects?
    Mr. Mahanand. Sorry. For us, we have five major business 
cases. Three of them is in operations. And so--but they provide 
critical function for the Agency. And so what we look--we take 
a look at--we start previously taking a look at the mid rating 
here, as far as the risk is concerned. So, you know, we look at 
the projects that's being executed. We looked at the overall 
importance of the specific program, and we make a determination 
of what is happening to--specifically in activities in those 
areas.
    And so when the--quarterly when the report comes to me, I 
take a look at it. We review it with the program staff. I make 
a determination exactly where we feel that the risk grading 
should reside. For the most part, we start with a three. We 
usually start with a five, because some of these business cases 
were in operations, and we didn't think necessarily that is 
something we need to really worry about.
    But given the fact, you know, we heard from GAO in terms of 
we want to see the risk grading realized, and actually we 
thought what we were doing and then started a three. And then 
we would make decisions based on where we are with those 
projects within those business cases or investments. We would 
make a decision whether or not the project is risky or not 
risky. But we continued this to start at a three and then we 
are way back and forth between a three, between a one and a 
five.
    Ms. Kelly. Just out of curiosity, because you have done so 
well with your A ratings, do other agencies ever call and 
find out what you've done or what your secret is?
    Mr. Mahanand. Yeah. We've actually--we've gotten calls from 
three--about five agencies. We've spoken to them. We've 
actually spoken to the specific working group for GSA and some 
of the things we've done.
    I mean, just from a history perspective, some of the things 
we've done before previously, like the data center 
consolidation. We got rid of our data center NRB in 2011. We 
just didn't get credit for it as we move along, because we 
started really early in that. And from our perspective is that 
we just wanted to make sure that the data itself and the 
information and the reason behind the specific intent of each 
one of these scores.
    And so we looked at that--because I thought we did really 
well. We continue to do well, and I wanted to make sure that, 
you know, our progress, our performance reflects the scoring. 
That's where we actually found out there were some errors in 
how we were reporting. And so we--we basically worked with GAO 
and figure out what those areas are, corrected it, and 
basically provide the evidence that, you know, we are where we 
are with those scores. And that's why you saw from a D to an A.
    Mr. Warren. If I could just add a thought. Our approach and 
attitude about IT risk, I think, is part of a broader agency 
perspective on risk. And we work in some dangerous, risky 
places around the world. And so we try as an agency to be very 
aware of and forthright about the risk that we're facing. And 
Reggie and I actually lead an agencywide risk assessment 
process every year that looks at IT risks, financial risks, 
physical security risks. And so the sort of transparency that 
we bring to the IT risk, I think, is part of a broader culture 
in the agency about confronting risk.
    Ms. Kelly. I yield back.
    Mr. Hurd. The gentleman from Montana is recognized.
    Mr. Gianforte. Thank you, Mr. Chairman.
    Mr. Warren, I understand from your testimony that you've 
moved 100 percent to the cloud. Is that correct?
    Mr. Mahanand. I would say, again, maybe 99.9 percent.
    Mr. Gianforte. Let me congratulate you on your 
aggressive adoption of these newer technologies.
    I'm curious, in that transition, how much work was done to 
move from, let's say, more custom software to more commercial 
off-the-shelf software, and where would you be in that 
transition?
    Mr. Mahanand. So as far as moving to the cloud, there's 
specific things that we have in terms of infrastructure as a 
service, platform as a service, or software as a service. Every 
application we look at we basically make a determination. We go 
back to the cloud first policy. Any new application that comes 
up, we look at it, we basically said whether or not there is a 
surface--a service offering out there that we can actually use.
    So, for instance, we--when we were modernizing our internet 
on our internet, we basically look at the--look at the specific 
services, and we actually went with cloud services instead of 
going with, you know, commercial off-the-shelf software. So 
those are the types of decisions we make when we actually look 
at software or look at renewed software.
    Mr. Gianforte. And, Mr. Powner, is there, in your 
observations--I mean, we know that when we send a committee off 
to design a piece of software and we tell them we want a horse, 
we often get a camel as a result, because there's so many 
requirements that are included. And this--when we build custom 
software, it just drives up the cost and increases brittleness 
of integrations and these sorts of things.
    In your observations from working with the agencies, how do 
you--where are we in this transition from custom designing 
everything to the bias that Mr. Mahanand has expressed towards 
commercial off-the-shelf software?
    Mr. Powner. Collectively as a government, we still custom 
design way too much than we need to. And the problem there is 
in the government changing your business process to adapt to 
commercial products is, is we're way behind, especially when 
you compare that to the private sector. There's such an 
unwillingness to adapt those business processes and adopt to 
commercial software. So we need more and more of that going 
forward.
    Mr. Gianforte. But you believe that a bias towards 
commercial off-the-shelf would be a best practice and it would 
reduce cost?
    Mr. Powner. Absolutely. Absolutely. And change our business 
processes. Look at these financial management systems that we 
try to put in place. Why do some folks implement them right out 
of the box and others we try to modify 3 years to implement a 
commercial financial management system?
    Mr. Gianforte. Yeah. Mr. Mitchell, in this transition, how 
much money has been saved moving to the cloud?
    Mr. Mitchell. I would have to defer to our chief 
information officer.
    Mr. Mahanand. I think we'd have to look at each specific 
offering. For example, our data centers, we--from 2013 to 2016, 
we saved about $8 million, but each--we haven't--I don't think 
we have accumulated the number of our savings. I think it's 
about for the last--if we calculated, about maybe 60--I don't 
know, $50 to $60 million for the last 3 or 4 years.
    Mr. Gianforte. Just to put that in perspective, what 
percentage is that of your total budget?
    Mr. Mahanand. So our budget is about $100 million in OE and 
about $25 in DME, so that would actually be about 60 percent.
    Mr. Gianforte. Sixty percent savings from moving to the 
cloud?
    Mr. Mahanand. Yeah.
    Mr. Gianforte. Okay. And what have you experienced from a 
system reliability and security perspective? Has system 
reliability and security gotten better or is it harder in the 
cloud?
    Mr. Mahanand. I think it's gotten better. I mean, I think, 
as Mr. Warren said, when we first moved emails to the cloud, I 
think we had outages daily. We moved to a cloud email system, I 
think we were the second in the Federal Government to do that. 
And I can't remember being down for more than an hour till now. 
And this happened in 2011, I think we started.
    Mr. Gianforte. And from a security perspective?
    Mr. Mahanand. You know, they go through the same controls 
as far as testing is concerned. So, you know, we look at their 
CNA packages; you know, we give it an ATO. So, you know, we 
have a part to play in of basically looking at the security 
profile of each one of these cloud vendors. So we are pretty 
confident the security is actually--I would say much better 
than, you know, having a system administrator in all these 
different places, not necessarily looking at what they're 
doing.
    So within the cloud, there's a single administrator. We 
control that administrator. So I think security is enhanced as 
well.
    Mr. Gianforte. Just to play back what I've heard, a 60 
percent reduction in costs, increase--dramatic increase in 
reliability, better security; sounds like it's a win.
    Mr. Mahanand. We think so.
    Mr. Gianforte. Okay. Thank you.
    I yield back.
    Mr. Hurd. Thank you.
    Now the gentleman from the Commonwealth of Virginia, you're 
on the clock.
    Mr. Connolly. Thank you.
    And congratulations to USAID. And I take a little bit of 
special interest. In my previous incarnation here on the Hill, 
before my 20 years in private sector, I spent 10 years on the 
Senate Foreign Relations Committee. And my job was to write the 
foreign aid bill. And I helped write the very last one to 
become law in 1986. That's how ancient I am. And it was so 
good, apparently, that we haven't passed one since.
    In any event, congratulations. And I think--well, let me 
ask you, Mr. Warren. What happened? You were getting a D and 
you moved it up to an A. I'm talking process and political 
decisions here, not we moved the grommet to the widget and the 
widget to the--what happened inside A that changed it--changed 
the will to want to do it differently?
    Mr. Warren. So two points to make, I think. The jump from 
the D to the A was largely from working with GAO to better 
report what we had been accomplishing over a longer period of 
time. So if you look at the scorecard, it looks like we had 
this quantum leap in 1 year. I think the quantum leap was 
really in better reporting. The changes to get from a D to an A 
took place over a longer period of time than that.
    But to answer the other part of your question, I think we 
were driven by the fact that we were having failures daily in 
the system as we were trying to manage it. And the fact that we 
have a worldwide workforce, and the only way we can communicate 
with our staff around the world and get our work done is 
through our IT systems. And if they are not working, we just 
can't do our job. And so it was kind of out of necessity that 
we realized we needed to make big changes. And then as I said, 
the political and the career----
    Mr. Connolly. Well, I would just say you say that as if, of 
course, we had to, we had no choice. I'm looking at a really 
big neighbor of yours in the Federal family, maybe the biggest, 
and it hasn't concluded that and it's got a worldwide 
enterprise too. And they're getting an F instead of an A.
    So something happened in A that galvanized you to do it 
differently, to make different decisions, to set goals for 
yourself, that, unfortunately, our Defense Department has yet 
to do. And it could bat you person for person and then some in 
terms of overseas bases, operations, personnel and the like. 
Bigger, much bigger, and maybe you could argue more difficult, 
but it's as far up along as you are, and it has yet to make the 
decisions or show the political will you've shown.
    And that's what I'm trying to get it, what--because I think 
that's how we all learn. You know, go talk to USAID in terms of 
how they did it, and I'm trying to get you on the record to get 
some of the elements of how did you do it.
    And, Mr. Powner, feel free to jump in here, because I know 
you had something to do with this as well.
    Mr. Powner. Yeah. I think it's a combination of both. I 
mean, clearly the data cleanup was a part, but also there was a 
focus on some of these areas, you know, going small and 
reporting more risk and that type of thing. We saw big 
improvements there.
    It was interesting, because a lot of this data's been 
reported to OMB for quite a while. And honestly, most agencies 
don't really focus on that adequately enough. This scorecard 
really helped. And this is important--this is important 
reporting because it's savings. It's things that we can use to 
reinvest in the Working Capital Funds. So this isn't just for 
the sake of reporting. It's real stuff that we need to actually 
get more efficient with our operational side of the house so 
that we can invest and modernize the government more.
    Mr. Connolly. Yep. And by the way, Mr. Mitchell, I hope 
your answer to Mr. Gianforte about savings was only on that 
one, because it's critical that the CFO understand what savings 
are being effectuated here because that's how we incentivize 
other agencies to do it too, right? Here's the--here's the 
carrot, here's the reward at the end of this process, and 
that's reliability, savings, freeing up capital, really 
worthwhile investment, and a happier, more productive 
workforce. But some of that we can measure in actual dollars. 
And I commend to you that the CFO, as well as the CIO, has to 
be monitoring those savings. I assume you are.
    Mr. Mitchell. Yes, I am.
    Mr. Connolly. Okay. Okay. Let me just say--end by saying 
this, and maybe, Mr. Warren, you take the lead working with Mr. 
Powner at GAO, but all of you, I really think it's important 
that this be written up electronically, but how did you do it? 
What were the key decision points? How low did you have to go 
before somebody said enough already? And show others that it's 
doable and replicable. Because when we don't really want to do 
something, we're going to isolate you as saying USAID's unique, 
no one else is like them, sure they can do it, but no one else 
can really--and we don't want--that doesn't serve our purpose 
at all and it's not true.
    And Dave--Mr. Powner, I would urge that in your spare time 
we help do this. And hopefully, Mr. Hurd and Ms. Kelly would 
agree, there's real value hearing your story, and we want to 
spread that good news to other agencies that it can be done in 
a reasonable timeframe and there's a reward at the end of the 
rainbow. So again, thank you, and congratulations.
    Mr. Hurd. I'd just like the record to reflect that that is 
the least grumpy line of questioning I've ever seen from the 
gentleman from the Commonwealth of Virginia, which is a pretty 
significant feat.
    So, Mr. Warren, Mr. Mitchell, Mr. Mahanand, these don't 
always go this way, and thank you for what you do and thank you 
for the support that you're showing our men and women that are 
putting themselves in some very difficult and extraordinary 
circumstances. Thank you for being here.
    And again, the subcommittees will now briefly recess for a 
few minutes for a third panel.
    The subcommittee stands in recess, subject to the call of 
the chair.
    [Recess.]
    Mr. Hurd. The subcommittees will come to order.
    I'm pleased to introduce our third panel. Mr. Powner, for 
the third time today, thank you for being here. Ms. Maria Roat, 
CIO for SBA; Mr. Tim Gribben, CFO for SBA; and Ms. Althea 
Coetzee Leslie, the deputy administrator at the Small Business 
Administration. Thank you all for being here. Welcome to you 
all.
    And pursuant to committee rules, all witnesses will be 
sworn in before they testify. Please rise and raise your right 
hand.
    Do you solemnly swear or affirm the testimony you're about 
to give is the truth, the whole truth, and nothing but the 
truth, so help you God?
    Thank you.
    Please let the record reflect that all witnesses answered 
in the affirmative.
    Again, to allow time for discussion--and we're racing 
against the clock, the votes are likely to be called soon--
please limit your testimony to 5 minutes. The yellow light 
means you have 30 seconds; red, time is up. And please turn on 
the microphone.
    Mr. Powner, you're recognized for an abbreviated time for 
your opening remarks on this panel.

                           PANEL III:

                    STATEMENT OF DAVE POWNER

    Mr. Powner. Thank you, Mr. Chairman.
    SBA spends about $98 million on IT this year. About 80 
percent of this is used for operational systems, leaving just 
over 20 million for new development. This new development 
includes important efforts, like its Disaster Credit Management 
Modernization, which automates processing and approval for 
disaster loan assistance. SBA reports having spent over $100 
million--$150 million on this modernization in prior years.
    SBA's grades have consistently been in the D range, but 
their current grade is a C-minus. They're one of only three 
agencies whose grade went up.
    SBA scores best in incremental development, receiving an A 
in this area. Also, despite receiving a C in the data center 
area, SBA has plans to eventually close all but one of its 43 
nontiered or smaller centers, and plans to install necessary 
metering equipment by 2018. SBA also plans to exceed OMB's key 
server utilization metric of 65 percent.
    Turning to areas where SBA needs to improve, let's start 
with CIO tenure. Since 2004, there have been 10 CIOs at SBA, 
and the average tenure has been only 1.4 years. This is a major 
issue in why IT has not been effectively managed. Their 
software license inventory is not complete. They have a plan to 
complete this in early 2018.
    Finally, I'd like to note that our work for this committee 
on IT budgeting, contracting, and CIO authority shows 
additional areas where SBA CIO has challenges is in budget 
formulation and strengthening their IT workforce. However, 
regarding FITARA's requirement for CIOs to review and improve 
IT contracts, SBA's processes here are quite good.
    Mr. Chairman, this concludes my comments on the Small 
Business Administration.
    Mr. Hurd. Thank you, sir.
    And I believe Ms. Althea Coetzee Leslie will do the opening 
remarks for the SBA panel.
    You're now recognized for 5 minutes.

               STATEMENT OF ALTHEA COETZEE LESLIE

    Ms. Coetzee Leslie. Thank you.
    Mr. Chairman, ranking members, and committee members, thank 
you for the opportunity to discuss the SBA's implementation of 
FITARA.
    From July 2005 to October 2016, the SBA's OCIO leadership 
team experienced significant disruption with high turnover: 
eight different CIOs during that period. Further, prior to the 
current CIO's arrival in October 2016, the CIO position was 
vacant for over a year, from July 2015 to October 2016. 
Consequently, key programs like the Data Center Consolidation 
Initiative did not receive OCIO leadership attention.
    Immediately upon her arrival, the SBA CIO engaged in frank 
and honest conversations about the state of IT at the agency. 
The CFO responded in kind, and with the administrator's and 
CFO's support, the CIO embarked on a fast-paced journey to 
change how the SBA builds, buys, and manages information 
technology to support small business entrepreneurs.
    Over the last 12 months, actions taken by the CIO, in close 
partnership with the CFO, are transforming SBA from an agency 
impeded by outdated technology and unstable infrastructure, 
stovepipes, duplication and significant gaps, no cybersecurity 
strategy or operational control, to a proactive and innovative 
provider of critical business technology services to the SBA 
program offices and small business entrepreneurs.
    SBA's governance model is maturing with a focus on creating 
and expanding strong enterprise-shared services. Program 
governance requires that all stakeholders are represented, 
engaged, and aligned to achieve program success. For example, 
the CIO and CFO co-chair the SBA Investment Review Board that 
met six times in fiscal year 2017. The IRB reviewed every major 
investment at least once, and the board recommendations 
resulted in tangible program improvements.
    Additionally, the CIO conducted four major investment deep 
dives to review milestones, technology capabilities, funding, 
and risks. During one of these deep dives, the CIO identified 
and provided direction to correct specific contractual and 
roadmap-related issues in time to prevent further 
complications. The SBA recognizes that transparency is critical 
for value creation, and the CIO promotes transparency in our IT 
procurements to prevent duplication, cybersecurity threats, and 
stovepiping.
    Last year, the CIO reviewed and approved all new IT 
contracts above $150,000. And this year, the threshold has been 
reduced to $50,000 to ensure we achieve our short and long-term 
modernization objectives.
    It is our responsibility to communicate our IT goals, 
vision, and strategy with acquisition professionals to ensure 
that the entire organization understands the technical 
ramifications of individual purchases. I am proud to report the 
SBA is leading innovation as the first agency to deploy DHS's 
CDM system in the cloud. This has resulted in a significant 
cost avoided by not investing in hardware that would require 
future recapitalization. Further, it sets the stage and puts 
SBA ahead of other agencies for future DHS cloud-based CDM 
solutions that will further strengthen SBA's cybersecurity 
posture.
    Along with our modernization efforts in technology, we are 
building our IT workforce and working to attract new IT staff 
to critical positions. We launched an IT strategic workforce 
plan to be able to support future technology initiatives. And 
thanks to congressional approval, we realigned our digital 
services team under the CIO to deliver improved mission-focused 
services and capabilities.
    Through the implementation of the authorities contained in 
FITARA, our CIO is leading the charge in the achievement of 
agencywide IT goals. The SBA's actions taken over the last 13 
months are laying the foundation for the agency's 
transformation into future enterprise objectives.
    As we proceed in executing our enterprise IT plan, we will 
continue to strengthen information technology to ensure a 
reliable, secure, and high-performing computing environment 
necessary to enable the SBA to efficiently and effectively 
perform its mission.
    Thank you again for the opportunity to share SBA's progress 
on FITARA implementation, and we are ready to answer any 
questions you may have.
    [Prepared statement of Ms. Coetzee Leslie follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
      
    Mr. Hurd. Thank you.
    And because votes have been called, we're going to limit 
our questioning time to about 2 1/2 minutes. So, Mr. 
Gianforte, you're up first.
    Mr. Gianforte. Thank you, Mr. Chairman.
    So, Ms. Roat, sounds like you walked into a mess. And I'm 
just curious, what advice would you have for other Federal 
CIOs, given the experience you've had in trying to get your 
arms around it?
    Ms. Roat. Don't plan to plan, execute. Walking into a 
failing data center, our primary data center, we move very 
quickly. We had failing HVAC systems. Last November, I said 
very clearly to the team, no new hardware, period. And that's 
what embarked us moving forward on our data center, shutting 
down our primary data center, moving into the cloud very 
quickly, very fast. I brought in the right talent to do that, 
to be able to do that, and we executed. And it was driven by 
failing data centers, the gaps in technology, all of those 
things, and we executed.
    Mr. Gianforte. Okay. Just for my edification, where are you 
in the transformation to the cloud at this point, if you had to 
put a percentage on it?
    Ms. Roat. So for our primary data center, we've moved about 
40 systems already. We are not doing a lift and shift. We 
modernized everything first. So we did a migration, an actual 
architecture. We did a migration planning session, and we 
started execution of the migration in July of this year. So the 
200 systems that are in our primary data center, we've done 
about 40 right now.
    Mr. Gianforte. Okay. So what percentage would you say is in 
the cloud?
    Ms. Roat. That's roughly about 25 to 30 percent.
    Mr. Gianforte. Okay. And what success have you had in 
moving departments off of custom software compared onto 
commercial off-the-shelf software?
    Ms. Roat. To the extent that we're not building our own 
code, not doing our own coding, take advantage of commercial 
off-the-shelf software is a service, platform is a service, we 
are doing it. For one of our program offices, you know, they 
needed some investigation software. We're using a particular 
product, which is a software solution right in our cloud 
environment. So we are driving in that direction and getting 
away from actual hands-on coding.
    Mr. Gianforte. Okay. With that, Mr. Chairman, I yield back.
    Mr. Hurd. Robin Kelly, you're on the clock.
    Ms. Kelly. Mr. Powner, in GAO's assessment, I am assuming 
that you gave recommendations to SBA to improve their grades 
and software licensing. Is that correct?
    Mr. Powner. Yes. We've been working closely with SBA.
    Ms. Kelly. Okay. So, Ms. Roat and Mr. Gribben, do you 
believe you can implement these recommendations within the next 
year? And what do you think you can do? What do you think you 
can accomplish?
    Ms. Roat. For the software licensing, specifically there's 
three pieces to that we're taking into account. One is reducing 
the footprint of duplicative software. So that's the very first 
piece. We're reducing the number of licenses and providing the 
right level of software licenses to the users that need it.
    When you look at particular software platforms, you know 
there's different levels. We're making sure they're assigned. 
So we've already embarked on getting our arms around our 
licensing. In particular is we're moving into the cloud, 
getting our arms around that. We've put the monitoring tools in 
place.
    So we started a couple of months ago with this process in 
getting our arms around all of our software. And a year ago, I 
didn't have visibility into the entire enterprise; I do now. So 
that way that gives me the capability to be able to see what 
licenses are out there, what's deployed, not just on the cloud, 
but also on the desktop and the systems.
    Ms. Kelly. I don't know if you have any comment.
    Mr. Gribben. The only thing I would add to that is that as 
part of the budget execution process, the CIO has visibility 
into all of the IT requests of the program offices. And this 
year, we identified some offices that had some software 
licenses that would be better incorporated into an enterprise 
agreement that the CIO had already embarked on. So from that, 
we're reducing the software licenses, the one offsetter in the 
program offices.
    Ms. Kelly. Okay. It sounds like you're committed to making 
improvements, so we look forward to seeing your grades improve.
    I yield back.
    Mr. Hurd. Mr. Connolly.
    Mr. Connolly. I thank the chair.
    I just--gosh, at risk of destroying my reputation with the 
chairman, I think there's a lot of good news here. And a lot of 
it has to do, though, with having a CIO who, A, has the 
political will herself, but also a direct tie to the heavy 
agency so that she is empowered. And I assume you concur with 
that?
    Ms. Coetzee Leslie. Yes, we do. Our CIO has direct access 
to the administrator and myself as the deputy, and has also the 
authority to--or has control over authority to operate. And we 
have empowered her to do whatever is necessary to protect the 
agency and make sure that we are delivering the products as 
best we can.
    Mr. Connolly. Sounds like you were--before this CIO, Ms. 
Roat, it sounds like you were handing out glasses of hemlock or 
something, given the turnover that was occurring. So I don't 
know what you've done to make it a more pleasant and attractive 
place, but keep doing it.
    Ms. Roat, did you want to comment on that, not the hemlock 
so much?
    Ms. Roat. It's not the hemlock?
    Mr. Connolly. But the turnover and----
    Ms. Roat. While I can't speak to my predecessors, there 
were some very good people there. But I will say that I've got 
an incredible relationship with the CFO and then with access to 
the administrator and the deputy administrator. Myself and my 
deputy make the rounds informally about once a day in the front 
office. And we do have actual formal standard meetings and 
participate in many of the boards.
    Mr. Connolly. Just a final point. You actually met the 
metrics set by OMB on data center consolidation in terms of 
savings, as I understand it. Keep doing it, double down on it. 
I think that's really important, and that's how we reinvest in 
ourselves once the MGT legislation becomes law. Thank you, and 
congratulations on the progress you've achieved. Keep doing it.
    Ms. Roat. Thank you.
    Mr. Hurd. Thank you, Mr. Connolly.
    Mr. Powner, what do they need to do in order to get that N 
to a Y in the CIO reporting directly to the Secretary----
    Mr. Powner. It's just a lot of formal reporting. There's 
access, from what we understand, but in terms of the reporting, 
I don't see the direct reporting there to the dep secretary, to 
the assistant----
    Mr. Hurd. Ms. Coetzee Leslie, do you have any opinion on 
making that a more formal structure to ensure the CIO reports 
directly to you or Administrator McMahon?
    Ms. Coetzee Leslie. We have several changes that we're 
looking at with agency reform, and this is certainly one that 
we are considering.
    Mr. Hurd. That's great.
    Mr. Powner. And, Mr. Chairman, I would add, you know, I 
think what's really important here is we've got this history of 
1.4 years. Hopefully, Ms. Roat sticks around more than 1.4, but 
I think that change is important because, clearly, this is an 
executive team that we hear that is working well together and 
things are happening and there's great plans. But I think 
that's why that formality is important, the 1.4 history.
    Mr. Hurd. Ms. Roat, I'm sure you are expecting my question 
on your ability to answer whether you have 100 percent 
visibility of what's on your network.
    Ms. Roat. I do today. I did not a year ago.
    Mr. Hurd. And how are you deploying the CDM?
    Ms. Roat. We deployed CDM in the cloud. Last November when 
I said no new hardware on our data center, my team went back 
and they said but, but, but. And I said, but I want to put it 
on the cloud. And I said, why not? And I ask them that 
frequently, why not? And they went back to DHS and proposed it. 
DHS said let's go ahead and do it. And so we started small. 
Instead of buying 96 cores, spending all that money and all 
that hardware, we started small in the cloud, spinning up the 
virtual servers, adding on as we needed. So phase one we 
completed this summer. So, again, we're the first Federal 
agency to do it.
    Mr. Hurd. Awesome. Mr. Gribben, I'm sure you can expect 
what my question is going to be. How are you going to help Ms. 
Roat create the Working Capital Fund that MGT is going to give 
her, hopefully as early as tomorrow?
    Mr. Gribben. That is actually something that I'm going to 
have to work with the Office of Management and Budget and our 
appropriations committee. And how that would be implemented, 
currently what we do is any savings that are----
    Mr. Hurd. Let me stop you there. What conversations do you 
need to have with OPM--I mean OMB. Excuse me.
    Mr. Gribben. Most of the money we spend on information 
technology is 1-year money. And even with the reprogramming 
request into a Working Capital Fund, we'd still remain as 1-
year money.
    Mr. Hurd. But that's what the legislation is changing where 
the Working Capital Fund gives the ability to, once you program 
that money into a working capital fund, you have 3 years to 
gain access. So what you're going to ultimately need is 
guidance from OMB on the steps to making that happen.
    Mr. Gribben. Exactly.
    Mr. Hurd. I would welcome your suggestions on those kinds 
of guidance. We should be going to OPM in this--OMB, excuse me. 
And, Ms. Roat, your suggestions on how to do that would be very 
helpful as well to ensure that you have one more tool in your 
toolkit.
    Ms. Coetzee Leslie, do you have any final comments on 
creating a culture within the organization to ensure you have 
Ms. Roat staying there for more than 1.4 years?
    Ms. Coetzee Leslie. Well, I've been telling everybody on my 
road trips and every forum that I attend and where I speak 
that, other than Disneyland, the SBA is the happiest place on 
Earth, and we intend to keep it that way. With the current 
administrator and the leadership team that's there now, we have 
a very, very functional team, and look forward to continuing 
that relationship and keeping Ms. Roat happy.
    Mr. Hurd. Excellent.
    Mr. Powner, you're a prince. Your team is amazing. Thanks 
for all the effort and work that you do on the scorecard, the 
minority and majority staffs' work on this. I really do think 
it is a tool that we are starting to see real changes across 
the Federal IT infrastructure.
    And for all of our witnesses, thank you for appearing here 
today.
    The hearing record will remain open for 2 weeks for any 
member to submit a written opening statement or questions for 
the record.
    If there's no further business, without objection, the 
subcommittees stand adjourned.
    [Whereupon, at 4:29 p.m., the subcommittees adjourned.]

 
                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
               
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]