[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
FITARA 8.0
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON GOVERNMENT OPERATIONS
OF THE
COMMITTEE ON OVERSIGHT
AND REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
JUNE 26, 2019
__________
Serial No. 116-40
__________
Printed for the use of the Committee on Oversight and Reform
Available on: http://www.govinfo.gov
http://www.oversight.house.gov or
http://www.docs.house.gov
___________
U.S. GOVERNMENT PUBLISHING OFFICE
37-281 PDF WASHINGTON : 2019
COMMITTEE ON OVERSIGHT AND REFORM
ELIJAH E. CUMMINGS, Maryland, Chairman
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Harley Rouda, California
Katie Hill, California
Debbie Wasserman Schultz, Florida
John P. Sarbanes, Maryland
Peter Welch, Vermont
Jackie Speier, California
Robin L. Kelly, Illinois
Mark DeSaulnier, California
Brenda L. Lawrence, Michigan
Stacey E. Plaskett, Virgin Islands
Ro Khanna, California
Jimmy Gomez, California
Alexandria Ocasio-Cortez, New York
Ayanna Pressley, Massachusetts
Rashida Tlaib, Michigan
Jim Jordan, Ohio, Ranking Minority Member
Justin Amash, Michigan
Paul A. Gosar, Arizona
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Jody B. Hice, Georgia
Glenn Grothman, Wisconsin
James Comer, Kentucky
Michael Cloud, Texas
Bob Gibbs, Ohio
Ralph Norman, South Carolina
Clay Higgins, Louisiana
Chip Roy, Texas
Carol D. Miller, West Virginia
Mark E. Green, Tennessee
Kelly Armstrong, North Dakota
W. Gregory Steube, Florida
David Rapallo, Staff Director
Wendy Ginsberg, Subcommittee Staff Director
Yvette Badu-Nimako, Director of Policy and Counsel
Joshua Zucker, Assistant Clerk
Christopher Hixon, Minority Staff Director
Contact Number: 202-225-5051
------
Subcommittee on Government Operations
Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of Columbia
John Sarbanes, Maryland
Jackie Speier, California
Brenda Lawrence, Michigan
Stacey Plaskett, Virgin Islands
Ro Khanna, California
Stephen Lynch, Massachusetts
Jamie Raskin, Maryland
Mark Meadows, North Carolina, Ranking Minority Member
Thomas Massie, Kentucky
Jody Hice, Georgia
Glenn Grothman, Wisconsin
James Comer, Kentucky
Ralph Norman, South Carolina
W. Steube, Florida
C O N T E N T S
----------
Hearing held on June 26, 2019
Witnesses
Ms. Suzette Kent, Federal Chief Information Officer, Office of Management and Budget
    Oral Statement
Ms. Carol Harris, Director, IT Management Issues, Government Accountability Office
    Oral Statement
Mr. Gary Washington, Chief Information Officer, U.S. Department of Agriculture
    Oral Statement
Mr. Jason Gray, Chief Information Officer, U.S. Department of Education
    Oral Statement
Mr. Eric Olson, Chief Information Officer, U.S. Department of the Treasury
    Oral Statement
Written opening statements and statements for the witnesses are
available on the U.S. House of Representatives Document
Repository at: https://docs.house.gov.
No additional documents were entered into the record during this
hearing.
FITARA 8.0
----------
Wednesday, June 26, 2019
House of Representatives
Subcommittee on Government Operations
Committee on Oversight and Reform
Washington, D.C.
The subcommittee met, pursuant to notice, at 4:07 p.m., in
room 2154, Rayburn House Office Building, Hon. Gerald E.
Connolly (chairman of the subcommittee) presiding.
Present: Representatives Connolly, Norton, Khanna, Meadows,
Massie, Grothman, and Jordan.
Mr. Connolly. The subcommittee will come to order. And
without objection, the chair is authorized to declare a recess
of the committee at any time.
This subcommittee is convening our eighth biannual hearing
to assess FITARA, the Federal Information Technology
Acquisition Reform Act, and other information technology laws.
I want to recognize our two witnesses on the first panel.
Very brief--I'm going to recognize myself very briefly for an
opening statement.
FITARA, from our point of view, is a tool that can be used
for change agents within Federal agencies to come into the 21st
century to make ourselves more efficient, to achieve economies,
to improve productivity and morale while also better serving
the American people. Not doing that has huge costs including
compromising data, big databases that we are charged as the
Federal Government with protecting. And so after we passed
FITARA, we wanted to make sure that what happened to FITARA was
not what happened with Clinger-Cohen, its predecessor law,
where both authors of the legislation left Congress, and there
was really nobody who felt they were vested in making sure that
law did what it was intended to do. We wanted to make sure that
did not happen.
And so I think by now it's pretty clear that our committee
is as committed as ever to insisting on implementation of the
law. We create a scorecard working with GAO that's designed to
incentivize that cooperation and that reform so that we can
achieve all of the valued goal, as I just enunciated. It's not
designed to burn a scarlet letter on an agency's back or a
CIO's back. It is designed to be a tool to incentivize change
for the good. And that's the spirit in which we are going to
have today's hearing.
We are glad that there are agencies that are showing steady
progress. And we believe that there are some agencies that
would show even more progress had they not fallen back on the
CIO reporting sequence in the organization chart or if they
had, in fact, adopted that as a reform. We want to see a
reporting sequence that makes sure that the chief CIO is
reporting to the boss. And that's our goal. And you get scored
on that if you're not doing it.
So anyway, we're going to get on with the hearing. I want
to thank everyone for their patience with the House schedule,
both this subcommittee and the floor votes. Sorry to keep
everybody waiting, but that was beyond my control or Mr.
Meadows' control.
And it now gives me great pleasure to recognize my friend,
the distinguished ranking member and the former chairman of
this subcommittee, and my partner in crime, Mr. Meadows.
Mr. Meadows. Thank you, Mr. Chairman. Thank you for your
leadership. I'm going to be extremely brief because of the
lateness of the hour.
Thank you both for being here. Some of you have made
recommendations in terms of direct reports on CIOs. I can tell
you that, having a conversation with NASA, I think they're
going to address that. And so the bottom line, we're paying
very close attention to it. We're working in a bipartisan
fashion. We want everybody to understand the score cards are
meaningful to us, and eventually they're going to be meaningful
to the agencies because we're working to attach dollars both as
penalties and rewards to that, because I believe that if you're
getting good responses, you ought to be rewarded.
I can tell you that I took a visit over to OPM the other
day. And the way that we're doing Federal benefits is archaic.
We have got to change that. And I am willing--you know, this
fiscally conservative Republican is willing to spend money to
get it done. So this is a critical piece.
And with that, thank you both for coming to testify. Thank
all the staff. Listen, I know the work gets done, many times
without a lot of applause. But I want to applaud everybody
who's trying to make this work. And I thank the gentleman for
his leadership on the Connolly Issa bill.
Mr. Connolly. My friend is too kind, and I thank him.
So for our first two witnesses, we have Suzette Kent, who
is the Federal chief information officer from the Office of
Management and Budget. I think this is your first time before
us, Ms. Kent; is that correct?
Ms. Kent. This is my second.
Mr. Connolly. Second. Okay. Well, welcome back.
And Carol Harris, who, of course, is the director of IT
management issues at the Government Accountability Office.
If you would both rise, please. We swear all of our
witnesses in here at the committee.
And if you'd raise your right hands, do you swear or affirm
that the testimony you're about to give is the truth, the whole
truth, and nothing but the truth, so help you God?
Let the record show that both of our witnesses answered in
the affirmative. Thank you.
Mr. Connolly. The microphones are sensitive, so please
speak directly into them. Without objection, your full written
testimony will be made part of the record, so I would ask you
to verbally summarize your testimony as best you can within the
five-minute window. With that, Ms. Kent, over to you.
STATEMENT OF SUZETTE KENT, FEDERAL CHIEF INFORMATION OFFICER,
OFFICE OF MANAGEMENT AND BUDGET
Ms. Kent. Thank you, Chairman Connolly, Ranking Member
Meadows, and members of the committee, thank you for having me
here today. I'm honored to be here to discuss FITARA and
technology topics that are of vital importance to empowering
agencies to achieve their missions. As you open, FITARA is more
than just a law and a scorecard; it serves as a vehicle for how
we communicate involving priorities and a measure to
demonstrate progress.
This administration continues to emphasize the FITARA goals
through the IT modernization goal in the President's management
agenda and in the executive order on CIO authorities. Our
government's ID policies must be as nimble and iterative as the
global technology industry and the changing nature of the
threat landscape we're addressing. This intent drove our policy
updates in 2018 and 2019.
Some of those policies had not been updated in almost a
decade. We also sought to update how we measure success, so the
council provided recommendations to GAO and to this Oversight
Committee around how we continue to enhance the FITARA
scorecard and continue to make it meaningful in driving
progress.
Additionally, we are focused on making metrics and measures
data driven, publicly available, and continuous through the
websites. We made great strides in IT modernization in the last
two years. I'll highlight a couple of quick examples.
Increasing adoption of commercial cloud email from 45 percent
to 72 percent. That's 1.8 million mailboxes now. We closed 150
enterprise datacenters.
All 23 civilian CFO act agencies have hit defined targets
for data exfiltration detection and 21 have met targets on
mobile device security, and our technology modernization fund
projects have yielded playbooks and working strategies that can
be easy--easily replicated to accelerate agency systems
migrations.
We've updated policy on high value assets, identity and
credential and access management, cloud smart, datacenter, and
delivered for the first time a Federal data strategy with a
one-year action plan. And in May, various agency CIOs, OMB
policy leaders, and I met with congressional staff members of
this and other committees to walk through all of those policy
updates and how those actually drive progress forward for
enhancements. The recently released cloud smart strategy is a
great example of how we remove barriers.
Three key areas prevented adoption of cloud and
technologies that were addressed in the update. Security. How
we move from a perimeter-based model to a data-centric model.
Procurement. Agencies had to adjust to these new consumption-
based models, and most important, how we address and develop
the Federal work force to operate effectively in these new
paradigms.
It also includes a directive for agencies to develop an
application rationalization road map. This road map is critical
and it defines what can move to the cloud and helps inform the
datacenter needs and helps us define those targets for what
will be closed.
The CIO Council has recently released the application
rationalization playbook to help agencies achieve this task.
Since datacenter optimization is also important to this
committee, I'll briefly comment on a couple of pieces of
division in the new policy. We closely studied the data
collected under the original memo and working with agencies, we
identified ways to streamline the closure process and clearly
identify facility types that will continue to be needed for
agency mission specific reasons. We included these learnings in
the updated policy, which does focus on enabling aggressive
closure with specific targets by agency and ensuring efficient
operations where datacenters deemed to be a key mission
facility that's part of that agency's mission.
Last year when I testified to this committee, I highlighted
work force challenges and any technology transformation the
people that are charged with acquiring, deploying, and
operating in that new environment are ultimately the key to the
transformation success and we must invest in providing the
experiences that our work force needs to keep their skills
relevant.
Next month we will be celebrating the graduation of our
first Federal cyber reskilling academy and we will have kicked
off our second cohort. These initiatives are a way that we're
investing in our current, dedicated, and qualified Federal
employees to both enhance their careers, but simultaneously
address our work force gaps in the technology area.
As the reskilling model proves itself, we hope to replicate
it for other skill areas and we endeavor to make this approach
a standard operating procedure, not just a onetime special
project.
So in closing, our continued coordination with Congress is
key to making government modern, secure, and mission ready. We
know that the American people expect our Nation to be a world
leader on every front including technology and cybersecurity.
In this discussion today, we know that agencies are making
progress, but modernization and battling cybersecurity threats
are a continuous journey and there's much more to do. With the
support of Congress, we will continue to raise the bar in
agency performance, and overall empower agencies to leverage
technology to enable their mission, to improve the citizen
services and be effective stewards of taxpayer money.
Thank you for the opportunity today, and I look forward to
answering your questions.
Mr. Connolly. Thank you, Ms. Kent. And when you go back to
OMB, you're going to be able to say, I'm the one person in this
White House who went to a hearing on impeachment and subpoenas
and nothing like that was discussed at all.
Ms. Kent. Yes, sir.
Mr. Connolly. Ms. Harris?
STATEMENT OF CAROL HARRIS, IT MANAGEMENT ISSUES, GOVERNMENT
ACCOUNTABILITY OFFICE
Ms. Harris. Chairman Connolly, Ranking Member Meadows, and
members of the subcommittee. I'd like to thank you and your
staff for your continued oversight on IT management and
cybersecurity with this eighth set of grades.
Overall, five agencies' grades went up, four went down, and
11 remained the same. HHS and NASA's overall grades were
lowered because their CIOs no longer report to the head or
deputy of the agency. This is also the first time in which four
agencies received two grades, which we prepared at your request
in response to changes to OMB's datacenter initiative.
I'd like to briefly comment on this and other selected
areas of your scorecard. I'll first start with the dashboard
portfolio stat areas. Thirteen agencies' grades were increased
by this committee as a way to recognize a significant progress
made in these areas governmentwide since scorecard 1.0 4 years
ago. This progress would not have happened to this extent
without your scorecard in oversight.
I'll turn to FISMA next, which is now included in the
scorecard methodology. Its inclusion had a generally negative
effect as there were 12 agencies with either a D or an F. Only
one agency, NSF, received an A and four received a B.
Next, Incremental Development. This area now captures
projects that are not primarily software development in nature
such as a non-IT acquisition with the tech component. This
change, which was previewed in scorecard 7.0 was suggested by
the CIO Council and makes this area more comprehensive. As a
result, we saw ten agencies' grades in this area decrease while
three agencies went up.
And last, with respect to datacenters, you asked us to show
a set of overall grades that use the datacenter grades from 7.0
as well as another set that excluded these grades entirely. If
datacenter grades were included, HUD and EPA's overall grades
would increase and VA and SSA's grades would decrease. The
reason for the two sets of grades relates to OMB's changes to
its datacenter optimization initiative.
Among other things, OMB's guidance revises the
classification of datacenters and datacenter optimization
metrics. For example, OMB will no longer require agencies to
maintain inventories of their smaller nontiered datacenters
which make up about 80 percent of the government's facilities.
If these changes are implemented as is, the committee will lose
the ability to track and measure progress in this area since
the initial scorecard because the baseline for comparison will
have changed.
Moreover, the changes will likely slow down or even halt
important progress agencies should be making to consolidate,
optimize, and secure their datacenters.
Mr. Chairman, this concludes my comments on the overall
scorecard. I look forward to your questions.
Mr. Connolly. Thank you so much. Let me begin. Ms. Harris,
we're here to talk about the implementation of a law, correct?
Ms. Harris. Correct.
Mr. Connolly. When it comes to datacenters, what is the
language of the law?
Ms. Harris. The language says that agencies should have a
comprehensive datacenter inventory.
Mr. Connolly. And what's the goal besides an inventory?
Ms. Harris. The goal is to consolidate.
Mr. Connolly. Correct. That's the verb. We say I believe in
the law, consolidation, and optimization, but consolidation
goes first and it means something presumably other than
optimization, would you agree----
Ms. Harris. Yes.
Mr. Connolly [continuing]. since we use both words?
Ms. Harris. Yes.
Mr. Connolly. Ms. Kent, one of the concerns we have,
although your memo delivered to us on June 25 adds some clarity
that may be reassuring, but since we got a hearing, our concern
is that when OMB gives guidance on optimization and exempts 80
percent of the datacenters from specific inventory plans, you
are--you're skirting the intent of the law.
The intent of the law was always to identify how many
datacenters we had, which was a struggle, and then cut them in
half and then cut them in half again. That was the goal. It was
set by your predecessor in the early years of the Obama
Administration, actually. In those days I think we thought we
had 1600, and so the goal was initially by the administration
cut it to 800 and my bill said, no, we're going to do that
again, cut it to 400. And that's what we put--we didn't put
that number, but that's--that was what we incorporated into
FITARA.
What we discovered was that, of course, what we got really
good at was identifying more. And so we didn't have 1600, we
had whatever it was, Ms. Harris, 12,000, 14,000, and so at some
point we thought, well, good that you're getting better at
counting, but the goal here is to be more efficient, move to
the cloud, don't have all these little stovepipes all over the
place, and I know you share that goal.
So I want to give you the opportunity to talk about, well,
what is it that OMB is doing in emphasizing optimization and
exempting from, sort of, our audit here 80 percent of the
datacenters that exist because we're afraid that whatever your
intent, the consequence is we won't capture that and we will
not effectuate the savings the law was intended to encourage.
Ms. Kent. Thank you for your question, sir, and the
opportunity to talk about it. And first statement of intent is
to comply with the law.
Mr. Connolly. We are relieved.
Ms. Kent. You referenced changing various numbers over
points and time, and that was one of the components of the
analysis was that there were things that had been included that
included rate things for printers and weather stations and
things that weren't necessary--MRI machines weren't actually
classified as a datacenter, so some of the things are trying to
address what actually operates as a datacenter and we intend to
close. And that is very specific in the new guidance.
But we also understand and very clearly from talking with
agencies, there are some reasons where we will continue to
operate a datacenter, a super computer site, something that is
needed for resiliency, special needs of agencies that we
believe are very important and we want to ensure those are
being operated efficiently and securely with the intent of this
committee.
But we also found out something else that's included in the
cloud strategy. One of the barriers to making progress from
closing those remaining datacenters and the IT dashboard has
the target, by Fiscal Year for each of the agencies that was
developed at the agency level, but in some cases, the
application rationalization work is not complete. So they don't
have an identified target for whether it's moving to the cloud
or what we're going to do with it, so that's the part of the
application rationalization playbook that's included in cloud
and you will hear some agencies, they've met their target,
they've done a fantastic job, but other agencies have more work
to do.
Mr. Connolly. How long have you worked in government?
Ms. Kent. Sixteen months today.
Mr. Connolly. All right. So sometimes with the best of
intentions and trying to be flexible, we send signals we did
not intend to send and that's our concern. We don't want a
rigid, mindless mentality, and you've--everything you said I
can agree with and I know Mr. Meadows could too, but both of us
come from private sector backgrounds and I also come from a
public sector management background and I'm a big believer and
I think--I know Mr. Meadows is too, in setting metrics because
that's goal setting.
So at the end of the day, yes, we want to be flexible, but
what we felt--and I still do feel, we've got to set metrics. So
Agency X, we all agree you've got 340 and after some
consultation and all that, the goal is to reduce a hundred of
them because the others you need or cut it in half.
Once we do that, let's set that and hold people to that
metric and we're willing to work with you on that. What we
obviously don't want is a circumvention and a dilution of the
goal and we're nervous optimization gives a lot of wiggle room.
And it's easy for somebody to say I have 3,420 of them and
I need every one of them. Every one is precious, and we're not
going to change a thing. Or wait you out because, after all,
you've used this weaker word optimization, which doesn't really
require me to do something specific and so I know that's not
your intent, but you hear my concern and my experience is,
sometimes you've got to give very clear direction and set very
explicit metrics in order to accomplish something.
Ms. Kent. I hear your concern. I look forward to continuing
to talk with the committee because I think we are being
extremely explicit and actually in the opening of the guidance,
it specifically says, any plans to open new or expand have to
be approved by OMB as well as the closure intent is part of
their strategic planning and reporting in the capital planning
process.
Mr. Connolly. And as I said at the beginning, I'd be more
worried but I think your memo of June 25 does, I agree, it's
reassuring in some ways.
Ms. Kent. Thank you, sir.
Mr. Connolly. Not 100 percent, but maybe we're all on the
same page. So all right. I saw you shake your head in agreement
about the CIO reporting to the boss and I want to give you an
opportunity given your title and your position to maybe talk
about that. I think, again, both Mr. Meadows and I know Mr.
Hurd if he were here and Ms. Kelly if she were here, our
experiences, especially in bureaucracies--and I don't mean that
in a pejorative way, but big, large organizations who you
report to matters a lot.
Ms. Kent. Yes, sir.
Mr. Connolly. If you report to the deputy assistant under
widget manager in the bowels of the basement, everyone can
figure that out and it's how fascinating you've got an opinion
about what I should do with my IT, but I'm going to listen to
him because he's the assistant secretary or the secretary or
whatever he is.
When you report to the boss and everyone knows you report
to the boss, that carries weight and we want to empower a CIO
to have that relationship and to carry that kind of weight and
make those kinds of decisions. I think Ms. Harris indicated
that in the case of two agencies had they done that, they would
have had A scores. Is that correct?
Ms. Harris. Yep. That's correct.
Mr. Connolly. Yes. So we're missing an opportunity here.
How can we better encourage that org chart and that hierarchy
of efficient responsibility so that we're all doing better?
Ms. Kent. Thank you for the opportunity to comment on that.
We do share that concern and are very focused on not just the
reporting relationship from the perspective of reporting to the
boss, but ensuring that we have technology as a mission enabler
and they are absolutely clear with the direction from the top
about what the priorities are and what set out to be
accomplished by that agency.
We shared your concerns with the agencies that moved
backward, we had direct conversations with them as well, and
appreciate your continued support in emphasizing that both
through law, through guidance, and through an executive order,
directives have been issued. We're going to continue those
conversations and I do believe, though, that in--it's a
conversation with GAO and some of the scorecard reporting
relationships, there are agencies who have made recent changes.
They recognize the intent. I've had opportunity to be with at
least three of those agencies in conversations with the
Secretary and the CIO with clarity around priorities, budget,
and resource needs. So we will continue to focus on it, your
support in those that moved backward is much appreciated.
Mr. Connolly. Thank you, and I have overstayed my welcome.
So I know my friend, Mr. Meadows, has, in fact, directly
engaged in one of these questions to good effect. Mr. Meadows?
Mr. Meadows. Mr. Chairman, thank you for continuing to make
this a priority. I know this is not our first, second, or third
FITARA hearing. It won't be our last and for both of you, thank
you for your testimony.
Obviously Ms. Harris, thank you for continuing with your
fine folks at GAO to guide us through on what we believe is--
will ultimately be a good tool. I don't know that we're there
yet. I think my perspective is that it's a work in progress and
even with the way that we changed the grading just recently to
make sure that some of the unintended consequences are not
there.
So Ms. Kent, one of the areas that we've got to be aware of
is, as we start to see how agencies game the system, and I say
game the system in that, you know, it's basically figuring out
how the scorecard works and how you can either underreport or
overreport to create a better grade and so we're trying to
address that.
Getting back to the point that the chairman made just a few
minutes ago as it relates to datacenters, so I'll give you the
cheat sheet. There is nothing more important to him than
getting rid of datacenters and he can look at all the scores on
this FITARA scorecard and if you're messing up on datacenters,
you're going to have a problem. All right? So I just--Ms.
Harris, would you agree with that?
Ms. Harris. I would absolutely agree with that.
Mr. Meadows. And so in doing that, here's what I would ask
for greater clarification than what we have. The word
``optimization'' when we look at that, you know, you can
optimize this and it doesn't necessarily mean that we're
changing anything and so here's what I would ask is, if you
could provide this committee with some--and GAO with guidance
on what optimization actually means. I mean, are we looking at
70 percent capacity on servers? Are we looking at redundancy of
X percentage? What does it mean because what it means to one
agency will be very different than--and, actually, probably,
should be different for some agencies.
You certainly want redundancy in some areas of the
government with greater--with the need for greater reliability
than others. That being said, we need to define that and make
sure that Ms. Harris and her team has the proper input.
One of the concerns is that the quality of the data that we
continue to get is a hodge podge, and so I need to make sure
that that gets prioritized, if you can, and if you're running
into a problem, here's, I think, the chairman and I would
agree, you just call us, we'll be glad to raise it to the very
highest levels within those agencies.
I know when Ms. Harris the other day mentioned the direct
report for the NASA administrator, I'm one of the few that have
had the privilege of knowing the previous NASA administrator
under the previous administration and thinking incredibly
highly of him and what he was able to accomplish.
I also have a personal relationship with the new NASA
administrator and so I sent him a text and just said, listen,
this is not good. You're getting dinged on the scorecard. He
responded back promptly, we're going to take care of it and
those are the kind of things that I think all of us just want
to see, is just that willingness to say, golly, we didn't know
it was a problem, especially when you have a transition from
administration to administration, but that's the other key
point, I guess.
And what I would love to see from you, Ms. Kent, is the
processes in place that when we change an administration, we
don't go backward. I think there's a real--and it's not a ding
on this administration or the prior administration that have,
you know, been able to deal with FITARA, but it's a real
problem that we are going to have going forward is the minute
you get a new political appointee in there, if they don't
realize that it's a big deal, then we're going to have the same
thing with somebody that's here for 16 months saying, golly
gee, I didn't know it was a problem.
So is that something that you can work with the committee
in terms of establishing those for us?
Ms. Kent. Yes, it certainly is. And I appreciate our
ongoing discussions. The phone call from Members of Congress
certainly seems to assist in getting action and we would very
much like to talk through the details on the guidance on what
we are holding agencies accountable when we say optimization.
It's some of the things that have been part of the baseline and
been defined, and I would add one more point on the CIOs. We're
at a point today as reflected in the scorecard for the first
time where we have 22 of 24 that are actually permanent and not
acting, and that is--as you look over the history of the
scorecard, that's an important accomplishment.
Mr. Meadows. And that's to be applauded. It truly is.
Ms. Kent. And it lets us move forward as you have said and
have some consistency as we go forward, so I do look forward to
taking those followups back to this committee.
Mr. Meadows. I yield back.
Mr. Connolly. I thank my friend and I reiterate his offer.
Another way of putting it as, he and I are Alphonse Gaston and
I'm not going to say which is which, but it's all good.
The gentlelady from the District of Columbia, our friend,
Eleanor Holmes Norton.
Ms. Norton. Thank you very much, Mr. Chairman. I think this
is a timely hearing given what we learn was the state of IT, of
technology in the Federal Government, how behind the Government
of the United States was, so I'm interested in how we're doing
in catching up.
Now it looks like we made a decent start, 90 million in
funds allocated during that first year, so the first thing I'd
want to know since this is so new is, examples of modernization
projects that have been done. What have you done with the money
particularly given reductions in appropriations which perhaps
we could help get if we could have some examples, good examples
that speak to the public and speak to the Congress about what
you've done with the pretty good start. You had $90 million in
the fund I'm interested in is the technology modernization
fund.
Ms. Kent. I'd be very excited to share some of those
successes with you and I'll frame a couple of things. Just in
the time since the board has started, so a little over a year,
we looked at over 50--or approximately 50 proposals that would
have totaled almost $600 million. Now, as you pointed out, we
only funded a very small set of approximately--that represented
$90 million and those were projects that had not only agency
benefit, but all of government benefit and I'd like to tell you
the--share the success stories of a couple.
You will hear later from USDA, one of the initiatives that
they undertook was consolidation of multiple portals for
farmers.gov to provide an enhanced services for things that had
been spread out and created an environment that was not only
the most effective from customer service, but from--or farmer
facing, but from a maintenance perspective, more costly and
less efficient.
In the case of HUD, they have eight applications that are
COBOL applications that are core applications to their mission
and they brought forward two of those as a pilot to learn both
the tools, the process, and the playbooks to convert that from
COBOL to Java and not disrupt the business. And that's a
really exciting part of what they are achieving is, they've
been able to take 1.2 million lines of code and convert it and
not disrupt the business.
Ms. Norton. Is this a competitive process? Is this based on
who will cost you less while saving you some money in this
fund? How do you judge?
Ms. Kent. That's a great question.
Ms. Norton. They compete against one another, or how?
Ms. Kent. So in what was actually laid out in the law,
there were specific intents--modernization, implementation of
shared services, work force transformation, large broad scale
transformation. There was also a very important component that
the benefits from the initiative could pay back the funds that
they received, so not every project actually has--and they have
to pay it back in a very specified timeframe under a definition
of----
Ms. Norton. Are they doing that, by the way?
Ms. Kent. They are doing that. They are doing that. As I
said, we started a year ago and this is the first time we will
have money coming back on schedule as planned----
Ms. Norton. Your appropriations----
Ms. Kent. I'm sorry?
Ms. Norton [continuing]. fell, though, tremendously from
that healthy $100 million in that first year to only $25
million in 2019, so giving--excuse me?
Ms. Kent. Yes, ma'am. It certainly has moved.
Ms. Norton. That's a huge reduction. I'm not sure why, but
I'd like, since this was supposed to be a full cost recovery
fund, how does that work and are you concerned about the funds'
ability to remain solvent?
Ms. Kent. It is full cost recovery and I appreciate
Congressman--Chairman Connolly's support for the technology
modernization fund. We did request additional funds because we
saw the worthiness of all these projects coming forward and in
many cases with the agencies and I would invite you to speak
with our team at USDA in the next panel. The agencies were able
to accelerate things that they would not be able to do in
normal course of business and they have a payback plan.
And one of the other very large benefits that we saw and I
know that Department of Energy, USDA, HUD, and GSA have shared
is that it brought the CIO and CFO communities very close
together because they had to reconcile the spend and the
payback plan and what the benefits look like in a way that they
have never been tasked to do before to ensure that it is cost
recoverable, so we very much appreciate----
Ms. Norton. Do you think you can remain solvent?
Ms. Kent. Yes, we can remain solvent with that amount. It
limits what we can do----
Ms. Norton. I see.
Ms. Kent [continuing]. and the projects we can--we
absolutely have the plan for solvency, but it limits the number
of projects and the acceleration of modernization that we can
do going forward.
Ms. Norton. That's my concern, Mr. Chairman. Thank you very
much.
Mr. Connolly. Thank you.
And if I could, just before I call on you, Mr. Grothman, if
I may, just quick, Ms. Harris, the fund that Ms. Kent and Ms.
Norton were just talking about Congress created. Originally we
had pretty large amounts of money in mind. That got whittled
down and whittled down and whittled down in order to be able to
sell the idea of the authorization.
Do you believe that we have critical mass that this fund as
currently funded is viable or, put differently, can actually
make a difference, be the catalyst we intended it to be for
people to retire legacy systems?
Ms. Harris. I don't believe so, Mr. Chairman. With fewer
funds to award, the TMF cannot recover as much in their
administrative fees. So when Ms. Norton is asking about
solvency, we have preliminary analysis that shows that the
office's operating cost through Fiscal Year 2020 will exceed
the administrative fees to be collected from these awarded
projects. So our suggestion and--is for the TMF fund to be
fully funded at that $438 million level to continue the good
work that Ms. Kent is elaborating on.
Mr. Connolly. I think that this is something we can find
some common ground on, and we need to work in the next budget
cycle hopefully together so we have a number we can all agree
on that is meaningful, gives us the criticality we need, and
that can incentivize agencies to do the very thing you were
describing, Ms. Kent.
And finally, just both of you, on--I know this is on behalf
of Mr. Hurd as well as all of us, but one of the things we
encountered was agencies saying, well, we're creating a fund
within our agency to be able to capture the savings effectuated
in FITARA, but our lawyers are telling us we can't use them, we
can't put money in them because that's an appropriations
function.
Now, some agencies I don't think seem to have that problem
but others do. Just real quickly, do you both believe that we
need to fix that legislatively, or can that be done
administratively with guidance from OMB?
Ms. Kent. We believe in some of the cases it has to be
fixed legislatively and there is wording proposed at the
committee level. We had proposed some blanket language that
would apply to all agencies. That has been turned down multiple
times. So we have gone very specifically to individual
agencies, and in some cases, through those committees, that has
been approved.
We have some requests and Education is one of those
directly at the committee level for various technical
enablement of those funds for agencies who don't have a similar
vehicle or need to fund or operate out of that working capital
account.
Mr. Connolly. Ms. Harris.
Ms. Harris. Mr. Chairman, I think----
Mr. Connolly. Could you speak up?
Ms. Harris. Yes. Mr. Chairman, when MGT was passed, I mean,
the intent was that that transfer authority would be there. So
while I'm not a lawyer, it kind of boggles the mind that you
would need additional legislation in order to offer that
transfer authority so that MGT could be----
Mr. Connolly. I know Mr. Hurd would share your view and so
do I. And I don't speak for Mr. Meadows, but he's here. He can
speak for himself. But our view is the law is the law. We
passed the law. It's quite clear what the intent is. And to
have a sudden hurdle from inside agency attorneys saying, well,
no, you can't do that, certainly thwarts the intent of the law,
that that may not be their purpose but that's the effect. And
so we will do what we have to do, but we would share, I think,
your initial reaction, Ms. Harris.
Mr. Meadows, did you want to comment on that?
Mr. Meadows. Well, I just agree. And what I'd like to do----
Mr. Connolly. You do agree?
Mr. Meadows. I do agree.
Mr. Connolly. Yes.
Mr. Meadows. And, Ms. Kent, what I would like to do--I
think congressional intent was clear. I think general counsels
in different agencies maybe are a little unclear in what we
believe we were clear about. And so in doing that some guidance
I think would go a long way, and if we need to do a little
research and a little push on our end to support that, I'm
willing to do that.
Ms. Kent. I'd be happy to share the specific examples with
you and appreciate your support.
Mr. Connolly. Yep. That would be very helpful. I thank my
friend.
Mr. Khanna, the gentleman from California.
Mr. Khanna. Thank you. Well, first, Chairman Connolly, I
want to recognize your leadership for having the FITARA
guidelines become law and really bring some accountability to
technology in government. And I want to recognize our ranking
member, Representative Meadows, for also his understanding on
technology.
You know, I represent Silicon Valley, and probably the
biggest thing that surprised me when I got to Congress is some
of the technological illiteracy in this place. There was one
hearing, I'm not going to mention the Member, who held up
his iPhone and started berating the Google CEO telling him how
he couldn't track the iPhone. And the Google CEO was patiently
explaining that Apple made the iPhone.
I appreciate, Ms. Kent, your leadership coming from a
technology background. When I'm pressed to say what part of the
administration I liked, I often cite you and Matt Lira. And I
appreciated your work on the IDEA Act, which coincides with
FITARA and was bipartisan legislation that we all passed. And I
would like to know what is the status of the implementation
guidelines for that legislation?
Ms. Kent. Thank you for your question, sir, and thank you
for your kind comments. I'd very much like to tell you about
where we are with the IDEA Act, and I was honored to be there
with you when that was signed at the end of the year.
Our immediate action with all of the agencies was to take
the specific items that were laid out in the IDEA Act and
determine both the timeline and what things needed to be done
centrally and what things needed to be done by the agency
specifically.
We met with the agencies and outlined those pieces. Some
components were actually part of work that was already
underway, things like the inventory that you required and the
definition or the intent for a plan for how those would be
handled. I know that the report for digital signature
acceptance has just come in.
So we aligned those things with what was already in place.
We also had some items that you will see in some of the budget
requests that are coming forward that has to do with those
forward implementation plans. And we look to do those in the
future.
I would share one really interesting outcome of the IDEA
Act. In inventorying the websites and determining a plan
forward, it was very enlightening because many of the agencies
said we need to consolidate this set of websites. So we
actually looked at them from priority and a user-centered
approach of what was highly used, what was highly valued. And
then those things that didn't have the user traffic, wasn't
delivering specific services, other reasons, we're actually
pursuing a plan to consolidate and close those.
So we are moving forward with many aspects of the
implementation, they are included in the activities going on
now. And there are some pieces for which agencies needed
additional resources, and you'll see those reflected in their
2020 budgets.
Mr. Khanna. Great. Let me ask you one final open-ended
question. I don't think anyone on the committee would disagree
that the U.S. Government is the most powerful institution
created in human history. And it was the U.S. Government
actually that helped fund a lot of Silicon Valley. And so it's
mind boggling to me that this incredibly powerful institution has
technology platforms or acquisition platforms that aren't up to
now what many companies do in Silicon Valley.
What do you think Congress can do in supporting FITARA and
the IDEA Act to help continue to get us to a place where the
U.S. Government should be the model for innovation?
Ms. Kent. Your question actually aligns with part of the
reason that I'm here and actually believing that same thing,
that we should have the capabilities in the Federal Government
that are available across many other industries and set the
basis of expectations for our citizens.
So when we talk about particularly modernization and
cybersecurity as part of the FITARA Act those are the key
components of how we actually make this transformation.
Elements of the IDEA Act give us a prioritization to be able to
actually take action and shut down and close the websites and
rethink how we deliver services.
The connected government and delivering mobile and digital
services help make those things a priority. Those signals both
through the FITARA scorecard and specific legislation are
helpful. I would also say though when you look across at the
agency activity for IT budgets we do--and it's--this committee
has talked about it frequently--we spend quite a bit on
maintenance of those legacy systems.
So tools like the Technology Modernization Fund and
modernization initiatives that are outside of that basic
maintenance helps us drive faster and gives us a way--otherwise
agencies are moving in small increments for what they can
divert out of that maintenance path, and that's not a good
solution either.
Mr. Khanna. Thank you.
Mr. Connolly. I thank the gentleman.
And now the gentleman from Wisconsin, Mr. Grothman.
Mr. Grothman. Thank you.
And I'd like to thank both of you for coming over here. I
know you have such a busy day, but I know it's something
Congress has been waiting for, so thanks for coming over.
Health and Human Services and NASA changed their reporting
structures, right, so that the CIOs no longer report directly
to the head or even the deputy head of the agency. Can you
comment as to why that was done and what your general opinion
of it is?
Ms. Kent. I can comment from my conversations regarding
that. I would direct you specifically to the agency heads as to
why they made that decision. You know, what NASA shared had
decisions that were not necessarily related to the activities
of the CIO. I think that's in conflict with what we expected.
And as you may have seen in the HHS side they had lots of
different moves going on at the time. I am continuing my
conversation with them regarding that approach.
Mr. Grothman. It just seems odd.
Ms. Kent. And we agree, and that is not the intent. So we
will continue the conversations until we are back in a place
that is reflective of what is expected.
Mr. Grothman. Okay. Ms. Harris?
Ms. Harris. I mean, the only thing I would add, sir, is in
the case of HHS that reporting relationship was not codified in
their policy. So at the time the acting CIO also was dual
hatted as the acting chief or the chief technology officer, and
so in that role as a chief technology officer he had that
direct reporting relationship to the Secretary. And so when he
put on the hat of CIO he also had that relationship to the
Secretary.
But since he has now vacated that CIO position because that
relationship wasn't codified in policy it went away, and so
that really drives the important point that this relationship
needs to be set in stone in policy so that we can maintain that
continuity regardless of who is in the office.
Mr. Grothman. Okay. Let me give you kind of a broad-based
question here. From your perspective--first of all, how long
have you both had your positions? I should know that and I
don't.
Ms. Kent. Sorry. Could you repeat the question?
Mr. Grothman. How long have you had your position?
Ms. Kent. Sixteen months.
Ms. Harris. Since 2012.
Mr. Grothman. Okay. From your perspective what worries you
the most about IT management, say the last six months?
Anything?
Maybe nothing. It runs like a clock.
Ms. Harris. I think from my perspective when you take a
look at the spend of the $90 billion each year on IT, 80
percent of that spend is on legacy IT. We need to focus on
decreasing that number and reinvesting that money into
modernizing our aging systems.
Mr. Grothman. It's kind of a shocking number, isn't it?
Ms. Harris. Yes.
Mr. Grothman. If it was done right, how much do you think
you could save?
Ms. Kent. It is. And I think I just commented on
modernization that reflects a similar view. I would also state
that when you look at our entire set of modernization goals,
both transformation of the legacy systems and the ability to
sustain current environment while you're making that
transformation and then continued focus, you said, you know,
what are the priorities, it is always cyber, and ensuring that
we are prioritizing our activities there based on the changing
nature of the threat environment and where we see that volume
and where we see those types of threats and ensuring that we
are prioritizing that.
So when the majority of an agency budget goes to
maintaining status quo that means that agency CIOs have to be
incredibly crystal clear on the priority for those funds and
their internal resources that are focused on the transformation
in cybersecurity.
Mr. Grothman. When we talk about legacy systems what
percent of the systems that you're familiar with--I mean, you
said how much more money we're spending on the legacy systems,
but what percent of this--even compared to the private sector,
and you must deal with that somewhat, what percent do you think
we have in the government you'd call up to date or the same
type of systems you'd find in a modern American corporation?
Ms. Harris. Sir, we don't have that information. We have
not done work to look at the percentage of what's legacy and
what's development in the private sector. So I wish I could
answer it, but I don't have that information.
Mr. Grothman. You guys, can I ask one more question?
Mr. Connolly. Of course.
Mr. Grothman. That's a surprising answer. I feel I've got
to ask another question. Do you ever look into and see, you
know, compare like where you are compared to major American
corporations, you'd have people begin to work with you and say,
holy cow, I can't believe you still have this stuff sitting
around here? Does that thing ever go on? Or do you have people
leave your organization to the private sector and say, hey,
wow, you want--you can't believe what I found out here? There's
no comparison or no looking around or no comparing? You don't
do that?
Ms. Kent. I would comment, I don't know that there's an
exact number, a comparison per se to a single sector, but I
would mention two things that we are looking at. One of the
policies that we've used as a driver and a filter for how we
prioritize legacy system transformation as well as website
transformation has been high-value assets and looking at those
things that are of critical importance to agencies and insider
infrastructure and ensuring that we put resources there first.
The other thing that we've done is from a customer
experience perspective actually looked at the citizens that
we're serving and had dialogs around what they expect. And that
actually does give a comparison in many cases across industry
because their expectations are set on what they experience in
their normal lives, whether it's from their financial
institution or a retail business that they're shopping with.
So we have used that user-centered design and customer
expectations to drive back into the way that we are looking at
delivering services, both from a digital and mobile capability
standpoint.
Mr. Grothman. Okay. Well, again, thanks. Thanks for coming
over here. I appreciate the chair letting me take so much of
other people's time.
Mr. Connolly. Not at all. Thank you, Mr. Grothman.
And, Mr. Grothman, if I may followup on your question, I
think we could afford, Ms. Harris, to be a little more
forthright. I think you're letting yourself off the hook a
little bit by saying, I don't know, I mean, I'm not in the
private sector. I mean, there are things we do know.
For example, I always ask--and you probably do too, Mr.
Meadows--when I speak to a private sector group, it's a trick
question. I go, well, how many CIOs do you have? And they
always look at you no matter how big they are like what a
trick--well, what do you mean? We have one. Well, how many does
the Federal Government have?
When we began FITARA with 24 agencies we had 250 people
with the title CIO, and that means no one is in charge, no one
can be held accountable, nobody is exactly responsible. And
that's a big difference, I would say, Mr. Grothman, between the
private sector and the public sector where we can learn from
the private sector.
Likewise, we were celebrating a little while ago the
transition from COBOL. I can't think of a private sector
company that still has COBOL, let alone would be celebrating in
2019 the transition from it to something else. So I think there
are some things that we clearly can observe and learn from and
benefit from in the private sector. Moving to the cloud is
another one.
So it is instructive, and hopefully we cannot necessarily
entirely mimic the private sector, but there's a lot of
management practices we could learn from. And having the CIO
report directly to the Secretary of the agency is also
something quite common in the private sector. The CIO is not
buried in the bowels of the organization, somebody who is a key
part of the management team, because everyone understands the
key role of IT in the enterprise.
Ms. Harris. Yes.
Mr. Connolly. Well, I want to thank you both so much for
coming. We're going to continue this dialog. I am pleased, Ms.
Harris, that MeriTalk did a study--a survey rather of 200 CIOs
mostly in the public sector, and they found that 70 percent
said that FITARA was, in fact, from their point of view, a
useful kind of nudge for change within the agencies, and that's
kind of good to hear. And I see you shaking your head. Would
you confirm that yourself or----
Ms. Harris. Well, I think that's very encouraging because I
will say that the progress that has been made since the
inception of the score--well, the FITARA but then also with
your continued oversight with the scorecard 1.0 now to 8.0 how
it has evolved and how it has kind of raised the level of
improvements across the board has been tremendous from
transparency in the dashboard to portfolio stats in the
savings. It's all, you know, because of the tremendous
oversight from your committee.
Mr. Connolly. Well, we want to thank GAO also for always
being innovative in looking at how best we can make that
scorecard a useful tool. So thank you and to your colleagues.
Mr. Meadows.
Mr. Meadows. I just want to make one point. The staff just
let me know when we look at the transition fund, you know, it
passed the House today with only 35 million. And when we look
at this it's--you know, we may represent two different District
11s, but we are together on this particular issue, and so what
we need to do is work in a bipartisan way to get that up to a
number that actually is meaningful. Thirty-five million sadly
is a rounding error when it comes to addressing this problem.
Mr. Connolly. I'm so glad you brought that up, Mr. Meadows,
because I had an amendment to add $15 million to that $35
million to just get a respectable number. And unfortunately
that was not ruled in order. It was subject to a point of order
up in Rules, so we were not able to do it.
Mr. Meadows. You have better connections with the Speaker
than I do.
Mr. Connolly. But we will work on it together.
Thank you both so much for being here today. And, Ms.
Harris, I promised you'd make your plane. You're going to make
your plane.
Thank you.
Ms. Harris. Thank you.
Ms. Kent. Thank you.
Mr. Connolly. And now we're ready for our second panel:
Gary Washington, Chief Information Officer of the United States
Department of Agriculture; Jason Gray, Chief Information
Officer of the United States Department of Education; and Eric
Olson, Chief Information Officer from the Department of
Treasury.
If you would stand and raise your right hand, we'll be
sworn in. Thank you. Do you swear or affirm that the testimony
you're about to give is the truth, the whole truth, and nothing
but the truth, so help you God?
I thank you. And let the record show that our witnesses
answered in the affirmative.
The microphones, as I said, are sensitive, so if you can
speak directly into them like I'm doing, you can be heard.
Everybody has five minutes to summarize their testimony. Your
full statement will be entered into the record as
submitted.
And, Mr. Washington, why don't we begin with you and your
five-minute statement. Welcome.
STATEMENT OF GARY WASHINGTON, CHIEF INFORMATION OFFICER, U.S.
DEPARTMENT OF AGRICULTURE
Mr. Washington. Thank you, Chairman Connolly, Ranking
Member Meadows, and the members of the subcommittee for the
opportunity to update you today on the United States Department
of Agriculture's progress on implementation of FITARA. I am
Gary Washington, the Chief Information Officer of USDA. I would
also like to thank you for your ongoing support and commitment
to improve information technology management across the Federal
Government.
Secretary Perdue's vision is to make USDA the most
efficient, effective, customer focused, and best managed
department in the Federal Government. Central to that goal is
focusing on enterprise-based approaches to management and
decision-making. We have taken many steps to achieve that goal
including the implementation of the FITARA Information
Technology Management Maturity Model, and we continue to make
progress.
As evidenced by the latest FITARA scorecard and the
progress we have made over the past year, I am pleased that
USDA has moved up an entire letter grade on the scorecard, and
I hope that we will be doing as well or better than our friends
here at Department of Education next year.
I know we have a lot further to go, but every day I am
seeing the positive impact that FITARA has on our Department,
and I would like to discuss some of that progress today. Since
my last appearance before the subcommittee, USDA partnered with
the White House Office of American Innovation and the General
Services Administration Center of Excellence to improve the
management of information technology at USDA.
This effort accelerated IT modernization across the
Department, improving leadership alignment, quality, and
efficiency of IT, including decreasing the number of chief
information officers, CIOs, from 22 to one, closing 28 to 39
data centers resulting in a cost savings and avoidance of $42.1
million and closing 2,255 data centers overall.
We have enrolled 13 agencies into USDA cloud program
resulting in a net cost avoidance of $12.1 million, improving
our MEGABYTE score from an F to an A on the 7.0 scorecard by
implementing a number of effective processes and procedures to
improve software management.
We've also petitioned our existing working capital fund to
receive technology modernization funding and making significant
improvements in cybersecurity with 96 percent of USDA systems
having authorities to operate as opposed to 74 percent in
Fiscal Year 2017.
Additionally, end-user equipment and hardware will be
centrally managed by the Office of Chief Information Officer
using an IT service management system with asset management as
a core function. We will onboard the inventory for all the USDA
mission areas and offices as part of an enterprise end-user
consolidation initiative scheduled to be completed by the end
of Fiscal Year 2020.
And our Digital Infrastructure Services Center will be
responsible for the central inventory and management of all
infrastructure components of USDA, which includes network and
system hosting. The system hosting would be accomplished by the
end of Fiscal Year 2020 through the Data Center Optimization
Initiative and Cloud Adoption Centers of Excellence.
The network transition to the new General Services
Administration enterprise infrastructure solutions contract
will ensure accurate inventory of our network infrastructure. I
would like to emphasize the strong engagement and support for
those efforts from our USDA leadership, namely the secretary
and deputy secretary who I report directly to on IT matters. I
believe we have an effective reporting structure and
involvement in IT management and modernization issues at the
highest level.
In closing, USDA has consistently proven itself as a leader
in embracing FITARA. We want to continue to implement FITARA
across USDA and integrate it into our daily processes and IT
modernization activities even further than we have today. We
recognize there is more work to be done, and we continue to
tackle those challenges.
I truly appreciate the attention the committee has brought
to this issue and your ongoing support of our efforts to change
the way the Federal Government thinks about and manages IT.
I look forward to answering any questions you may have.
Thank you.
Mr. Connolly. Thank you, Mr. Washington.
Mr. Gray.
STATEMENT OF JASON GRAY
Mr. Gray. Thank you, Chairman Connolly, Ranking Member
Meadows, and members of the subcommittee for this opportunity
to talk about the progress the U.S. Department of Education has
made in implementing the Federal Information Technology
Acquisition Reform Act.
I recognize the great privilege and honor of being invited
to appear here today. Never in my life could I have imagined
having opportunities I've had to speak before the U.S.
Congress. Thank you.
I'd also like to thank you for your continued commitment to
improving information technology management. My responsibility
is to ensure the availability of IT with appropriate controls
and to ensure the integrity in how we use it under the
leadership of Secretary DeVos and in collaboration with the
Office of Federal Student Aid and my office we have achieved a
number of improvements in recent years.
Mr. Gray. There are two areas that I would like to
highlight today, cybersecurity is one focus area of FITARA,
which encourages agencies to proactively address cybersecurity
risk and compliance with Federal Information Security
Modernization Act.
To address the cybersecurity challenge, OCIO developed our
own cybersecurity risk scorecard based on the National
Institute of Standards and Technology Cybersecurity Framework.
The implementation of a scorecard improved our focus and
alignment with OMB requirements for sound risk management
practices for protecting our systems and networks.
The scorecard also provided a specific path for the
Department system owners and security officers to identify,
prioritize, and mitigate risks. From September 2018 to June
2019, the Department has mitigated and closed over 2,300 plans
of actions and milestones representing a 72 percent reduction
in vulnerabilities than the Department systems.
We use the scorecard to provide monthly briefings to the
secretary, deputy secretary, and senior leaders. With their
support and with the hard work of our system and security
personnel, we were able to raise our FITARA security score two
letter grades to a C in December 2018. The Department, along
with the majority of its peers, started with a FITARA
cybersecurity score of F in 2018.
Another area of focus is IT modernization, which is in line
with the Department's focus on creating and managing a more
modern and secure IT environment and is consistent with the
themes and principles outlined in the cross-agency priority
goal on IT modernization found in the President's management
agenda.
In 2017, we began an exhaustive review of our IT portfolio
to ensure that IT systems, applications, and services are
secure, appropriately governed, and modernized to meet the
needs of today's economy with an eye toward tomorrow's
opportunities.
To this end, OCIO worked with key stakeholders across the
agency and industry experts to complete a comprehensive
analysis of our business missions and the IT assets supporting
them. As a result of those efforts, we developed a detailed
visualization or map of the Department's IT inventory, which we
analyzed to determine the Department's needs and to build our
five-year IT modernization plan and strategic road map.
The effort provides greater transparency across the
Department enabling us to work with business owners, to
identify opportunities, to leverage shared and cloud services,
automate manual business processes, reduce cybersecurity risk,
and consolidate cloud service providers. We are working with
the Office of Management and Budget and Congress to obtain
appropriations language that would allow us to transfer funds
to a working capital fund, which would support the Department's
future modernization initiatives and accomplish the goals and
objectives of the Modernizing Government Technology Act.
We requested this transfer authority in the Fiscal Year
2020 budget, and the Treasury Department has committed to
activating an account for the Department once the transfer
authority has been granted by Congress.
I recognize our areas for improvement; we must continually
monitor and assess our IT management and service delivery
practices and policies. We are taking actions in areas where we
are not fully meeting our milestones.
One such area is CIO and CAO collaboration on the review
and approval of acquisition strategies and plans. OCIO is
partnering with contracts and acquisition management to
establish touch points between the IT life cycle management
process and the acquisitions process to ensure the CIO has the
opportunity to review and approve all acquisition strategies
and plans that contain IT.
Secretary DeVos and the Department take FITARA
implementation seriously. We believe our progress demonstrates
that. Thank you for your time today, and I look forward to
responding to your questions.
Mr. Connolly. Thank you so much, Mr. Gray.
Mr. Olson.
STATEMENT OF ERIC OLSON, CHIEF INFORMATION OFFICER, U.S.
DEPARTMENT OF THE TREASURY
Mr. Olson. Thank you, Chairman Connolly, Ranking Member
Meadows, and members of the subcommittee for the opportunity to
testify on Treasury's implementation of FITARA. My name is Eric
Olson and it is my honor and privilege to serve as the chief
information officer for the U.S. Department of the Treasury.
Information technology is at the core of what Treasury
does. We represent the third largest civilian agency in terms
of overall IT budget, and plan to spend approximately 4.8
billion on IT in Fiscal Year 2019.
Managing a large IT portfolio with the scale and complexity
of Treasury is a very challenging endeavor, and we are grateful
for the financial and human resources we have been provided to
accomplish our mission. We recognize our responsibility for the
stewardship of these resources, and we take this responsibility
very seriously. We appreciate that FITARA was enacted to assist
us to perform this responsibility.
Our key guiding principle for modernization is to drive the
greatest amount of resources toward mission enablement and
digital transformation. This requires pursuing enterprise
initiatives and shared services so that we can reduce
duplication and leverage economies of scale. At the same time,
we encourage our bureaus to focus on transforming mission
outcomes by adopting practices from the private sector that
have proven successful in delivering digital transformation,
such as cloud-based services, agile development, and low code
platforms.
I would like to briefly summarize some of our recent
accomplishments and how they fit into the larger approach for
Treasury IT modernization. On the heels of Congress' enactment
of the Tax Cuts and Jobs Act, the IRS recently completed a
successful tax filing season that was enabled in large part by
the successful delivery of one of the largest and most complex
IT implementations ever undertaken by the Treasury Department.
Implementation of tax reform required the modification of
hundreds of applications across the IRS and the Bureau of
Fiscal Service. This recent accomplishment demonstrates
Treasury's ability to deliver change at scale on an accelerated
timeframe. Treasury continues its pursuit of enterprise-wide
services. Recently Treasury delivered an expansive upgrade to
its enterprise HR system, an enterprise-wide service that
supports the nearly 100,000 Treasury employees.
Treasury is also in the process of implementing a
cloud-based talent management system that will deliver a common
platform for employee training, performance management, and
succession planning. These initiatives demonstrate Treasury's
ability to use its franchise fund to achieve some of the
benefits of what an IT working capital fund might achieve.
In addition to the successes I mentioned earlier, I would
like to report on how Treasury is implementing FITARA. In some
areas of the FITARA scorecard Treasury has scored well, for
example, data center consolidation and portfolio review. We have
worked hard in these areas and we are proud of our results. In
other areas, although we have worked hard, we recognize there
is room for improvement.
FITARA recognizes the importance of agency CIOs having a
substantial role in agency IT decisions. I meet regularly with
Secretary Mnuchin on major IT investments, cybersecurity risk,
and opportunities to pursue Treasury-wide initiatives. I
believe this increased engagement with Treasury senior
leadership has produced notable results in the delivery of the
IRS modernization plan and the delivery of technology to
support tax reform, among other things.
On cybersecurity, we fully appreciate the threat posed by
well-resourced and highly motivated adversaries and are
committed to mitigating risk posed by such actors. While we
cannot completely eliminate risk, we acknowledge our supreme
responsibility to proactively address cybersecurity risk to the
greatest degree possible. Toward that end, we operate a
comprehensive cybersecurity program focused on risk mitigation.
Our strategy is to make investments and capabilities that
materially reduce our risk and reduce the cost of our
compliance.
We are grateful to Congress for the support of our
cybersecurity enhancement account, which is focused on
identifying and funding projects that have the greatest
Treasury-wide impact in these and other important areas.
In closing, we recognize and embrace our responsibility to
be a good steward of IT resources. We understand and embrace
the language intended in FITARA. We share the common goal of
Treasury IT modernization. And we value the collaboration with
Congress to jointly achieve these goals.
Thank you, once again, for the opportunity to testify
today.
Mr. Connolly. Thank you, Mr. Olson.
Ms. Harris, did you want to comment? And I'm sorry if I led
you astray, I was simply reassuring you, you're going to make
your flight at 10 o'clock.
Ms. Harris. I see. I apologize for----
Mr. Connolly. No, forgive me if I misled.
Ms. Harris. Mr. Chairman, Ranking Member Meadows, I'll now
turn my comments to the Departments of Agriculture, Education,
and Treasury. These agencies collectively plan to spend $7.5
billion on IT this year. For each of them, roughly 80 percent
of their IT spend is on operational systems. Both USDA and
Treasury have an overall C-grade on this scorecard, while
Education is at a B+. Education has also sustained this overall
B+ grade over the last four scorecards.
Some positive areas to highlight for all three, the vast
majority of their IT projects use an incremental approach. They
also have comprehensive software license inventories and use
them to make decisions and save money. USDA and Treasury have
also closed more than 50 percent of their total data centers
and exceeded their savings goals. Education closed all of their
data centers and moved to the cloud years ago.
For all three agencies, the progress to improve their IG
assessments of cybersecurity is rather low. In the case of USDA
and Treasury, they also self-reported low numbers in meeting
OMB's 10 cyber metrics. The combination of the two is a reason
for their low grades in this area. Education, on the other
hand, self-reported meeting all 10 of OMB's cyber metrics, and
as a result, raised their grade in this area to a C. I'd also
like to note that if USDA and Treasury CIOs reported to the
head of their agencies, their overall grade would increase to a
B.
Mr. Chairman, this concludes my comments on the results of
these three agencies.
Mr. Connolly. I thank you. Thank you so much. And it is
heartening to hear the progress. I would just say, and you can
confirm this, Mr. Gray. As I understand it, you now have zero
data centers?
Mr. Gray. That is correct.
Mr. Connolly. And that you went from paying $12 per
gigabyte of storage to a few cents?
Mr. Gray. Actually, sir, we are currently focused on
transition--or doing cloud consolidation, and we recently
within the last three months transitioned from $1.43 per
gigabyte to $0.12 a gigabyte.
Mr. Connolly. So there are savings to be had in data center
consolidation and moving to the cloud?
Mr. Gray. Yes. Yes, Mr. Chairman. I think you're a poster
child for doing that, and I thank you.
Mr. Connolly. Let me ask, Ms. Harris, GAO looked at best
practices, and you identified FITARA requirements, one of which
was--in order to get to best practices, obtains support from
senior leadership.
Would it be fair to say that all three of the agencies in
front of us have achieved that?
Ms. Harris. Well sir, I think in the case of Education
that's clearly the case because of Mr. Gray's direct reporting
to the Secretary. In the case of USDA and Treasury, that direct
reporting is not as clear-cut. So I would say that in those two
cases that senior leadership support may not be as clear as
Education's.
Mr. Connolly. And I think that's really particularly
important in your case, Mr. Washington, because Secretary
Perdue has offered himself up as the pilot for the innovation
agenda that Mr. Kushner and Chris Little are organizing at the
White House. And if you're going to do that, the model here is
the CIO has got to report to the boss. There's kind of no
getting around that, and it is the desiring goal and objective
of FITARA, it's in our scorecard, and it is part of best
practices GAO established.
The second is--and you can comment on that if you wish. I'm
sorry, I didn't mean to not let you comment.
Mr. Washington. Thank you, Mr. Chairman. I have all the
access--I have extreme amount of access to the Secretary and
the deputy secretary, and I frequently meet with the deputy
secretary and speak with him about matters----
Mr. Connolly. But if I may, Mr. Washington. That's good,
but that could be personal.
Mr. Washington. Yes, sir.
Mr. Connolly. We're talking about an organizational chart
where you have the right to go in that office because you
report to him or her. And if the bureaucracy doesn't see that,
it diminishes your power or your successor's power. Power,
influence, the ability to make change get enforced because
everyone understands you've got the ear's boss--I mean, the
boss's ear. You know, that works in the private sector.
If I know, in the private sector, somebody has the ear of
the CEO, so when he or she calls me, I know who that is,
believe me, I'm paying attention and following up on that as a
priority. And so I think that's really what we're getting at.
It has to show on the organizational chart. It's great you have
access, but your successor may not. And we want to
institutionalize this in the formal structure of the
organization.
And, Mr. Olson, you indicated that you have access to Mr.
Mnuchin, but again, the same thing, is it not that we haven't
institutionalized this, though, so that your successors and his
successors will have the same kind of relationship?
Mr. Olson. Sir, if I could elaborate a little bit on the
arrangement. So by Treasury policy, I do have a direct
reporting relationship to Secretary Mnuchin on all CIO matters.
I do also have an operational relationship to the secretary for
management, and I think that is sort of the element that is
causing some confusion or some concern here.
This is what I would offer up. I think Treasury has a very
robust, I'll say performance management structure. That
structure, which has existed for many years, is the purview and
the responsibility of the assistant secretary for management.
It has served actually as an enhancer to my authorities as a CIO
to be plugged into that and not try to recreate, for example,
my own sort of set of oversight, if you will, with all the
Treasury bureau heads and Treasury IT leaders.
So it enables me actually to have very good interaction and
influence with bureau heads routinely. I have the opportunity
to meet with them and talk with them on technology matters.
It also brings me to the table when, for example, we're
talking about a particular bureau's budget or work force issues
with the bureau head, because IT doesn't live in a vacuum,
there are work force issues, there are budget issues, there are
procurement issues, and all those folks need to be at the
table. So, you know, I do feel like I have that.
The other thing I'll say, and I mentioned this in my
opening comments, is that we successfully delivered a tax
filing season, it was a very complicated heavy lift. Back a
year or so ago when we were sort of still interpreting the law
and creating specific requirements, I started to have some
concerns about our ability to deliver that on time, and I
expressed those to the Secretary.
The engagement with the Secretary led to the ability for
me to meet with IRS leadership weekly for the following year,
and I'm talking about the commissioner, the deputy
commissioners, the CIO, and we sat down and we reviewed the
progress of tax reform implementation weekly so that we would
get there. I don't believe that would have happened if the rest
of the organization didn't understand my reporting relationship
to the Secretary.
Mr. Connolly. Good feedback. And it's also heartening that
finally IRS is getting the attention it has long deserved. It
has been on a starvation diet for all too long, and especially
when it comes to technology, some of those legacy systems are
particularly characteristic of IRS. I mean, as a Democrat, I'm
sorry it took the tax bill to be the incentive to do it, but
I'll take it.
In any event, thank you.
Mr. Meadows.
Mr. Meadows. I'm going to be real brief. Obviously we're
looking at this. We're looking at detail. We're looking at what
is being said and then what is actually being done, and I think
there's a big difference between what is said and what is done,
and sometimes what is said here as witnesses is not what we're
hearing is being actually done at the agencies. So I guess what
I would encourage all of you to do is look at your FITARA
scorecard.
And, Mr. Gray, I want to say thank you. Obviously,
recognizing success is one of the things that we don't do a
good job of doing sometimes. And I know I've been to--I haven't
been to your agency, I've been to the other two agencies, and
many times it's the first time Members of Congress ever come to
say thank you, and shame on us. And so I just want to say thank
you for your work.
Thank you for truly the impact that you're making. And yet,
we will not spend any more money on any one item than we do IT.
I mean, Ms. Harris was talking about $90 billion, you know,
when you add all the factors in there, it's probably up to 110,
120 billion when you count in some of the agencies we can't
talk about. When you look at what all of those components--I'm
amazed at how archaic our IT system is. I mean, we're spending
more than any Fortune 500 company would spend on IT, and yet,
obviously--and, listen, I'm preaching to the choir, all of you
get this.
And I guess what I'm saying, the big thing for me--the big
thing for the chairman is data centers and making sure those
are consolidated. The big thing for me is if we continue to
spend operational money for COBOL and FORTRAN programmers and
legacy systems that--it's just mind-boggling that we would do
it and we continue to do it, not just in some of your agencies,
but in other agencies across this.
And so, for me, it is, you know, really critical, Mr.
Olson. I think about the IRS and the amount of data that you
have, and what I would call the big mainframe IBM systems that
are really programmed in such archaic language that we're
having to pay a premium for the programmers because nobody
programs in that language anymore.
So in terms of action items, for me, if you would get back
to this committee on what is your plan to get rid of legacy
systems, and what is the cost of doing it? And for some of you,
you know, you've got to make sure that you're up and running,
and you may even have to have a parallel system that gets built
so that you can do the transfer.
I realize there are logistical problems, Ms. Harris has
said sometimes it's like trying to change a tire while you're
driving 55 miles an hour. For some of you it's like you're
driving 100 miles an hour trying to fix that flat tire, but I
need a plan.
And I guess the only frustration you will find is that at
the next FITARA hearing, if there is not a plan, not just from
the three of you, but anybody that is listening, on how we're
going to get rid of that, there's going to be a problem. I'm
tired of talking about it. And I'm saying that in the nicest
way that I can.
But thank you all for your work. We are making great
progress. Even the Cs and the C+s and D+s and all of that, do
not take the generosity of a modified scoring as oly oly oxen
free. It's time that we get serious about trying to get those
to at least the next level up. And I'll yield back.
Mr. Connolly. I thank the gentleman. The gentlelady from
the District of Columbia, Ms. Eleanor Holmes Norton.
Ms. Norton. Thank you very much, Mr. Chairman, I appreciate
your calling specific agencies so that we could look beneath
the surface and see how this is doing. So I'm interested in the
scorecard that evaluates agencies for implementation of what is
called the Federal Information Security Modernization Act,
that's what we mean when we say FISMA.
And I think that this metric is particularly important to
the Congress because it will enable us to evaluate agencies who
have a metric of their own and then to ask the agencies to
explain themselves, and that's what I'd like to begin with now.
I'm going to ask the Department of Education who received a
C, the Department of Treasury who received a D, and the USDA
who received an F, to explain why and what actions you can take
or have taken to improve these scores?
Mr. Gray. Thank you for the question. Specifically, as was
mentioned earlier, the Risk and Management Assessment, the RMA
piece, is where agencies are assessing against metrics. We meet
regularly to discuss cybersecurity as a whole. As I alluded to
in my opening remarks and my written testimony, we use a
cybersecurity risk scorecard that was developed that is aligned
with the new cybersecurity framework, and what that does is it
enables me to have near real time visibility into the
cybersecurity posture of each of our systems. It reaches back
to the Department of Justice in this case to pull information
about my systems and I use that as----
Ms. Norton. So did you know that--this is Mr. Gray from the
Department of Education--did you know that at the time that
your Department received a C? Is that what it would get today--
will continue to get?
Mr. Gray. We are striving to improve our cybersecurity
scorecard and have made significant improvements. To your
question about what have we done or what are we going to do?
Ms. Norton. Yes.
Mr. Gray. Within the last three months we have made a
massive IT transition to everything entirely new. When I got to
the Department about three years ago, a little over three years
ago now, we inherited a 10-year-old IT service contract. There
was a lot of legacy and old things. We have re-competed and
awarded, and within the last three months have transitioned to
entirely new--new equipment, new hardware, new software, new
systems, everything.
Ms. Norton. So if you were evaluated today, you think you
would do better than a C? If you were evaluated today, given
the improvements you just indicated?
Mr. Gray. We are currently stabilizing within the next two
months, but absolutely. Once the stabilization is done, I
absolutely expect for our scores to improve.
Ms. Norton. The Department of Treasury, that would be Mr.
Olson.
Mr. Olson. That's correct.
Ms. Norton. The Department of Treasury got a D. How do you
explain that, and what actions have you taken to improve that
score metric?
Mr. Olson. Sure. So let's talk about the metric itself.
Part of it is based on an IG audit----
Ms. Norton. Based on what?
Mr. Olson. IG audit that's done of our FISMA system, so we
scored three out of five.
Ms. Norton. Is that why you got a D?
Mr. Olson. So three out of five equates to a D, and that's
50 percent of our grade. And I would be the first to tell you that
that's not where we need to be. It's a maturity model and, you
know, part of what we've been trying to do and part of what
we've been using, the cyber enhancement account, has been to
make investments where we get the biggest bang for the buck to
improve these kinds of things.
I actually sat down with Secretary Mnuchin to talk about
our scores in this area, and he said, Eric, what's it going to
take to get to four? So, four, we have 430 systems, it's a
random selection of systems in any given year. So it's like,
gosh, it's an extremely heavy lift, but how can we get to four
on the highest value assets. So he's asked me to put together a
plan, how can we get to four if we were to be audited on our
highest value assets.
The other half of the grade, which is the risk management
score, as you know, this is sort of like 10 individual items,
it's passed down. And some of these scores, if you don't get
100 percent, you fail. So I'm not at all quibbling with the
scorecard, but I mean to say that 9 out of 10 of them are well
into the high 90's, and we have a one or two percent delta,
which--you know, we have got to put it over the line and we
would get, you know, a much better grade.
The one area where we're doing the worst and is actually a
new element that was added to the scorecard in Q-3 of 2018, and
we have a lot of work to do. That has to do with bringing
strong encryption to legacy--well, to high value assets, many
of which in the Department of the Treasury, are legacy systems
which don't lend themselves to sort of architecturally elegant
ways of doing that. But nonetheless, we understand the ask,
we'll figure it out. But that's how I look at raising my
scores.
Ms. Norton. So it seems that you are aware.
Mr. Olson. Very aware.
Ms. Norton. And are taking action. And, finally, to round
this out, Mr. Chairman, could I ask the Representative of USDA,
Mr. Washington, about what was the lowest score among the three
of you here, the F score. How do you explain that? Why that
score? And what actions have you taken to improve that score
since you got that score--that low score?
Mr. Washington. Well, ma'am, we were in an environment
where we had many different tools that weren't speaking the
same language in terms of configuration management and
patching. That's where we fell short on the----
Ms. Norton. Do you have a variety of tools, did you say?
Mr. Washington. Yes, we had a variety of tools that weren't
feeding the same information, that's where we fell short on a
FISMA metric because it wasn't feeding the metric data
properly. So what we've done since last year, we've organized
the end user consolidation that's very important to us across
USDA, and we're going to get down to one common tool. And all
of the end user support activities will be managed by the
Department. So they will have common images and patching will
be done the same way and standardized across the Department of
Agriculture. And we intend to have that completed before the
end of Fiscal Year 2020.
Ms. Norton. Thank you very much.
Thank you, Mr. Chairman. That's all.
Mr. Connolly. Thank you. And thank you for that line of
questioning because I think that really is something we got to
work on.
Mr. Olson, I just want to add, with respect to your answer.
Surely--I know you do--understand the part of our intention
was, if it can't be encrypted, it needs to be replaced and
we're trying to incentivize the replacement of legacy systems.
Mr. Olson. Yes.
Mr. Connolly. And that's another nudge.
Mr. Olson. Absolutely. And I think you're aware of a large
modernization plan we have put in for most of that portfolio.
Mr. Connolly. I would just say to all three of you, you
represent agencies that maintain very large data bases. And I
can recall, Mr. Gray, not to cite Education, but we had a
hearing on this subcommittee a number of years ago focusing on
different Federal agencies, and one of them was on yours. And
what really was striking was, you wouldn't think of Department
of Education being a particular target for bad guys in the
cyber world, but you have a data base of over 40 million
Americans. Because if I applied for a student loan, you got my
data. You got my financial data, my banking information, my
credit cards, my credit history, my mortgage, on and on. And
what could go wrong with that if that got breached?
So your being up to snuff in terms of cybersecurity is
actually pretty important to the American people, and that
would certainly be true--IRS has data on everybody. And USDA
has all kinds of data bases, of course, as well. So, you know,
this cyber question is not an academic one, I know not for you,
but it isn't for us either. We're very cognizant of what can go
wrong if we don't accelerate this move toward updated systems.
Oh, I'm sorry, Mr. Grothman, the gentleman from Wisconsin.
Mr. Grothman. Thank you very much. I'd like to thank the
other three of you for coming over here, I know it's very busy
for you and we're keeping you here a little late. So appreciate
the extra effort.
We talked before about the huge amount of cost that goes
into what--I think it was Ms. Harris described as legacy
systems. And I wondered for each of your three agencies, if we
can start with Mr. Washington, could you let us know how many
of the systems in your agencies you would describe as legacy
systems?
Mr. Washington. Sir, in terms of legacy systems, is it
classified and is obsolete using outdated technology?
Mr. Grothman. Correct.
Mr. Washington. We have less than five systems that are
actually classified as old legacy systems. But we do spend
about 77 percent of our portfolio in terms of O&M.
Mr. Grothman. Seventy-seven percent of your money you spend
on the legacy systems? You said you have five legacy systems
left, of that, five of how many?
Mr. Washington. Oh, how many systems? We have--I'd have to
get back to you on the exact number of systems, sir.
Mr. Grothman. About.
Mr. Washington. We have about 129 systems in USDA.
Mr. Grothman. So you spend 77 percent of the money on five
out of like 150 systems?
Mr. Washington. On operation and maintenance. Of what we
spend on our IT portfolio.
Mr. Grothman. That's almost unbelievable. Could you give me
the dollar numbers that go with those fantastic figures?
Mr. Washington. Say again, sir.
Mr. Grothman. Like how many dollars are we talking about
here.
Mr. Washington. We have approximately a $2.3 billion IT
portfolio at USDA.
Mr. Grothman. Two point three billion.
Mr. Washington. Yes, sir.
Mr. Grothman. And you spend like 72 percent of that on five
out of a 150 systems.
Mr. Washington. No, not on five--that's on O&M. On the five
systems we don't spend that much money, sir.
Mr. Grothman. Okay. But you said you spent over 70 percent
on five legacy systems. Is that right?
Mr. Washington. I said for operations and maintenance. On
the five legacy systems, we plan to retire those this year--
those this year. And I don't have the exact numbers right now,
but it's not--it's a small amount of money.
Mr. Grothman. Okay. Well, it sounds kind of amazing
numbers. Mr. Gray, I'll give you the same question.
Mr. Gray. We have one legacy system at the Department,
which is currently planned to be modernized through the next
gen initiative that Federal Student Aid is leading.
Mr. Grothman. And when will that be done?
Mr. Gray. Excuse me.
Mr. Grothman. When will that be done? When will it be
modernized?
Mr. Gray. That is a wonderful question. We currently have
contracts that are under a protest, and as soon as those
contract protests are resolved, we will be proceeding forward.
Mr. Grothman. What's the nature of the protests?
Mr. Gray. There's quite a number of that. I'd be happy to
follow up after.
Mr. Grothman. Okay. We'll give Mr. Olson the same question.
Mr. Olson. Sure. So I'm happy to sort of comment. Within
Treasury we have eight or so major bureaus, and I would
probably answer that question a little bit for each one. But at
the end of the day, the biggest rock in the Treasury Department
is the IRS. So let's sort of talk about that one, because I
think that one. It's roughly sort of an 80/20 split, maybe
85/15, depending on the year.
Mr. Grothman. What is the 85?
Mr. Olson. Eighty-five is O&M versus what we call
development, maintenance, and enhancement, DM&E, which is the
build piece. I would offer this--there's been a lot of
discussion earlier in--in the early panel about private sector
companies.
I spent a lot of time talking to private sector companies,
and in particular, financial services companies, and asked them
this question a lot about how much do they spend on O&M, which
is in the private sector they call run, and DM&E, which in the
private sector they call grow. And they have another--sort of
another category of spend that they call transform.
It's not necessarily bad in and of itself to have a big
number in run. But you have to have a strategy for making the
business case to invest as much as you can in grow and
transform. And I will just say, as far as the IRS goes, and the
big banks that I've talked to, this particular fraction, if you
will, percentage, if you will, is not unlike what the biggest
banks in the country see as far as the split between run and
build.
We have a big proposal and request for funding, you know,
that will be coming forward----
Mr. Grothman. When you talk to other people--and I'm
already past my time limit here. Do they feel you're up-to-date
or do they say this is where we were 15 years ago, or what do
they say?
Mr. Olson. They, like us, have an enormously complex set of
systems. So a GAO report just came out, we had, you know, the
honor of a 51-year-old system. A 51-year-old system, that is
the year it was put into production. It gets down to I think
what's the definition of legacy. I mean, we joke sometimes in
the IT business that legacy begins the day after you implement
the system for the first day. You know, so the definition of
legacy is something that there's a fair amount of debate on.
You know, if I were to take that 51-year-old system and
tell you it's running on a mainframe that's four years old, is
it a legacy system. There is a variety of----
Mr. Grothman. In general, though, when you talk to people,
because I'm way over, my subcommittee chair is being very
gracious. When you talk to people, where do they feel about
where you are?
Mr. Olson. Oh, absolutely, they say we need to make
significant changes, and we're committed to that.
Mr. Grothman. Do they say, like, we are where we were 15
years ago or something. I mean, you hear some of these stories
that the government is so far behind where everybody else is.
Mr. Olson. I'm not going to debate that, but I will tell
you that I met with a group of financial service CIOs from some
of the country's biggest banks, and it was amazing how similar
of the challenges that we have in terms of our portfolio of
applications.
Mr. Grothman. Okay. Thank you.
Mr. Connolly. I thank the gentleman. Mr. Olson, let me
follow up on your answers to Mr. Grothman, however. I think it's
a little misleading to compare yourself to the private sector,
we're kind of roughly the same----
Mr. Olson. Absolutely.
Mr. Connolly. Same ratio. There is no private sector
company I know of----
Mr. Olson. There is not.
Mr. Connolly. [continuing]. that has a 51-year-old
operating system still operating and you're dependent on.
Mr. Olson. Well, yes. I'm not trying to defend that.
Mr. Connolly. I understand. But it goes deeper, doesn't it?
So I remember during the Obama years, the IRS was so starved
that the average computer, the average PC, for example, was in
the eight to nine year range. In the private sector any modern
company is replacing computers every two or three years.
Mr. Olson. Right.
Mr. Connolly. So already we're at a huge disadvantage, and
little wonder that we had a lot of hard drive crashes, because
it just was outliving its life span, and we were really taxing
that hardware really behind its useful life.
We also had for IRS, if you wanted to archive material and
be able to retrieve it, the instruction was, print and save.
Now there is no private sector company that would accept that
as a standard. IRS has to because we weren't allowing them to
invest in their technology.
So I just wanted to clarify that in the case certainly of
at least your big constituent agency, IRS, it is a victim
directly of investment starvation.
Mr. Olson. Absolutely. And I don't mean to--I think I just
wanted to paint that it was a more nuanced picture, and we are
trying to look at what is a very large portfolio to identify
the places where we really need to make that investment and
move quickly, as opposed to just painting a broad brush to what
is almost a $300 billion dollars spend.
Mr. Connolly. As I said earlier, I've been on this case for
quite some time. And the IRS--I regret that my colleagues on
the other side finally got around to wanting to do something
only because they realized their tax bill was at jeopardy if
they didn't because you couldn't implement it. I wish we had
made those investments earlier for the sake of serving the
American public with or without a tax bill.
Mr. Olson. Agreed.
Mr. Connolly. And hopefully that will be the ethos going
forward. Ms. Harris, anything else for the good of the order?
Anything we haven't covered that we ought to at least mention?
Ms. Harris. I think we've covered everything.
Mr. Connolly. We've covered everything.
Ms. Harris. We have, sir.
Mr. Connolly. Let the record show, GAO believes we have
covered everything. But, again, I want to thank you for your
leadership and your incredible staff work from the very top. I
mean, you know, this item has been on the high risk list for a
long time.
GAO unequivocally got behind FITARA and supported the
legislation and exhorted Congress to pass it, and has been with
us every step of the way as we insist on its implementation.
And we couldn't have done it without you, and I think
you're really one of the great heroes of--if this legislation is
transformative over time, GAO shares in the credit, and we
thank you.
Let me see, what am I doing here? I am adjourning. Okay. I
want to thank our witnesses. And without objection, all members
will have five legislative days within which to submit
additional written questions for the witnesses, and those
questions will come from us.
And if you can get back to us in a timely fashion, through
the chair, we'll distribute them to the members, should they
appear.
I want to wish you all a good day. Thank you again for your
patience with the House schedule. Good luck on your trip, Ms.
Harris. This hearing is adjourned.
[Whereupon, at 5:55 p.m., the subcommittee was adjourned.]