
Remotely. R by Webex, appearing members are in person, let me remind everyone that pursuant to the House Attending Physician and guidance, all individuals attending this hearing in person must wear a face mask. I am dropping mine only to speak. Members who were not wearing a face mask will not be recognized. Let me also make a few reminders to those members appearing in person. You will only see members and witnesses appearing remotely on the monitor in front of you when they are speaking in what is Webex's active speaker view. A timer is directly in front of you. Members appearing remotely, let me remind everybody that first, you will be able to see each person speaking during the hearing, whether they are in person or remote, as long as you have your Webex set to active speaker view. If you have any questions, contact committee staff. They will try to be helpful. A timer should be visible on your screen when you are in the active speaker with thumbnail view. Members who wish to pin the timer to their screens should contact committee staff for assistance. The House rules require that we see you, so please have your cameras turned on if you are remotely on Webex during this hearing. Members appearing remotely who are not recognized should remain muted to minimize background noise and feedback. I will recognize members verbally. Members will be recognized otherwise in seniority order for questions. Lastly, if you want to be recognized, you can use the chat function, you can send the name of to the majority staff, or you unmute yourself to get recognition. We don't want people talking over each other. I will begin with our opening statements. I know you are in self-quarantine.
I know you prefer to be here physically, but I am really glad we have the hybrid remote options so you can participate fully in this hearing, and hopefully everything is going to be OK. I will call upon you as soon as I finish my opening statement for any remarks you may have. Today, march 10th, hearing examining agencies' implementation of the Federal Technology Acquisition Reform Act. Progress andcies procurement. I am happy to announce this oversight has produced the first report card in which all agencies received a passing grade. This achievement is a testament to the hard work of federal agencies, the Chief Information Officers Council, and a testament to this committee and subcommittee's steady and bipartisan oversight of the act since we enacted it in 2014. This isn't just about passing grades. These grades represent , betters Dollars Mission delivery, and serving the nation more effectively and efficiently. During this pandemic, we have come to realize how vital good IT and strong IT governance are to federal governments and the people we serve. We have seen limitations because of lack of IT investment. We have also seen limitations in the unemployment system. Core howve their important recent I will underscore how important these investments really are. This would be the second in a series of hearings our subcommittee holds to gauge agency progress in realizing the transformative nature of the reforms. Five years later, the benefits of continued oversight are clear. One would be hard-pressed to find sustained bipartisan congressional oversight initiatives on its 10th installation. Agencies have made real improvements on the scorecard. I think we are putting it up over there on that screen. Of time. Riod average grade was a D across all agencies. This year, no agency received a D or F. These improvements represent vital services, dollars saved. This process enables agencies to reduce spending and demonstrate how IT
investments align with the mission and business function. From helping went the agencies save 3 billion in fiscal 2015 to 20 billion this fiscal year. When the software was first added to the scorecard in June of 2017, 21 out of 24 agencies received an F grade for that metric. Now, 23 out of 24 agencies have an inventory of software licenses and use that inventory to make cost-effective decisions and avoid duplications. Federal agencies are also in more data centers, resulting in significant savings. Reported 4.7 billion in cost savings for fiscal years 2012 through 2019. Those agencies have also reported plans to save more than 264 million in this fiscal year alone. At the very first hearing, our witness stated IT is no longer the business of just the CIO. It is everybody's business. Clearer thanen during the coronavirus pandemic. We have seen firsthand how the agencies continue to use outdated IT during the pandemic. Preventing the delivery of government services when the public needed it the most. Back in 2015, I cautioned the scorecard was not to be considered the scarlet letter, but a point-in-time snapshot to be able to measure progress and incentivizing. Later,ars of scorecards all agencies have received passing grades. The first time ever. The scorecard included data center consolidation, IT portfolio review savings, incremental project development delivery, and risk assessment transparency. Since then, the scorecard's success has led the subcommittee to incorporate other aspects of federal IT into the grades. Is not rigid, but like the best of IT, it of all. We augmented and changed the scorecard. Today, the scorecard incorporates grades adapted from three additional pieces of the legislation. Including the MEGABYTE Act, the Modernizing Technology Act, and the Federal Information Security Management Act.
The bottom line is that the scorecard continues to hold agencies accountable, and show the American people they deserve the best IT has to offer. Yet all agencies still have work to do. Today, two thirds of agencies head of report to the agency. It is true more CIOs are getting a seat at the table with other C-suite positions. But we will hear from none of the 24 agencies with established policies that fully address the role of the CIO as called for by federal law and guidance. We must continue to work to excuset all CIOs me have the authorities and policies in place to be able to properly do their jobs. This hearing will discuss which metrics have achieved their goals and which need to be considered for retirement. We are also starting careful discussion about what metrics might be incorporated in future scorecards to improve the government. In other words, continue the scorecard. Today, I hope to hear from witnesses about what it takes to continuously improve and use efficient acquisition and management practices to do that. What powers and authorities might CIOs need to improve government IT? In return, what transparency and oversight will be provided to arere those policies effective and efficient. We must continue to see the dividends for putting resources toward modernizing legacy systems, migrating to the cloud, and maintaining a strong cyber posture. With the coronavirus resurging, the stakes are higher than ever. When executed well, modernization can ensure the delivery of critical services, improve the government's knowledge, and save lives. When executed poorly, it can unfortunately lead to outright failures and serving the American people when they need the government the most. Simply put, the fate of the world's largest economy, it is no exaggeration to say, rises and falls with the ability of government IT systems to deliver in an emergency. I. T. Is tooe use of great to ignore.
The subcommittee will continue its oversight of agencies' IT acquisition and management as we move forward. I call upon the Ranking Member. Thank you, chairman. Thank you for holding this hearing. As you all know, this has been a bright spot of bipartisan work for this committee. I look forward to continuing to see the development of the scorecard's usefulness as it relates to federal IT reform. Also, I would like to take a moment to give a shout-out and thanks to the outgoing federal Chief Information Officer. Dedicated. Extremely its deeply appreciated. As you well know, enhanced CIO authority is one of the pillars, literally, of the whole system. Has done an outstanding job with her leadership and enthusiasm to really help drive some of the IT modernization efforts that have been outlined in the agenda. I hope we continue to build upon the initiatives that she has championed. As you shared, we are here today 10th scorecard. Agencies have really made tremendous progress over the past five years. I want to congratulate them on their dedication to improve the IT procurement and management processes. A job well done. Some of the things we have seen accomplished over the last savings ofrs include literally billions of dollars, we have increased transparency for risky IT investments, and of course, the elevation of the CIO position and authority within the agencies. For all these successes, we are very grateful for what has been done, but obviously, there is work yet that needs to be accomplished. I would suggest some of those things, we need to continue to update the metrics so that they better and more effectively match the IT management and implementation practices that are actually being used today. I also think it is imperative that we, as a committee, put in place the right kind of incentives to bring about IT modernization as it relates to the pandemics scale.
This has really highlighted and exposed to us the heavy reliance we have on some legacy systems and some longstanding technology problems, and we need to find ways to get agencies to move the needle on some of these crucial issues. Need somestly, we forward-looking metrics to help modernize government as a whole. Some of those things would , moving forward, as it relates to citizens' experience, I think you have actually referred to that, Mr. Chairman. It is important we move in that direction. Enhancing the skills of the federal IT workforce. I think we need to continue looking toward that. Also just overall, moving towards a more agile and secure cloud computing environment. All the things are extremely important that we continue to move towards. I look forward to hearing from our witnesses today. I want to say thank you to each of our witnesses for being here today. We appreciate your time and expertise that you will bring to the table. With that, I will yield back. Thank you. I also want to thank you personally. The subcommittee has always had a strong bipartisan process, especially on the subject. I worked closely in writing this act and expanding on it. On the scorecard, as well as with Mr. Meadows, now the chief of staff to the President of the U.S. You pledged to do the same. I very much appreciate that and look forward to continuing to work with you. Helping inare ok in Georgia. Thank you for your remarks. Harris, if you would and unmute yourself in order to be sworn in. Or affirm that the testimony you are about to give is the truth and nothing but the truth, so help you God? Let the record show all of our witnesses answered in the affirmative. Your written statements will be part of the record. Carol Harris, director of IT management issues and government at the Government Accountability Office, to give us some of her testimony. Ms. Harris. Thank you. I would like to thank you and your excellent staff for your continued oversight of federal IT
management and cybersecurity with this tenth set of grades. Your scorecard has served as a good barometer to measure progress of this implementation. During this time, the agencies have made significant progress. In this latest scorecard, there 14 Cs, 9 Bs, and this is the first scorecard in which all 24 agencies received a passing grade. This is huge, considering only seven agencies had passing grades and the past in the last scorecard. The greatest chance for mission has been the Department of Education, moving from an F to a B. First agency progress made. I will start with incremental development. The number of major IT projects has increased from 58 76 . 58 to the level of transparency has improved with 61 of major projects in reported as red or yellow as compared to 24 with the first scorecard. We have also seen dramatic improvements in the agencies' management of software licenses, going from two As to 23. Has increased from 11 to 16 . Today, the agencies have closed more than 6300 data centers and saved shy of 20 billion through stat initiative. The progress made in all of the areas would not have happened to this extent without your scorecard and oversight. Aree these are compliments noteworthy, significant actions remain to be completed to build on this progress. This brings me to my next point on where we are at. A third of the agencies' CIOs are not reporting to the agency head. CIOs have told us this is critical to carry out the responsibilities. It gives CIOs a seat at the management table and will likely help to attract more qualified individuals to these positions over time. About half of the agencies have not established working capital transitioning from systems. Roughly 80 of the over 90 billion spent annually on federal IT is on operations and maintenance, including aging legacy systems. Establishing these funds are so critical, so that the and optimization can be reinvested in priorities.
If each of these agencies did these things, the great would be and 5 cs. s, this is achievable by the next scorecard. We remain concerned about these current guidances, which revises classification of data centers and data center optimization metrics. The definition excludes more than 2000 facilities that agencies previously reported on. Many of these excluded facilities represent what OMB has identified as possible security risks. The changes will likely slow down or even halt important progress agencies should be making to consolidate, optimize, and secure data centers. Finally, regarding where we need to go, scorecard-wise, the preview of the federal transition will draw urgent attention to one area that has historically been neglected by the agencies. For example, at the fire at the prior , agencies could have saved millions of dollars. Agencies are behind schedule and could again be missing out on hundreds of millions in savings. The scorecard will be an effective means for holding agencies accountable and ensuring a timely transition. This concludes my comments. I look forward to your questions. I look forward to those questions, as well. M. Ire you are recognized for five minutes. Thank you for the opportunity to discuss the status of the information technology at the Office of Personnel Management and to provide thoughts on the future of the act. I joined OPM in February of 2019 as the seventh CIO in seven years. I entered an agency with several key challenges. Staffing vacancies, antiquated and fragile technology, and a charge to fully transition the id system d to theystem, now department of defensetsa, now dtsa, to the Department of Defense. This is a complex operating environment. Meeting and balancing numerous executive, legislative, and oversight requirements while working in an uncertain and inflexible budgetary cycle is quite challenging. I would like to focus on what is possible, however, because that is what OPM employees and the American people deserve.
One of the first authorities I learned about was for was the act to make strategic investments that make the best use of taxpayer dollars. I have received a steady stream, I'm sorry, I have received a steady stream of support from OPM leadership to meet the provisions of FITARA idestablishing an agencywide strategy. We anticipate working with program offices and enabling organizations as we move forward in this direction. Extremely proud of raising the FITARA c . E to a a we have been able to make significant progress and show people within OPM what is possible, like rolling out new laptops across the organization and moving to cloud email. This has allowed us to continue meeting our mission while employees and contractors in a maximum telework environment during the pandemic. Just a few weeks ago, the dedicated CIO team successfully migrated our mainframe platform from the Teddy Roosevelt building here in D.C. to a commercial data center. OPM and DCSA systems are fully in a new modern environment with continuity of operations in place. Once we transition the daily IT operations of this important national security mission to our colleagues at the Department of Defense this fall, OPM will be able to focus on OPM's mission and begin our digital modernization journey. Funding flexibility. Model with seven funding streams for CIO creates incredible complexity and inflexibility to address IT challenges. Working capital fund with authority dedicated to the IT enterprise investment and CIO oversight authority over this funding, we will create enterprise efficiencies and measurable cost avoidance. Becausedern technology, federal employees deserve the tools I've had the benefit of using in the private sector. Attracting, retaining, training, and reskilling our workforce with the customer-first mindset utilizing agile development, modern tools, and modern technology is essential.
Our modernization strategy begins with upgrading our existing paper-based processes and workflows with modern equivalents, allowing us to retire and the flight systems. All of this is possible, giving OPM's customers a 21st century experience they deserve. I look forward to working on this digital modernization journey together. Thank you for the invitation. I look forward to your questions. Thank you. Thank you for this opportunity to appear before you today to talk about the progress the department has made in implementing FITARA. I appreciate the support I received from Secretary DeVos. It has been critical to the department's implementation of FITARA. I want to thank everyone in my office for their continued hard work and dedication. I would like to briefly share an update on our IT modernization efforts and describe the impacts FITARA has had. In my June 2019 testimony before this committee, I shared the department had just completed a modernization for IT infrastructure. This effort transformed the way my office delivers IT services to the department. Within five months, we migrated over 450 terabytes of data into a secure cloud environment and replaced approximately 5000 laptops with newer, high-performing models. Our users went from experiencing 20 minutes of laptop boot-up time to less than one minute. Which translates into a return on investment of more than 1500 hours of previously lost productivity per day. The cloud environment enabled us to reduce the department's cost from one dollar 43 per gigabyte to .12 per gigabyte. While the department will realize cost savings, the true value of the modernization initiative was in our ability to quickly adapt and respond to the department's needs throughout the pandemic. Due in large part to the modernization, we have been able with minimal impact.
Rave will to quickly evaluate and implement within days, not months, a solution to virtually onboard more than 300 new employees and contractors to date. We were also able to complete a massive technology refresh of 28 major systems, more than 700 servers, and over 500 terabytes of data over a single weekend with no impacts to IT services. In a traditional environment, this would have taken us weeks to accomplish. Without FITARA, we would not have been able to complete the initiative last year, not within the timeframe I described. It was through the reporting relationship I had with Secretary DeVos and the relationships we build across areas that I was able to drive the department's IT priorities to achieve modernization goals. The initiative was a cornerstone of our five-year IT modernization plan and strategic roadmap. I would like to thank you for providing us with the opportunity following my testimony last year to brief representatives of this committee on it. Shadow IT and duplicate of systems and obsolete processes. FITARA and the process has provided me with the mechanisms to continually assess and our IT ize portfolio and plan accordingly. From the requirements of Foundations for the Policymaking Act of 2018, to prioritizing investments, to evaluating the use of shared services, to the rapid response required to address emergency cybersecurity directives from DHS. I am able to achieve a level of visibility necessary to understand the impact to the IT resources. The department continues to seek Congress's assistance to obtain appropriations line which that would allow us to transfer funds and included the 2021. T for both 2020 and I respectfully request your assistance with obtaining this transfer authority to further enhance the department's ability to achieve the goals of FITARA. The department has established a framework and demonstrated our ability to leverage it in support of the department's mission, but we recognize FITARA and IT
modernization is a journey to continually improve. I look forward to your questions. Thank you. Thank you. It is good to have you again. Giving us your progress. We certainly will try to work with you on that transfer authority. Work with us on that. Next person is maria w. Federal Chief Information Officer at the Office of Management. Thank you. Thank you for the opportunity to discuss FITARA. And how we can continue to drive and sustainable governmentwide modernization. I joined eight weeks ago, bringing a career of military technology experience and an overall perspective to my role. Have experiences as a CIO a spotlight on digital transformation and the need to adapt quickly. Every agency worked at never-before levels of telework and capabilities already in place. There was a sense of agency. CIOs were entrepreneurial, creative, and agile. Since the FITARA first scorecard, investments and cloud, infrastructure enabled a seamless transition to telework. CIOs were positioned to rapidly deploy and leverage scalable platforms for service delivery for COVID response activities. They leveraged microservices to quickly stand up new public-facing portals and switched to video teleconferencing for telehealth and engaged with customers. CIOs deployed virtual desktops to replace the purchase of urgely hardware for s employees. They identified areas of future investments and improvements where we need to address gaps and move faster. We must keep the momentum. Agencies were able to move fast, innovate, and implement changes for more digital operability. There's a shared interest across all levels of government. Congress, the executive branch, and the administration. To continue technology improvements. The Technology Modernization Fund and IT working capital funds and their multiyear funding approaches are two programs instrumental in improving, retiring and replacing legacy systems.
We must do more and in short digital first as we add value and service delivery. Throughout my career, I've had the honor to lead and work side-by-side with amazing innovators and technologists, public servants working for the federal government. Today, over 2 million civilian personnel use technology to carry out their job. Importantly, we should also remember that the people charged with using those solutions must also be skilled in the use of technology. As the pace of capability and threat continue to accelerate, we must invest in our workforce to keep skills relevant. CIO Council continues to invest in the workforce to launch a similar training program. This summer, we are holding annual women 3rd in IT event. Sharing stories and providing on-the-spot mentorship and career advice to emerging leaders. Cohorts. Ted two in September, we will graduate 20 people. As we focus today on the 10th edition of the scorecard, we must adapt to the ever-changing technology landscape and adapt the scorecard. I look forward to collaborating with you to further refine the scorecard to drive innovation. Thank you for the opportunity to speak with you today. I look forward to your questions. Thank you. I appreciate that. With respect to retiring legacy systems, I found needing a robust request in the budget if we are going to make progress. The chair now calls on the distinguished congresswoman from the District of Columbia for her five minutes of questions. Welcome, Ms. Norton. Ms. Norton, are you there? Ms. Norton? Mr. Lynch, are you there? I'm here. OK, great. Sorry about that. Eleanor, just speak up a little bit. I'm sorry. I punched the wrong button. Thank you very much. Thank you for this annual hearing. It is very important. What FITARA says, I am quoting it now, CIOs have a significant role in the decision process of the management, government, and all the processes related to information technology.
They have a major role to play in an agency overall. Our is now baked into design and implementation. This question is for Ms. Harris. CIOs that do not report to agency heads. If they don't, they are likely to play that key role, who doesn't, and why don't they report? The testimony of one of you mentioned one third do not report to the agency head. I would like to know why. People ared reporting, but I don't understand what the what determines what this committee has long said would be helpful. About one third of the CIOs do not have direct reporting mechanisms to the agency head. And that is a problem, because agency CIOs have reported to us that reporting structure is very critical to allowing them to carry out their responsibility. Resistance, so we can work with agencies? In large part, it has to do with agency culture. And being able to change that culture so that the CIO does have that seat at the table is vitally critical. It is going to take work with the senior leaders within those agencies to empower those CIOs, change those organizations so CIOs have direct reporting capabilities, and work with you all, as well, to ensure that happens. I would like to work with the chairman on making sure that there is no resistance. In the 21st century, you would have thought that having the CIO at the table would just be a given. I don't understand the resistance to it. We, as a committee, could be in requiring through legislation or through regulation that the CIO be at the table. Are these IT staff valuable outside of the public sector? Is there competition for these staff? I would like to discuss that. I would like you to tell the committee what we could do to help attract and keep federal IT workers. Thank you for your question. For the workforce, it is hard to attract workforce to the federal government. In turn, folks we do train in the federal workforce do go to the private workforce and make more money.
It is the ability to focus on a mission, whether you're working for the Department of Energy or Transportation, or DHS, or NASA. People are excited about the mission. That is what draws people to the federal government. As a CIO, I have had experience with that, people want to come on board. I've had incredible talent. Have had the same experience. But it is hard to get people in. Once you get them in, the folks that want to come in, they want to stay, they love what they do. When people leave the federal government, they may go back to private industry and get more experience. Maybe they make more money and turn around and come back to the federal government. But again, we continue to explore possibilities in hiring, compensation, looking at ways to build skills. Lot soid, we have done a far through the CIO Council on data science, cybersecurity, and we will continue to build on those skill sets so that we can maintain that workforce. It is not only just attracting new workers, but maintaining our current workforce. Moment. Ld just like a there is an issue here in keeping people in the federal IT workforce. For people that are working in the IT world coming in to the federal government, they can get compensated much more on the private sector. Thank you. Thank you very much. Thank you, congresswoman. Let me just say, in response to your query, could not agree with you more. When we wrote FITARA, there were 250 people spread out over 24 agencies with the title CIO. Asked the private sector, how many CIOs do you have? Almost 100 , the answer is one. We have allowed it to evolve. To strengthen that, we will. We are making progress, and listening to testimony today, you've got relationships with the head of the agency, and that makes all the difference. The empowerment from the boss. Something we are very mindful of.
I thank the congresswoman for bringing further attention to it. The chair now recognizes the distinguished Ranking Member for his five minutes. One of the current metrics measures how much of an agency's portfolio is high-risk. I have found there is no definition of what high risk is. When I think of high risk, I think of things like vulnerability to cyber attacks. But what I found out is that high risk means something else to others. It may mean whether or not a system is able to be delivered isall time, budgeted, and it at high risk. Is there any uniform and comparable kind of way for agencies to define what we all mean by high risk? So we are all on the same page. Thank you for the question. As you look at the programs and portfolios across the federal government, those programs that are high risk, we look at programs that are high-priority. The programs. There are different definitions, including high-value assets. When you are looking at those systems that are at high risk, are those the systems that are the oldest in the federal government that perhaps need to be modernized? Are they high-priority programs that are high visibility and have to be and are critical to the federal government? There are separate definitions, whether it is high-priority programs, high-value assets that are critical to the federal government, or those programs and systems that are high risk at the federal government. There are different characterizations that are used in different reports. Yeah, and to me, that is part of the problem. Is there a way to get a uniform understanding of what is high risk? Or even just a prioritize the high-risk categories, so we know if the high risk is any of the things you mentioned, or the cyber vulnerabilities, or whatever. Can we and should we kind of focus this definition a little more tightly?
Yes, sir, we should take a look at that to make sure we are aligned on the definitions and we are all speaking on the same page, as we are looking at the definitions and programs across the federal government. I mentioned three with three definitions. I agree with you. We should take a look at that and make sure we are in alignment. I agree. Let's try to move forward on that. Another thing that's come up, when it comes to legacy IT, the current scorecard does capture whether it modernizes old systems. What kind of metrics can we add to the scorecard to incentivize agencies to make this kind of IT overhaul? We've got to make the transition. I agree with you. It is imperative we continue to modernize. The IT working capital fund is one of those programs that allows agencies to have that long-term sustained investment in technology. That is critical to modernizing. The IT working capital fund, you can have multiyear dollars, that is the intent, to modernize legacy systems and really drive that modernization over multiple years. Where you have legacy systems and programs, being able to invest that over multiple years is the way you get out of that technical debt and you continue to move the ball forward on that. With the Technology Modernization Fund and the IT working capital fund, those are two critical programs for agencies to sustain long-term modernization. Deals withquestion the customer service aspect. More and more, we are having people were involved in coming to the government digitally. How can we put this type of metric in future scorecards, to make sure we are providing the customers what they need? Thank you for that. With the IDEA Act, there's an opportunity to really look at the customer experience. Idt was the 21st century act, the customer experience and how they interact with the federal government.
There's a number of requirements there, from e-signatures, to enabling and is your customer experience with the federal government. I look forward to working with you on the committee on understanding what are good metrics on that. A good example of a metric that could evolve over time as agencies improve their website and customer experience with the American public. Thank you very much. I yield back. I thank the gentleman. That is a good point. I call Mr. Lynch for his five minutes of questioning. Ms. Harris, did you want to address the question on what falls under the number of high-risk scorecards? Sure. High risk is defined by each of the eight individual agencies. It could be a cost threshold. It could be a high-value asset. There's a number of ways agencies consider what is high-risk. I think having OMB would play an excellent role in having a uniform decision, or perhaps a watchlist of the 10-20 top, critical IT investments across the government would be an excellent way to focus and hone down what those high-risk investments are. We have work in this committee looking at the top IT acquisitions across the government, where we have put together the list for you. That report is coming out in September. We would be happy to work with OMB to use that list as a jumping up point to have another working list for OMB and the executive branch agencies to work from. I would just say a word of caution. When we began this category, there were agencies that claimed they had no high-risk projects. Thate needed to get out of protective-defensive mode am a for thesesaying, reasons, we are going to monitor them so they do not go awry. If they do, we take quick action. That was one of the problems FITARA was trying to address. Nobody felt the power to pull if the milestones were not being met in the projects. There were not always milestones. We were trying to make sure we did not make a bad thing worse.
In the private sector, if the ceog goes awry, pulls the plug. A little hard to do in the public sector. So high risk really matters, getting it right really matters. We don't want unwittingly to change the definition so that we go back to the old days of, everything's fine. The point is to capture something going awry before it goes off the cliff. Thank you for raising it. Mr. Lynch. I'm sorry to impose on your time. Welcome. Thank you very much, Mr. Chairman. I want to follow up on that sentiment. I know that it's been a history of, we don't have any problems over here, we are good, until there is a blowup like we had at OPM, 122 million records went out on people applying for security clearance, and others in government, as well. We saw the disasters. I approach this with a little bit of skepticism. Healthy skepticism. I am happy to hear the good reports, don't get me wrong, but I have been here too long to believe all of that. Ask, let's go to Mr. Gray. I read recently a pretty good story in the Washington Post that talked about thousands and thousands of borrowers of student loans whose personal information, their Social Security numbers, their detailed financial information was left exposed by the Department of Education by six months. It had these are people looking for some relief. Either they had been taken advantage of or exploited by for-profit universities, those type of cases. Had to open the kimono, these applicants looking for relief, yet we left all of their information available to whoever would tap into it. So that is one issue I've got, would like to hear from Mr. Gray on that. Then, on OPM, I noticed that, we all know what the history is, it's horrific. And OPM had not even encrypted Social Security numbers. Unmitigated disaster, and we continue to suffer from that today because of all the people we exposed who had asked for security clearance.
These are the people who do some of the most sensitive work in our government and they are all exposed because of the lack of cyber security at OPM. So I would like to hear from Mr. Gray and someone who could speak on behalf of OPM as to why they only have a C. Chair Connolly: We will ask Mr. Gray to go first. I will share that that article is incorrect. The department did not leave that open for many months. What actually happened was a situation where a file share was inadvertently left open to internal department only employees. This was briefed on Friday. There was no external access, it was not open. It was one element. We did report as required through OMB memo 20-04. It's a low risk incident and as I briefed this committee on Friday, it's a situation like being in a bank. A bank has a vault. Every employee that can go into that vault is a trusted employee. Every person that works at the department is vetted, they have fingerprints, they have user agreements, they have annual cybersecurity, records management training. This is a situation where an employee recognized a safety deposit box in that vault, that external people could not get to, was unlocked. For a second. Did every single person have a need to know in each of those cases or was it looser than that? Vetted employee is not every employee needed to access that. You need to tighten that up, right? Absolutely. And we did. We can and we have. Have a minute left. Let me go to OPM, please. Thank you for the question. We work diligently at OPM to upgrade our infrastructure, upgrade our overall cyber posture. We are struggling with our staffing. We are struggling to make sure we have appropriate staff levels to support all of the systems we are maintaining. One of the biggest challenges we do have is we are still supporting our Department of Defense colleagues as we are decoupling our system.
We are still on a daily basis operating the csa, the national background investigation system, all of their daily operations as well as all of the laptops and their desktop support services, etc. As we are able to hand that mission fully over to the Department of Defense and focus singularly on OPM, that will give us the opportunity to be able to focus on OPM's core mission and upgrade all the services we deliver to our own mission. That is a fair answer. Thank you, Mr. Chairman, for your indulgence. I appreciate the courtesy. Mr. Lynch, if I could follow up on that question, I understand the sequencing with the Department of Defense, but when we go back to the original breach and you were not there, part of it was we had software for cyber protection, Einstein, and it was Einstein to which had not been installed. That has nothing to do with the Defense Department. That is a management issue about getting around to it, prioritizing. I wonder if you want to take a moment to reassure Mr. Lynch and the rest of the subcommittee that that attitude has changed. In fact, we are prioritizing cyber and protecting our databases at OPM. I can assure you the rigor and discipline within the current OPM team is extraordinary. We would not have been able to execute something as complex as our mainframe migration without having a disciplined management team and an extraordinary CIO doing a diligent job on a daily basis. Can we do better? We can always do better. IT is one of those areas where you can always improve. Extraordinary, and we work utilizing every single tool and asset available to us. Everything possible to safeguard every single asset within our environment. The best tools of the federal government, including DHS, to support us. The perimeter of OPM. I think you can rest assured at this time that all safeguards and standards are being operated at the highest level. Chair Connolly: Thank you, and thank you, Mr. Lynch. Recognizing Mr.
Palmer for five minutes. Mr. Palmer? Can you hear me now? We can. Chair Connolly: Is your video on? There you are. You got me? First of all, I want to compliment Mr. Lynch on his library. That is impressive. I hear he rents it. [laughter] There was a 2018 report submitted before the Economic Security Review Commission. The federal government's top IT providers sourced its materials from China since 2012. I want to ask if you think this poses a significant economic and national security risk? Yes, sir, this is significant risk. We have work ongoing related to the IT cyber supply chain and the vast majority of agencies have not instituted proper supply chain internal controls. This is a major issue. We're going to be making more than a hundred recommendations associated with this, but it does pose a significant threat to our nation. I bring this up, Mr. Lynch made the question about the breach at OPM and I think there are still issues with that. With a personal identification information that is still out there. What would be the budgetary impacts of shifting federal technology acquisitions away from China? I'm not in a position to answer that question. We have not done work specific to that, so I'm not in a position to answer that. Would you have an idea at OMB about that? No, sir, I do not. That is something we need to get an estimate on. There's a tremendous amount of talk about shifting the supply out of China, particularly when it comes to drugs and materials that are critical to our economy and national defense. In fact, I think Ms. Harris, you were the one who said we spend 80% of our budget on maintaining antiquated systems. Is that correct? That is correct. 51% of that is sourced from China, I think. I'm going to make this request and Ms. Harris, that your agencies come up with that estimate. If I need to, I will put that in writing, but I think we need to know what it would cost us to shift our IT supply away from China.
I would appreciate if we could get a response from you and let us know when you start working on it. The commission also recommended Congress establish a comprehensive national security supply chain management strategy and further recommended direct statistical agencies such as the Census Bureau to review methodologies for collecting and publishing deeply detailed supply chain to better document the country of origin, including imports related to the federal IT system. Are you aware of any actions the federal government is taking to implement these recommendations? Ms. Harris, we will start with you? I don't. That work is out of the scope of what I have been doing for this committee. I will have to take that for the record to see if there is a better expert within GAO to answer that for you. Mr. Gray? That would be outside your area of expertise. You know where we are on that? We are working very closely with agencies to take a look at their supply chain, currently breaking them out of the requirements of section 889. We are working to understand the footprint and what work there is on that and we will continue. Is there specific work being done on the IT systems? We are working with the agencies to understand what the impact is and understanding if there is equipment that needs to be replaced. The impacts on those systems, so we have kicked that off and it is underway right now. I thank the chairman and yield back. Chair Connolly: Let me say to the gentleman I think he raises a good point about the need for coordination so we are not retiring legacy systems with 150 different systems that cannot coordinate or be encrypted or have different requirements. As much as we can to make sure that we are making prudent decisions for the future both in the cyber realm and interoperability and coordination. Mr. Chairman, if I may respond to that? Chair Connolly: Of course. You are absolutely right about interoperability among federal agencies but it should extend to the states.
Experience on the oversight committee, we saw multiple examples of the inability because of the antiquated systems to have that interoperability between state agencies and federal agencies. I just wanted to add that and yield back. Chair Connolly: You are quite correct and we are seeing that in unemployment IT systems across the country. There are at least a dozen. The only good news about that is I understand the Chinese don't know how to hack in COBOL. We are seeing millions of Americans not getting their payments in a timely fashion, which creates a snowball effect in their ability to cope during the pandemic. The chair recognizes the gentleman from Maryland for five minutes. Mr. Raskin? Yes, Mr. Chairman. Chair Connolly: Welcome. I thought I was unmuted already. Thank you for calling this very important hearing. In June of last year, the day before the hearing, OMB issued guidance which revised and narrowed the definition of a data center. Limitedised guidance oforting, including types facilities OMB had previously risks. S cybersecurity removing the requirement to report on these facilities diminishes our abilities to exercise Ms. Harris noted that the consolidation of data center has saved us billions in taxpayer dollars. Why would we discontinue efforts that save money and improve cybersecurity? Does GAO remain concerned with OMB's decision to change the definition of a data center and no longer require agencies to no longer include smaller data centers and their inventories? Yes, sir, we remain very concerned about the new definition of data centers. Our concern in particular is when agencies stop reporting on these data centers, they will fall under the radar and will stop looking at them in general and that's where the cyber security vulnerability risk increases because they are not paying attention to these centers.
The changes to the new guidance no longer allow the subcommittee and GAO to evaluate data centerard optimization and consolidation. Why OMB woulds note the definition of the data center when it could bring increased costs to the taxpayer? OMB updated the definitions of data centers to better align with industry standards. When you look at the overall definition of a data center, those areas where there was maybe just a router and switch in a closet somewhere, those are not classified as true data centers because they have come gear in it. Those types of things were changed as part of the definition. Optimization of the federal government in closing data centers, they are taking big steps to rationalize their portfolio, upgrade their infrastructure, and address cybersecurity concerns across the entire environment. To shut down data centers, there are many steps behind to do that. Even as we change the definition of data centers, modernizing, closing, and shutting down data centers per the industry standards takes a lot of work and those application rationalizations and infrastructure upgrades will continue as we close data centers. Commit to working with a subcommittee that tracks data centers that are consistent and the laws recommendations to improve cybersecurity and maximize the saving of tax dollars? Yes, sir, we look forward to working with the committee on those data center metrics. Ok. Agencies required to implement data center reported 4.7 billion in cost savings from FY 2012 through 19. Of these agencies, 23 reported in August of last year that they never had plans to meet the 2019 savings goal of 241.5 million. Do we know where agencies met their cost savings goals? If not, when will we have that knowledge? We work with OMB on the data center metrics to make sure we have accurate information, but we continue to track what the agencies are reporting to make sure progress continues on the savings.
Is there any more potential for cost saving through data center consolidation? We believe there is. That's why this should be a priority for the committee scorecard as well as the agencies. Why has the administration chosen to halt effort in this field? Unfortunately, I don't feel comfortable speculating as to why OMB would make that decision. On identifying and including things like servers in closets and considering that to be a data center is something we disagree with OMB on. That is something that should be counted because it may not be an opportunity for consolidation, but it still poses a threat from a cybersecurity standpoint. We believe having the more inclusive definition is the way to go. Describe the cloud adoption you are removing in those areas? The barriers to cloud, the number one barrier is agencies having it as a priority. In our work on cloud, agencies don't necessarily have the robust processes in place to take a look at all the investments they whether or not they would be eligible candidates for the cloud. So we made recommendations to the agencies in implementing those processes and we currently have work to look at whether those agencies are in the process of making the recommendations we made to them. I think I am out of time. Mr. Chairman, thank you for your indulgence. Chair Connolly: Your point about data center consolidation is very important and I agree with you. Ms. Roat, I wrote that section of the bill, so I care about it and I'm not going anywhere. We're going to insist on our robust definition of data centers, that we continue the goal of consolidation to effectuate savings that can then be used internally for reinvestment because they are one of the big sources of savings and secondly, in the mission of cyber protection. But we work with you, are not going to count squishing us in the definition of people get off the hook and are the data centers we are trying to consolidate. I hope you will take that message back.
Wisconsin is from recognized for five minutes. Do you see me? We can hear you, we cannot yet see you. You might have to put up with just hearing me. Chair Connolly: There we are. I got in a little bit late. Still around? Ana Chair Connolly: She is right here. Good, good. I understand you spent a lot of your career in the private sector and focused on improving the digital experience. Commitment to the federal workforce, can you describe digital modernization? Is an enormous opportunity for us at OPM to better serve our customers. Spectrum from continuing to improve opportunities for job seekers all the way through to retirees. There are numerous opportunities, but the most important place to start is on a firm platform. Starting with the foundational investments that are required in people and technology, to start that digital modernization journey. Ok. [audio garbling] Chair Connolly: Could you repeat your question, it sounds like you are in a railroad train. I'm sorry, I will speak up. Both of your agencies, this is and Mr. Gray. Rana both of your agencies get cybersecurity, which means you got improvement. There's room for improvement. What steps are you taking to comply with this critical tool assuring effective security across the government? I will start. We have taken a four-phased approach, focusing on our processes and making sure we are refining our processes to not only comply with FISMA, but we have been focused on strengthening our policies and have a lot of tools that we continue to use with defense in depth. Importantly, as was mentioned earlier, education. Focusing on making sure our staff understand that and the department as a whole understands the importance of cybersecurity. We have developed and implemented a cyber risk scorecard with near real-time metrics that show and align directly with the Cybersecurity Framework.
Which is visible to our system owners to stash so they can see how they are doing, to the comment that we are measuring the risk and when something is red, it's not necessarily a bad thing. It's an indication that something needs work and gets briefed to the deputy secretary and all assistant secretaries, so it is focused on process improvement, policy improvement, leveraging the tools we have and educating everyone at the department on the role of cybersecurity. Ok. Can mimic we are probably a little bit behind where the Department of Education is. In those footsteps, the people, the process, adding new technology and tools and significant training. We are consistently training our workforce to make sure the policies and processes we develop and the tools we are implementing are understandable and the entire workforce is comprehending that every single one of us are the best tools we have keeping all of our information systems safe and secure. Chair Connolly: I think the train left the station. Thank you. Recognize himself for his five minutes of questions. You are back? You have one more question? Yes. Nearly all agencies have gotten A's in the software metric. Do you think it is time to remove this metric and if so, how do we evolve the metric to capture some of the cost saving aspects like eliminating unused software? A great question. Given that all agencies except OPM have received an A, it may be time to retire that particular metric or evolve it. Certainly when it comes to the evolution of the metric, one of the key things we will have to work with this committee on as well as with OMB is the availability of governmentwide data that is publicly available because that is what is used to generate these scores or these grades. That would be a key factor in what we could use to potentially evolve the software licensing grade. Thank you very much. Great hearing and thank you for putting this together. Chair Connolly: Thank you.
Despite the progress in the scorecard, we really don't seem to have made progress in retiring legacy systems. And what will it take to seriously incentivize agencies to do that? Mr. Chairman, I think what we need to see greater progress on is the working capital fund establishment because that's an important mechanism agencies can use to transform their IT and modernize it. We would like to see a more aggressive push by the agencies that have not yet implemented those working capital funds to do those as quickly as possible so that they are able to put those savings that they generate from software licensing, data center consolidation into that fund so they can use those moneys and the flexibility associated with the working capital funds to be able to modernize their platforms. Chair Connolly: Mr. Gray, you will forgive me, but I think you soft-pedaled the breach. Not have been huge, but this committee had a hearing on your agency, including your agency several years ago, and what came out was surprisingly, although maybe not surprisingly, the Department of Education actually has a huge database, 40 million Americans. You apply for a student loan, you've got my financial data. My checking account, my savings account, all kinds of other financial data that is sensitive. That's a pretty big database and a juicy target for some people up to no good. The fact that we have this breach raises the question about how secure is the bigger database? Given the fact you get a C minus in cyber, one of your lower grades, it underscores vulnerability. I want to give you an opportunity to talk about that. Appreciate the question. The incident that happened in 2017 is obviously very different than what happened here and what was briefed on Friday was that we literally had a file share, one out of over 7 million voters. One where a user inadvertently allowed other people within the department permissions.
If you have a situation where people have the ability to go through and say I'm going to allow people to have access to this, that sort of thing will happen. In this situation, the employee who identified that did not report it to the department. They reported externally to the department. To compare it to the TSA, this would be like a TSA individual at an airport seeing a suspicious package and instead of reporting it, seeing something, saying something, they took it externally which then went to the media. To your question, I agree that this was identified when we reported, when it was notified to me, we took care of it right away. We've gone through and scrubbed, rescrubbed and hired a company to make sure we relates to this incident, this is a low risk incident where an internal about the bank and safety deposit box, it was for trusted employees. In this case, we had a trusted employee who saw something and instead of doing what they were supposed to do, they took it. To get to your question about cybersecurity, I take cybersecurity seriously. I've been at the department for years. This is the fifth agency I have been at and cybersecurity is one of the core focus areas I have had. Through what processes can we improve? Are there additional tools? We have network access controls, data loss prevention, so we are taking a lot of necessary steps to ensure we are protecting and defending the information we are entrusted to. You have legacy systems at the Department of Education. Yes, one. Chair Connolly: How old is that system? I would have to get you an exact number, but it has probably been around longer than I have. Chair Connolly: Wow. I have two conclusions from that. One is you are younger than I thought or the other is gosh, that puts an exclamation on it. From your point of view, and you have had experience in other agencies, let's stipulate we need a working capital fund. Other than that, what is it going to take?
My experience is management needs to put a priority on something if it's going to happen. There has to be a multiyear commitment if that is what it is going to take. You've got to back it up with a budget commitment every year. From your point of view, what is it going to take to retire that legacy system? To continue on the path we are on, there is a next gen student aid system which is well underway. That entire acquisition, that group of projects requires eliminating that system. It is actually on the roadmap of where we are going. Enroll Mark Brown has been doing a great job working closely, both of our teams working closely together from an oversight standpoint to make sure what is fed into our governance process. We have the support. Funding is something we can always use, but we have the absolute support from the secretary, and to address that legacy system, because we do recognize it is old and needs to be improved. Chair Connolly: It is an enormous opportunity cost not owing to you but the rest of the federal government. If we are spending 80%, it's not a line item, but that is roughly our budget for IT every year and 80% is going just to maintain legacy systems. Of theer we've got some problems we've got. , you areorana relatively new to OPM. Where did you come from? May I ask? The United States Digital Service. I spent two years at the Department of Veterans Affairs prior to joining. Private sector experience before that? Yes. OPM got a C or C minus overall grade. That you are the HR agency for the entire federal government and, as Mr. Lynch mentioned, really sensitive data on federal employees, on people , a breachcurity there, what could go wrong with that? Sadly, we had the biggest single breach in the history of the federal government with your agency several years ago.
There was a sense, not about you personally, but that the agency was surprisingly less than driven by a mission to make sure it never happens again and we are the exemplar for the federal government as opposed to a laggard. Like your team and they are committed and you feel good about where you are headed, but a C minus is not a great overall grade given your mission and maybe put more positively, as we look to the future, what will it take to get to an A from your point of view? Plus, so a slight correction. Mainframe platform migration we just completed and the coming data center closures that that will trigger, we had a failing grade in software inventory, but through the COVID supplemental, we were able to procure software that will allow software inventory. We will be able to check that off of our list which should get us to approximately a B score within the next six months. So we are making pretty significant progress. Security is our primary focus. Every single day, we keep those systems safe, secure, and operational. One of the biggest challenges we have is funding and personnel. To the question earlier about risk, one of the biggest risks we are facing in addition to those systems, the legacy systems, is we have many, many people in our workforce that are retiring. Retiring and as lot of these systems documentation, systems being old and not being very properly documented, a lot of the knowledge of those old, complex legacy systems is retiring with the subject matter experts. I think we have multiple levels of challenges we have to face together. Soding multiyear funding that we can retire those legacy systems and put in more modern technology, that will reduce risk. Continuing to up and train our federal workforce and inspire younger and different people to come into the federal workforce is a critical part of what is going to be needed for us to continue to secure and maintain and operate the systems.
Chair Connolly: I certainly agree with you, and I would agree freezing wages, threatening to cut back in compensation, disparaging the work of the federal workforce, making it harder for people in the work place to have appeals and representation, talking about extending a probationary time, none of that is particularly appealing to young people on the college campus to come work for the federal government. It's almost designed to accelerate the phenomenon some of us can delay because they are so driven with the mission and passionate about what they are doing, or they feel so discouraged and unappreciated and none of this is helped by a 35 day shutdown, the longest in American history. So you come from the private sector, I come from the private sector. I don't know a CEO that would get far with his or her board disparaging the workforce, slashing compensation, and talking about discrediting their value and their work. No CEO I know would keep the job. You praise your workforce, you motivate your workforce, you incentivize your workforce. [indiscernible] Chair Connolly: I want to thank you for the observations, thank you for the work we have done. We will stay in touch. Congratulations on progress and we certainly need OMB to keep the pressure on and be supportive. We've got to come up with solutions to help agencies in addition to money, retire these legacy systems. They want to, they are motivated, but it is a big, big incision and a multiyear commitment in most cases. And quite disruptive in making that transition. So we have to have some creative solutions. As we see the people and abilities in our systems, they have to be addressed. Thank you to the first panel so much for being here today. Please stay safe and healthy. We're going to take a five minute break and convene the second and final panel of this hearing. Thank you.
Chair Connolly: The subcommittee will reconvene. Are you with us? They are telling me to give them a second. Can you unmute and acknowledge that you are with us? I am here, Mr. Chairman. Chair Connolly: If you would stay unmuted so I can swear you in. Miss counsel, are you with us? Yes, chairman. Chair Connolly: And Mr. Spires? Yes, chairman. Chair Connolly: Thank you. If all three of you would raise your right hand. You swear to tell the truth, the whole truth, and nothing but the truth or affirm the same, so help you God? Let the record show all three of our witnesses in the second panel have affirmed in the positive. Thank you. I will call on you for your five minute opening statement. And welcome back to our subcommittee. It is good to be back, Mr. Chairman. Chair Connolly: I'm sorry, I see you. Go ahead. I do not have an opening statement. I was told to do something in the previous panel, with unanimous consent to enter a document into the record on supply chain vulnerability. Chair Connolly: Yes. If you didn't hear me, I said I would be glad to work with you on that issue of supply chain. It's a good point that you made. Little raise my hand button thing. I'm getting used to all of this webinar stuff. I have a followup question that I will ask one of the panelists here. With no opening statement, I would yield back so we can move forward with questions for the panel. Chair Connolly: Thank you, Mr. Palmer. I did not call on you for an opening statement because there was an opening statement for the whole hearing and this is the second panel. Obviously if you had something you wanted to add, you are more than welcome. I thought you are asking if I had an opening statement. I do not, but I will have questions. Chair Connolly: Of course, and we welcome them. You are recognized for your five minutes. Connolly and members of the sub, thank you for the opportunity to testify.
I have worked for a minor not-for-profit corporation that operates in the public interest. We work across government in partnership with industry to tackle challenges for the safety, stability and wellbeing of our nation. Gaor to joining, I was at where I worked closely with this committee, helping with the creation of the scorecard and assisting with its oversight. I would like to start by thanking you, Chairman, for your leadership, not only for youring it but follow-through with five years of oversight which has included 10 scorecards. The federal IT community has benefited greatly from working with you and your bipartisan partners along the way. Today, I would like to address three areas. One, the results in the path, two, the reasons, and potential reasons to consider future scorecards. The progress resulted from the scorecard from your oversight are significant. Billions of taxpayer dollars saved in consolidating data businessnd reducing systems and licenses. It is also help to elevate the CIO role. Agency ciosmpleted and strengthen. These enhance the relationship that will be critical that CIO leads to more modernization and digital transfer. So why was the implementation successful? It was a collective, team effort from the legislative and executive branch. Let's look at the specifics of this oversight. Your approach focused on critical sections of the law, established where metrics was the target, was measurable and data-driven. Every six months over five years, this is extremely important as it took at least two years to see significant progress in integrated areas. Also, OMB played a critical role. Required self-assessment. Federal agency CIOs provided leadership and delivered results. Evident with is the scorecards. Where should it go from here? Some of the areas reached a level of maturity where perhaps waiting was no longer a necessity.
This is not to say they are not important, just another area to benefit from the transparency and oversight the scorecard provided. For example, the hearing you held a few weeks ago on mission modernization and your March hearing would cover the gis contract were prime candidates. The written statement provides five recommendations to consider the scorecard is enhanced. These recommendations are consistent with the goals of the President's Management Agenda. Number one, enhance the cyber area him by enhancing the measures of cybersecurity. This should include patch and vulnerability management, cybersecurity framework and supply chain management. Number two, add modernization category that provides transparency to our nation's most important IT acquisitions and incorporate the customer experience measurement as well as legacy retirements. Number three, add an infrastructure category that highlights progress on EIS so we have more modern and secure networks. Number four, add an IT workforce category that provides a comprehensive view of agency and tracksgency gaps the appropriately skilled workforce. Number five, an IT budgeting category that works on working that IT iso captured. We need to shed a light on the discipline agencies used on IT budgeting so it reflects the actual needs for modernization. Be betterould conversations internally, the CFOs and externally with OMB and Congress. In summary, these recommendations are about better secured agencies, tackling true mission enhancement, having a modern infrastructure, a skilled workforce to do it and the right resources. Help an enhanced scorecard? Absolutely. Future legislation would enhance OMB policies would also. Theseorward important topics. Chair Connolly: And I thank you for being one of the key architects and establishing the scorecard.
I think it has evolved in a way that we hoped it would, which is to incentivize agencies to evolve and modernize and understand the criticality of that mission. Leadership for your and allowing us I thank you for your leadership to be where we are five years later. Welcome. Chairman Connolly and members of the committee, thank you for the opportunity to appear before you today to share my experience as assistant secretary CIO at the Department of Veterans Affairs where I served from 2015 to 2017. I'm pleased to join you and provide my recommendations to support the continued effectiveness. Prior to joining VA, I spent 20 years as a global leader in operations and technology private industry. I led organizations as large and complex as the VA. I had complete fiduciary responsibility and accountability for implementing world-class processes and technology. However, during the preparation, I frequently heard about how difficult it was to execute IT projects in the federal government. Of one- or two-year appropriations, complicated program budgeting, hiring delays, data center proliferation, even technology procurement decisions being made outside the IT organizations. Obstacles mentioned, within a short time, we were able to make progress. How were we able to do it? We had one critical, strategic tool I could rely on. Regardless of whatever obstacles I might have encountered, I had a law that I could leverage. I want to thank the committee for giving us that law and therefore the authority to act accordingly. Let me share a figure with you. 74 of IT modernization projects fail. That is a staggering figure and it is industry-wide. The primary reason is the complexity and age. Many agencies obtain new technology to enable a new process or solve a problem well before they understand how the solution would be supported or how the process will work. Make your time to something new work on something old.
Integrating new technology is always a risky proposition. The old infrastructure generally has not been well maintained, therefore, I'm seeing therefore, it leads to subsequent failure. [inaudible] i. T. Ame thing happens in the organization's culture and how a drives the use of agency haswithin an an impact on projects. We address the complexity by not focusing on just people bullet engaging leadership, being culturally and doinglding trust, this in the shortest possible time to take advantage of the new technology. Mind, I submit to the subcommittee several recommendations that I believe [inaudible] metric,an agencywide providing the support needed to with the restler of the leadership team. Add a metric that measures the lifecycle. His could be utilized the committee should consider a method to assess cultural readiness. To culture must be prepared adopt these technologies, not just endured. Organizational leadership should focus on user adoption by managing preparedness before tackling new technology. Finally, we must ensure the agency's physical reality supports mandates we impose. Many of our agencies continue to receive budgets that allow them to do a little more than maintaining or sustaining their outdated systems. There are positive steps forward by creating meaningful solutions, the committee can create a levered to modernize. We can no longer allow outdated and legacy technology to deliver vital public services. Chairman Connolly and members of the committee, thank you for your time and opportunity to share my perspectives. I'm happy to take questions at this time. Chair Connolly: Really helpful observations from your own experience. We look forward to working with you as we proceed. Thanks so much. Back. E [indiscernible] welcome back. I'm honored to testify in regards to the scorecard Congress has been issuing over the past five years.
Having served at Homeland Security, as well as the IRS, and having served as vice chair the council, I have ample opportunity to understand the management efforts of IT. I was pleased when it was enacted. It has been the oversight of Congress that has been the driving factor of getting federal agencies to improve their management. The spirit of bipartisanship that is made of significant, positive difference, starting with the drafting of the torah. Even with the progress, much work remains to reach the state of best practices. The hearing showcased the need to get the focus onto modernization. Even if we had unlimited funds to invest in IT, many agencies would still struggle because they don't have the management and skill to deliver large-scale modernization. In 2015, the federal government was on the high risk list and operations. The latest report recommended that the latest agencies needed to update their systems, but three of the 12 agencies made progress to plan to modernize her legacy systems. Given the success of the scorecard, it should continue as a tool to measure progress. Focus on modernization that is provided in my written testimony. One, an IT planning category. This category should reflect the maturity and focus on IT modernization. Two, combine the incremental delivery and transparency and risk management categories into a broader delivery of IT modernization occurs with the successful of programs. There should be a category that measures the ability of agencies to manage programs. Number three, of all the managing government categories or budget categories, they should keep the element of an agency having a fund. In addition, agencies should understand the cost element of the agency's budget. The federal government has tod the technology support this effort. They should be measured on their adoption, along with the use of best marketing of their IT
services muzzle they can compare themselves to other agencies and private sector corporations. Of all the cybersecurity categories from agency should be conducting many full enterprise risk management to ensure they are focusing their most sensitive data and critical systems. [inaudible] its use is mandated. Whether they are properly executing the steps. Add customer satisfaction category. A measure for all agencies to support the organization should be customer satisfaction. It would be best practice to administer a survey for all agencies so this category can be added to the FITARA scorecard. To determine the specific measures of a category, additional data would be required so the category can be graded. I recommend Congress convene an advisory group to develop recommendations to evolve the FITARA scorecard. This group should be headed by GAO, but could include representatives from the council, the office and me the private sector. Such an advisory group to make recommendations to Congress within three to six months. Given the scorecard, let's commit ourselves to evolve the scorecard to adapt best practices and move aggressively to modernize. Thank you for the opportunity to testify. Chair Connolly: Thank you so much. Thank all three of you for your very thoughtful testimony. Will be glad to work with you to cognizant of the changes you proposed in the metrics and the scorecard itself. The chair now calls on Mr. Palmer for his five minutes of questions. Mr. Palmer? Chair Connolly: I believe Mr. Palmer is having a bandwidth issue. You a ask all three of series of questions. It thathow important is the CIO have the ear of the agency heads? That is one of the categories we have added to the scorecard in terms of the reporting sequence because from our point of view, it is about empowerment.
If you are going to make decisions and make them stick, the rank and file needs to see that CIO is empowered by the agency. In your experiences, how important is that from your point of view? Thank you, Chairman. I have a situation of reporting head, large bureau of the IRS when I was CIO. Seen both situations of government. It makes a significant difference. Theto take away from undersecretary, but that noividual I served under had IT background, and there was a lot of lost translation. Frankly, not that I wasn't able to develop relationships with them, but it was not nearly as strong of a relationship I was able to develop with the IRS commissioner. In my view, I was able to be more effective because I had a good relationship with the head of the agency. Yes, I agree with Mr. Spires. During my time in VA, it wasn't the norm. Reportingrect relationship with Robert McDonald. We had a short period of time to get a lot of things done. He understood that I understood large enterprises and came from Johnson & Johnson and he had been at Procter & Gamble, and that allowed us to sync very quickly. That is a way for the CIO to have the kind of support enterprise-wide that they need when the enterprise head is aligned with them. That does not mean you don't include others in the conversation. It just knows that this mandate is a mandate. I totally agree with that alignment. Chair Connolly: Thank you. And Mr. [indiscernible] will third the importance of reporting to the agency. Aboutimportant modernization and tackling CIOs hase relationships with the business leads, and a strong relationship with the CFO so that there was the budgetary support. Top sothe support of the they can be a business partner with the business unit, and also, having that strong relationship with the CFO is critical to tackling the big challenges that our government faces.
Chair Connolly: While I got you, maybe you heard the previous panel, our conversation about data centers and be the attempt definitionilute the of data centers, which could have an unintended effect of losing savings, and even compromising security. Will you comment on that? Because you remember how important the premium we put on datacenter consolidation when we began this process with the scorecard. Yes. No doubt, Mr. Chairman. Knew when the memo came out that there was going to be a rub between the old policy and where you were going with datacenter consolidation. I think we have had great success with datacenter consolidation. Do I think there was opportunity to do more? Sure. What really needs to occur is I think there needs to be some type of agreement between OMB and what they are doing and what Congress wants to do. Right now, we are at different ends of the spectrum. I think there was some coming together, where you could tackle some data centers. There is opportunity. I think the infrastructure category on the scorecard, you can still include data centers, but you also look at modern networks. It is a good way to pick more broadly about infrastructure grade and how we tackle that. Chair Connolly: You will remember, perhaps, the very first hearing we had on this subject was when John was chairman of the subcommittee. We have a field hearing in my district, and that forced people to look at how they were complying with the brand-new bill FITARA on datacenter consolidation. What happened was we got much better at identifying thousands of data centers we did not know we had. But we made zero progress on consolidation. Out of that hearing actually grew the idea of a scorecard so we could create that in force action. I hope you don't go back to that. It is distressing to learn that this action alone would take 10,000 existing data centers and take them offline.
That is not the language of the statute and not the intent of the statute. It is worth watching. And my time is up. You forest, I recognize five minutes. Thank you, Mr. Chairman. And quickly to each of you, I don't want a long answer, just get at your basic [inaudible] I want to hear how you think has it been successful in driving change within agencies? From your perspective, is this thing working, why or why not? I will start, sir. Yes. It is definitely working. As I have mentioned in my testimony, we have always had good people, good CIOs and people who want to do the right thing, but the environment in many agencies, the culture, makes that difficult at times. You shining the light on aspects of IT and IT management and congressional oversight is really critical. Question forther the others, yes or no. I think it is working. I think it is working very well, is managementit plus measured. It gets people focused on the right thing. I agree with Ms. Council. I think what is important to look at is your consistency. It took four scorecards in two years to see significant change. You have to stick with it to drive change with the cultural issues as Ms. Council mentioned. I don't know which one of you is most equipped to hit on this, but couple of you brought this up with the CIOs. What is the biggest challenge that CIOs are facing in the attempts to try to deliver large-scale IT modernization? What is the wall they are running into? I can take that one. Large implementations are high-risk and they are costly and they include people. When you put all of those together, you end up with a situation where you cannot control all the aspects, and you are really focused on all hands on deck. One of the biggest issues you even withespecially the working council fund you may have multiple sets of these systems in a same environment. You're dealing with the most complex environments in the world.
When you go after trying to respectively change one of these, you gotta realize you are impacting an entire enterprise. None of these things are in isolation. None of these things are easily changed without engaging the entire whole. They are tough, but can they get done? Yes, they can get done, but they require a lot of focus in everyone's intent. That is one of the reasons we think the alignment needs to be at the top of the house so everyone understands they have to have a stake in making this successful. OK. Mr. Spires, are you there? I am. You mentioned in your testimony, recommendations regarding next steps for the scorecard and brought up trying to phase in the metrics, and obtain a buy in from the stakeholders. Can you walk me through that? Sure. I believe we need to try to get, trying to get Congress working effectively with OMB, effectively with GAO and coming up with a set of metrics we agree with. They will never be perfect, but we can come up with a good set of metrics. We have to figure out how to measure them. That and get federal alignment this is a bipartisan issue. We can work to do that. I think we could make significantly more progress in driving IT modernization. Often, we are some of the big modernization efforts that require the whole of agency efforts, agencies are scared to go after and we need to change that dynamic because it is important gets done. Thank you, and I agree. , butetrics have been great looking forward to getting more to the bottom line of what we need to get to. I think we can get there as well. I yield back. Think theolly i Ranking Member. Movenk our hope is to eventually to a scorecard that is a digital hygiene kind of scorecard, but it is important reason that the only that we have made the progress in because we have stubbornly insisted on the metrics contained in the scorecard for five years. It took five years to get deryone finally better than a and fs. Five years.
We want to be cautious about sliding back, or assuming progress, where it has not been completely achieved. All of ouro thank panel for being here. There are so many other areas we can expand upon. Still with are you us? Mr. Palmer: I swiped myself out. Sorry. Chair Connolly: Welcome back. You are recognized for five minutes, Mr. Palmer. Mr. Palmer: Thank you, Mr. Chairman. I want to go back to something Mr. Spires said about additions to the scorecard. With security. The federal acquisition waylations are written and are written in a way. It goes back to the fact we are dealing with antiquated legacy systems, and 51 of what we are buying is sourced from China. Sensendering if it makes to add to the scorecard, and to encourage agencies to avoid buying as much as possible, from China? Mr. Spires, since you raised the issue of adding to the scorecard? Mr. Spires: In the cybersecurity area, certainly, I'm a huge believer of looking at enterprise risk. There was no doubt today that cybersecurity supply chain risk is a very significant risk we need to address. Say youin a position to should not buy anything from China related to IT, but I think it is something that agencies need to take seriously as a look at their enterprise risk strategy. I know that is something DHS is looking at from the whole of government right now. Mr. Palmer: Yeah. I am not saying they can source everything outside of China, but we ought to encourage them to do as much as they can because I think there is a gap, particularly when it comes to security around this multi-tiered supply chain. It is addressed nowhere in these acts. Let me ask it this way, does it make sense to amend FITARA to assess the global supply chain security risk tied to the federal IT acquisitions? Maybe that is where we start, and we put that into the scorecard. Does that make sense? Mr. Spires: It is a key risk for an agency and should be addressed as such.
Whether or not there needs to be legislation, or a part of the scorecard, I think that is why you should have an advisory group with experts that study this particular field. What would be best for the federal agencies and how to handle this particular enterprise risk? Mr. Palmer: OK. I'm not totally familiar with , but I knowgencies there are a number of areas considered high risk. In the galw if assessment if that includes high-risk for security breaches in the context of where they source the materials. Know? This question about high risk has come up a couple of times. I think one of the key things we need to do, whether it is supply chain or high-risk in regards to other aspects of high-risk, where there is risky acquisitions out there, sounds like there was some clarification that OMB needs to look at in terms of their policies they have in place so we are all going off of the same sheet because there seems to be a lot of confusion. I would recommend OMB take a hard look at this high risk and look at their policies, and perhaps clarify that. Mr. Palmer: That is a great point. We will follow up on that. I have been on oversight since day one, took a leave for most of this Congress, but I have done a lot of work with the GAO and the thing I want to commend the chairman and the ranking member on is, we continue to work together in a bipartisan andto improve the quality, in the previous panel, some of the panelists some of them are working off of COBOL. My concern is that there are not many people left who could correct it if something went wrong with that. There are a lot of vulnerabilities that could exist. But we are trying to do and a bipartisan ways not only enhance our security, but improve the product. F the work we need to replace antiquated systems. Not only at the federal level, but the state level, too, so we have it interoperability that we desperately need. I thank you, Chairman, for recognizing being back on the committee, and I yield back.
Chair Connolly: Thank you so much, Mr. Palmer. If me ask one last question, I may, among all the panelists given your experience. One of the things that concerns many of us, especially those of us who are also in the private sector in IT is that there is this gap, knowledge gap, experience gap between the federal government and let's say the private sector. That gap is almost growing. To try to reverse that, we got technologyto attract specialists and experts, who can its the government manage not, procure its IT, and so simple, even writing the terms of reference for a complex IT contract. I would love to hear is the final part of this hearing, your observations briefly about that problem, if you agree it is a problem, and what you think we ought to do about it? Ms. Council, why don't you start? Ms. Council: Thank you for the question. This impacts the governmental aspects as both private industry. We don't have enough technologists anywhere. We don't have enough data scientists anywhere, not enough architects anywhere. The need for technology, the need for people who understand information technology and how to make it scale has constantly been tenfold. As you see the now normal we go through since COVID, technology is everywhere and everything that allows us where we need to be, even when we are not there physically. Often. Talked about this I would not know how to get a top of the federal government. It is not a straight line. It is not sending in a resume and you start talking to someone as you would in the commercial industry. It also requires to understand how to navigate. I will tell you some of the best and brightest in our universities today, they are interested in working in technology and want to work on the newest things and hardest things possible.
And so, in that kind of environment, the faster we can get up on technology, the faster [inaudible] the more excited young people will be, as well as old people don't count us all out because some of us know how to program we will be more than willing to come in and help the federal government. No doubt about it. Chair Connolly: Thank you. Mr. Spires? Mr. Spires: Yes. Thank you. Great answer by Ms. Council. I will build on that by saying, midcareer and the IRS first. The sense of mission is palpable. I don't think I think we could do a much better job of enticing younger people if we would market ourselves better as federal agencies. I recognize that sometimes you don't have the latest technology offered in all of them, but I will tell you the opportunities that younger people can have that are talented, that really want to build a career, I think we are missing a big opportunity to be able to entice people. If we marketed this more effectively, we could attract people. You will lose a lot of them, no doubt. Maybe you have a program where you try to keep them for four or five years. A lot will go back into the private sector in me that is OK, but we need to do something different. I don't think we will be able to buy our way out of this with increased salaries but I think you have a wildcard here we need to play in me that is the opportunities we can offer younger people. Chair Connolly: Thank you. Mr. Pounder, final word. Mr. Pounder: The compliance focus will not attract anyone. Who doesn't want to help the veterans in our country? Who doesn't want to secure the homeland where Mr. Spires work? Those are the types of missions we really need to get out in front and talk about the challenges that we face as a government, and attract those young, hard chargers out there. It won't be easy because of the salary differences, but I think we have seen it when you have this mission focus. How come some folks that are seasoned come back?
They do because they are sold on the mission. They want to actually help deliver on these missions. It is no different with the younger folks we need to attract. We need to sell the mission. There are a lot of things in government that are really important, and I think there would be a fair amount of people who get behind that. Chair Connolly: A little inspiration would not kill us? Absolutely carried [laughter] Chair Connolly: Thank you. Without objection, all members will have five legislative days in which to submit additional written questions to the chair, which will be forwarded to the witnesses to their responses. I ask all the witnesses to respond as quickly as you are able, and I want to thank all three of you for really thoughtful conversation and for the scorecard on FITARA, and with that, this hearing is adjourned. [Captions copyright National Cable Satellite Corp. 2020]