Without objection. This hearing really is what this committee is all about, particularly on the Government Affairs portion. We have a Mission Statement that we developed last Congress with my former Ranking Member, Senator Carper, and my new Ranking Member had a very good addition to it. The original one was to enhance the economic and National Security of America. Senator McCaskill suggested we add and promote efficient and more efficient, effective and accountable government. That's exactly what the GAO does and Inspector Generals do. We certainly appreciate your work. I don't know how many times I have said and others have said, you're our favorite folks in government. You give us the information to make government more efficient and effective and accountable. Today's hearing is really on the GAO's high risk series, their list, something prepared by GAO since the early 90s. The facts speak for themselves. In the last ten years, they report about 2 240 million over that 10 year period by enacting their recommendations by making government more effective, 24 billion per year. IGs play a key role in that as well. Senator Grassley and I sent a letter and requested the IGs last Congress give us a list of all their recommendations that are outstanding. They have been implemented and the result was 15,222 net potential savings, 87 billion. Even in the federal government, that's real money. It's really folks like you that can make a huge difference. Today's hearing, what we decided to do is we listened to Mr. Dodaro testify beautifully without notes and he can speak an awful lot. Rather than have him completely on the hot seat, we decided to invite Mr. Mitchell and Mr. John Roth, Department of Homeland Security, to testify in terms of their department and the activity on the high risk list and invited Mr. John Thompson, director of the Census Bureau. We didn't invite you to be here to be in the hot seat. I really wanted to bring in a director under this committee's jurisdiction. 
I wanted to bring in a director and get your viewpoint in terms of how a director of one of these agencies is listed on the high risk list, how you view that, what you do, what are your challenges trying to get off the high risk list and how seriously you take it. I appreciate it. We'll go easy on you here. We truly appreciate you coming. Looking forward to the hearing and I don't want to spend much more time. I'll hand it over to you, Senator McCaskill. Thank you, Mr. Chairman. Know that Mr. Dodaro knows this, I consider GAO one of the most important entities in Washington, D.C. It's an independent nonpartisan agency that investigates how the federal government spends nontax dollars. Your work supports us meeting our oversight obligations under the constitution and helps us improve accountability in the federal government. The important thing is you provide information objective, fact-based, nonpartisan, fair and balanced. At the beginning of each Congress, you release a report of Government Programs of high risk due to vulnerabilities and high waste and fraud and mismanagement. Shortly after the report we invite you to testify. I appreciate this hearing is one of our first full Committee Hearings of the 115th Congress. Your report provides us with a list of priorities how this committee can target and root out waste, fraud and abuse. Your report says the federal government oversees more than 0 80 billion in taxpayer funds for Information Technology investments. Poor management, as we know, leads many IT contracts to fail or significant cost overruns. Contract oversight is not a new problem in government but remains one of the most important problems out there. While most Government Employees are dedicated public servants, the high risk report highlights that more work is needed to insure the federal breaks performance effectively and efficiently for the American people. 
This includes several skill gaps in the American Workforce that could pose risks to American tax dollars and American lives. It is alarming even after the large scale cyber breach at the Office of Personnel Management and the medical wait list scandal at the Department of Veterans Affairs, some of the federal skills gap identified still include cybersecurity and nursing. This year, GAO added the 2020 Census Program to its risk of high risk areas, knowing our next census is rapidly approaching, I'm grateful Director Thompson is here to provide a status update on the program. The cost has risen over the last few decades with 2010 being the costliest in history. Billions of dollars were wasted on programs that had to be scrapped at the last minute in order to insure the 2010 census was done on time. Given this challenge and the Important Role it plays counting our citizens as well as allocating precious taxpayer dollars to communities, I'm eager to learn how the bureau plans to effectively manage costs this time while simultaneously modernizing the Census Program. I'm grateful to directors Roth and Missal for joining the Director Thompson here today to improve and discuss the homeland programs respectively. When there's ineffective oversight and accountability in government, money gets wasted and mismanagement gets unaddressed. As a former state auditor I consider Government Accountability as the most important work in my time in Senate. Last week President Trump signed into law the GAO oversight act and I cosponsored to insure GAO has full access to the National Database of new hires, a key tool for cutting waste and fraud in many of the government's largest programs as well as allowing states to aggressively pursue Child Support payments and the law also strengthens their ability to take legal action if they need it to perform its functions. 
This law is a great example what our committee can do when we Work Together to promote accountability in the government. It is a complex system of agencies spending more than 3 trillion annually on behalf of the American people. We are members of the public trust to insure those tax dollars are used well. Thank you for being here today and Mr. Chairman for having this committee and I'll look forward to questions. Thank you, Senator McCaskill. It is the tradition of this committee to swear in witnesses, if you'll rise and raise your right hand? Do you swear to tell the truth and nothing but the truth so help you God? I do. Please be seated. Our first witness is Mr. Eugene Dodaro. He has been the comptroller general of the Government Accountability Office since 2010 and more than 40 years of experience at the agency including acting comptroller general and chief acting officer and head of the accounting division. Comptroller Dodaro. Thank you very much, Mr. Chairman. Good afternoon to you, Ranking Member Senator McCaskill. I'm very pleased to be here today to discuss the latest edition of GAO's high risk program. I'm pleased to report many of the 32 areas on the list in 2015 have shown improvement and in a position now they either meet or partially meet all five criteria from coming off the list. The five criteria are leadership, you have to have the capacity, a good action plan, monitoring effort and demonstrate some progress. This is the hardest to meet to show you're reducing the risk or making progress fixing the problems addressed. This progress is due to commitment and advice from the Agency Leaders as well as staff in the agencies, o achld b a. And Congress addressed high risk areas and why we're showing this progress. Congress had over 250 hearings on areas discussed in the high risk programs. I'm very pleased this committee was sponsoring bills and holding a lot of hearings and I'm very appreciative of that. Congress is key to making progress. 
We look at almost every area we identify as achieving progress, congressional action's been instrumental in achieving that degree of progress. One area met all the criteria coming off the list, managing the sharing of terrorism related information. This was a very important area to the safety of our country. I could assure this committee, while it's coming off the list it doesn't mean it's out of sight. We will keep an eye on it to make sure things stay on track in that area. Another area is the Department of Homeland Security. They've continued to show steady progress and proved their ability to monitor the action plan they have in place. They really need to focus on acquisition programs, fixing their Financial Management systems and improving employee morale, those are the key things they need to continue to do. There are a number of areas on the list that need substantial attention. These, I would particularly cite to this committee's attention. First is veterans healthcare. Added that to the list in 2015 for a number of important reasons. That I can elaborate on in the Q&A. I'm concerned they've made limited progress. Financial management, we talked about it a number of times, the only federal agency that hasn't been able to pass the test of an audit. Information technology and acquisitions and operations, Senator McCaskill mentioned. That's an area we have seen some progress needs circuit more oversight and attention to make sure that it gets fixed. Cybersecurity. Both Cyber Security as it relates to federal government's own Information Systems but also Critical Infrastructure, like the electricity grid, Financial Markets, air Traffic Control system and others. We added cybersecurity across the federal government as a high risk area to the list in 1997. This is the 20 year anniversary. 
We've been trying to get agencies to move on that area and despite even the breaches, we have a thousand recommendations still outstanding in the Cyber Security area. Then, reforming the Housing Finance system. This is one area that was not addressed coming out of the global good morning crisis. Fannie Mae and Freddie Mac are still in conservatorship they've been in since 2008. A lot of the risk has moved to the federal government either directly or indirectly, directly through the Federal Housing Administration who had to get an infusion from Treasury between 1 and 2 billion a few years ago. 70 of all the mortgages right now are either for Single Family homes or directly or indirectly supported by the federal government. We need to address Fannie and Freddie and get the private sector back into the Financial Market as well to reduce the risk on the federal government. We're adding three new areas this year. First is the federal efforts to oversee programs to help Indian Tribes and their members. We're very concerned, we looked at the education programs, schools in poor conditions, not properly staffed, no quality standards for healthcare, a lot of vacant positions, distributing funds to send people to private sector care if it's not available in Indian hospitals, they're still using a formula they used in the 1930s. It needs attention. Also where the tribes want to exploit oil and gas on their lands but they need federal permitting and licensing explore oil and gas on their lands and it's slow. They're not able to generate that revenue to help them deal with those issues. Secondly, both to dispose of waste from Nuclear Weapons complex as well as from commercial power plants. The liability right now is approaching 1 2 trillion dollars. I believe it to be understated because of problems we saw one example for D.O.D. and not properly estimating environmental viabilities for cleaning up after department op rehabilitations as well. 
The federal government spends millions of dollars every year to clean up this waste but it keeps growing, not enough Decision Making in those areas and we have a number of outstanding recommendations. The last is the census, as you mentioned. We added that to the list because the last census was over 12 billion, costliest ever. In order to contain costs they introduced a lot of novel concepts using the internet. Address lists from spatial and other means rather than door-to-door canvassing and using administrative records. All these things add to the risk. Final plans have not been put in place yet. We look forward to answering questions from this committee. Thank you. Mr. Thompson is the director of the Census Bureau. Before that he was president and CEO of NORC, known as the National Opinion Research Center. Director Thompson. Good afternoon, Chairman Johnson, Ranking Member McCaskill and members of the committee. I appreciate the opportunity to update you on the 2020 census. I'm proud to report today we remain on the Critical Path to readiness. The 2020 census has been added to the most recent high list risk from the Government Accountability Office. Both the 2000 and 2010 censuses were also on this list, a reflection of the complexity, scale and importance of conducting a fair and accurate census. This decade, the complexity is heightened as we replace the paper and pencil-based design with Innovative Technologies that will save taxpayers billions of dollars. We already have robust controls in place to mitigate the risks of carrying out this constitutionally mandated task. As we plan and test the 34 operations and roughly 50 systems that comprise the 2020 census, we're aware of the many risks the program faces. That's why we're working rigorously to moderate and manage and mitigate those risks. In the final years of the decade, Risk Management is critical to our Operational Plan in 2020. 
Other important part is continuing to work with the colleagues at the GAO and inspector of commerce. I discuss it in greater detail in my testimony for the record including overarching risk of funding uncertainty. Today, I want to highlight following specific risk areas, we're concentrating on. First, cybersecurity, fraud detection and insuring the public's trust. We're actively securing our skims and devices for the went census and 2020 census and field tests insuring we prevent Cyber Attacks and we will use a layered strategy. Second, insuring systems readiness. We developed and field tested proof of concept systems and the design is supported by findings from the census tests. Now that we've awarded nearly all the key contracts for 2020, we're finalizing our systems ahead of the 2018 end to end census test. Third, refine our field procedures through testing, fourth, managing the integrative master schedule for the 2020 census and its supporting programs. Lastly, documenting and validating our 2020 census life cycle cost estimates. Census tests are key to finalizing our designs and reducing risks. Last year, we tested core census operations in Texas and Los Angeles County, California. Additionally we tested our address canvassing procedures and systems in parts of North Carolina and St. Louis, Missouri. We learned many lessons from these tests and we're using those lessons to refine our operations and mitigate the risks of an innovative census. In addition, the Census Bureau has planned test operations in 2017, these involved Critical Systems in operations that must be tested ahead of the 2018 end to end census test. The 2018 end to end census test is the final major field test before the 2020 census. Field operations will begin on August, 2017 with a census day of 2018. Pierce County, Washington, Providence County, Rhode Island and Bluefield-Beckley-Oak Hill area of West Virginia. 
Collectively it will cover about 77,000 housing units. We'll test and prove in nearly all of the 2020 census operations, procedures and field infrastructure. We will also produce prototypes of our geographic and data release products making sure all of the census systems work individually and in concert with each other is critical. Using the lessons from 2018 will make any necessary adjustments to insure we're ready for the census and finalize our plans for operations. We've been transparent how we're approaching the redesigned census and held public Quarterly Program management reviews, we publicly documented and tracked our biggest decision and shared our master schedule with the GAO every month. There are many challenges ahead. We're confident with appropriate funding levels we can successfully execute the 2020 census. I need to note 2017 and 2018 are critical years in the census cycle. The funding we receive in these years will have a great effect on the outcome of the 2020 census including achieving 5 million in cost savings. We're six months away from field work on the census but not yet clarity regarding the program's funding in 2017. In January, uncertainty about the fullback iscal 2017 budget us to make difficult decisions on scopes of the program and uncertainty funding lists. This will add to more work in 2019, to a delay in opening three of our six Regional Census Centers in 2017 and the elimination of advertising in the 2018 end to end census test. It will lead to deep cuts in program and Test Management operations despite the GAO and our Inspector General deeming them critical for a program of this complexity. I must stress we need Adequate Funding to do development, validation and documentation and planning necessary for Risk Mitigation in which the GAO has urged us to conduct. We are planning an innovative modern design for 2020 that will bring the census into the 21st century. 
Our approach takes advantage of new technology and data sources while minimizing risks. With the funding we requested we can execute the design that will save taxpayers billions of dollars. I thank the committee for your interest in our work. I look forward to discussing the challenges we face and how we're addressing them and continuing a productive relationship with the GAO in the years ahead. Thank you. Thank you, Director Thompson. My next witness is Mr. Michael Missal. He is the Inspector General of the Department of Veterans Affairs, prior to services to Inspector General. He was a partner at the law firm where he led policy and regulatory practice groups. Thank you. Chairman Johnson and ranking Senator McCaskill. And the members of the committee. We seek to prevent and detect fraud, waste and abuse and make meaningful recommendations to drive economy, efficiency and effectiveness throughout VA's programs and operations. Our goal is to undertake impactful work that will assist V.A. providing appropriate and Timely Services and benefits veterans so deservedly earn insuring proper distribution of taxpayer funds. I have had the privilege of serving since May 2nd, 2016. Since that time I fully immersed myself in the work, policies of the OIG. We made a number of enhancements since I started including issuing a Mission Vision and value statement, increasing transparency, creating a Rapid Response team, expanding our Data Analytics capabilities, being more proactive in our review areas. I believe these changes will enable us to do additional impactful work in a timely manner. The OIG shares a similar mission with GAO. It is important we have a strong relationship with GAO to insure we avoid duplication of effort as much as possible. To that end, one of the first things I did when I started was to meet with comptroller general Dodaro and his senior staff. 
Our offices have had a number of discussions and communication since that time to promote coordination and oversight of V.A. GAO added managing risks and improving V.A. healthcare to its biannual high risk list in 2018 and remains on the list for 2017. The GAO focuses concerns on ambiguous policies, oversight and accountability. Inadequate training for V.A. staff and unclear resource needs and allocation priorities. While our work is determined by what we believe is the most effective oversight of V.A., a number of our reports address concerns in these same five areas. As the Committee Requests I will highlight single of the work with GAO placing V.A. healthcare on the high risk list. It should be noted many of the reports could fit in more than one area. We issued a number of reports in the past few years that include V.A.'s ambiguous policies and inconsistent processes, a review of the Health Eligibility center determined the V.A. had not effectively managed its business processes to insure effectiveness creating maintenance of eligibility data. We made 13 recommendations in that report including one focused on controls to insure future enrollment data are accurate and reliable before being entered into the enrollment system. V.A. concurred with the recommendations and provided sufficient information to close all recommendations in October 2016. Proper oversight by management would insure programs and operations would work effectively and efficiently. Our September 2016 report on the Denver Replacement Medical Center is an extremely costly example of the result of inadequate oversight. Through all phases of the project we identified various factors that significantly contributed to delays in rising costs. This occur due to a series of questionable Business Decisions and mismanagement by V.A. 
Senior officials resulting in a project years behind schedule and costing more than twice the initial budget of 8 800 million. We made five recommendations and V.A. management concurred with all recommendations. We recently requested information from V.A. on the implementation status of the recommendations and will keep them open until V.A. provides satisfactory evidence of implementation. As we have reported in our list of V.A.'s Major Management challenges within V.A.'s annual million report we frequently identified V.A.'s struggles to design, procure and or implement functional I.T. systems. I.T. security is continually reported as a Material Weakness in our consolidated Financial Statement audits. V.A. has a high number of legacy systems needing replacement. Moreover, after years of effort of replacement of legacy's Scheduling Software, a new scheduling system is still not in place. V.A.'s issues with Scheduling Software are related to its inability to define requirements, if a commercial solution is available or if it must design a system. Replacing systems has been a major problem cross the government and not unique to V.A. We issued a number of reports outlining access issues and our work in this area is continuing. One prevailing theme of the work related to wait times and scheduling issues were inadequate lack of to provide training for V.A. staff for scheduling appointments. We conducted extensive work for wait time manipulation through 2015 and 16 after the allegations at the Phoenix Healthcare system surfaced in 2014. As we reported in more than 90 administrative summaries of investigations and other reports that have been issued, the lack of training for schedulers and lack of understanding of the process by their managers created a system long wait times were not accurately portrayed to management. V.A. 
needs to accurately forecast services in the long term and short term and they are required by the Choice Act to review V.A. occupations with the largest staffing shortages. In our most recent report issued in September 2016, we identified medical officer, nurse, psychologist, physician assistant, physical therapist, medical technologists as the occupations with the largest shortages. In conclusion, the OIG is committed to providing effective oversight over the operations of V.A. A number of reports address the five broad areas of V.A. placing V.A. healthcare on its high risk list. We will continue to produce reports that provide V.A., Congress and the public with recommendations we believe will help V.A. operate its programs and services in a manner that will effectively deliver services to veterans and spend taxpayer money appropriately. This concludes my statement and I'll be happy to answer any other questions you or the committee may have. Thank you, Mr. Missal. Our final witness is Mr. John Roth, who served as Inspector General since March of 2014. In addition to doing previous work for the Food Drug Administration, Mr. Roth had 25 years as a federal prosecutor including chief of staff to the Deputy Attorney general. Mr. Roth. Chairman Johnson, Ranking Member McCaskill and members of the committee, thank you for inviting me to testify today. Homeland Security faces long standing challenges and we at the office of Inspector General have focused on Major Management and performance challenges in November, we listed six. One, creating a unified department, two, employee morale and engagement. Three, acquisition management, four, grants management, five, cybersecurity, six improving management fundamentals. Additionally with the new administration the department will face new responsibilities. 
We understand the significant investment the department will be making to satisfy its obligations under the president's executive order to conduct a southern border area to do that efficiently and effectively. The department has historically performed very poorly in this area. Prior efforts to fortify the southwest border known as SBI net were cancelled in 2011 as being too expensive and ineffective. In a Pilot Program in Arizona dnh spent about a billion dollars to build a system across by the way miles of the state's border before abandoning the initiative. We must not allow that to be repeated. Given the risks involved our office will use a life cycle approach to physically insure the southern border. Lifestyle audit approach means we can audit the Program Throughout its life span rather than waiting for it to be completed or partially completed before looking at it. In this way we have an opportunity to stop waste and mismanagement before the money is spent rather than identifying it after the fact. Our first report will address Lessons Learned from the First Initiative and other acquisitions to securing our borders. We hope to have this report out in the next six weeks. We plan to review the comprehensive review required within 180 days. Future audits will also address the planning, design, acquisition and construction phases of the southern border barrier. Similarly, the department will face a number of challenges executing the president's executive order directing the department to hire an additional 5,000 Border Patrol agents and 10,000 immigration officers. We recently completed an audit that highlighted the number of bottlenecks in federal hiring. In 2015 it took an average of 282 days, over nine months, to hire a Border Patrol agent from the time the Job Announcement closed to the date the applicant was actually hired. Other positions likewise encountered similar significant delays. 
Again, we think this is an unacceptable level of performance and look to make recommendations for improvement. As with the acquisition area, we have initiated the first in a series of audits to further review the department's Human Capital strategies to insure the department can quickly and effectively hire a diversified workforce and will continue to do this throughout the process rather than waiting for the hiring to be completed. Finally we will focus on the highly troubled grants management program. In report after report we see FEMA holds them accountable and the oversight to monitor assistance grants is ineffective, inefficient and vulnerable to fraud, waste and abuse. In 2015 we found a questioned cost rate of 29 unacceptably High Percentage and serves as an illustration of FEMA's continual failure to adequately manage grants. We believe that the root cause of this problem includes a failure of leadership, inability or lack of desire to hold grantees accountable and systemic issues that may only be cured by systemic statutory fixes. We have started to explore with this Committee Staff potential solutions and we look forward to working with you on this important issue. Mr. Chairman, this concludes my testimony. I'm happy to answer any questions you or the committee may have. Thank you, Mr. Roth. Let me start with Mr. Dodaro. In your testimony, you talked about cybersecurity, the 20th anniversary being on the high risk list. Others talked about challenges and cybersecurity. Can you summarize or give me the main reason why it's so difficult to get agency heads or get the departments up to speed from the standpoint of cybersecurity? Yes. This has been a long standing quest I've been on. When we first started this, we built a computer lab that simulated the operating environment of the agencies able to hack into their systems to show them how easy it was to get into their system. We still weren't getting a lot of traction or attention. 
People thought, who is going to do that? You could see this coming years ago, as we became more dependent on technology. Even with the breaches now, there's not a sense of urgency yet as much as I think there should be across the fgt. Let me stop. Because of these high profile breaches, are you seeing any increase to attention? There's some and a lot of scrambling going on but not resulting in meaningful improvements in as many cases as I think. Two cases going on. The government got a very slow start in this area despite our urgings. Secondly it's saddled with a bunch of legacy systems decades old where security wasn't built in up front and they can't patch them fast enough and they haven't been replaced with more modern systems with technology built in the front. The workforce is not up to where it needs to be in order to be able to take care of this issue and not enough follow through to see they're implemented. A lot is management, too. You need technical people. A lot of weaknesses can result in employees not being aware of anything and downloading Malicious Software into your system. There's a well-defined best practices for having a comprehensive effective Cybersecurity Program in place. Time after time we find agencies do not have this comprehensive program in place. They're not responding to incidences when they do happen as fast as they need to in order to reform the problem. This needs continual attention over time. These legacy systems are part of the millstone around the agency's efforts to improve cybersecurity. We did a report recently, I'm happy to share with the committee, of the oldest systems in the federal government. Some of them, one, at the Department of Defense was operating still on a floppy disc system, on the one hand they said, nobody's going to hack into it. On the other hand, you know cybersecurity. It's going to be not sustainable, over time. 
I can't emphasize how concerned I am about this and how vulnerable that we are. That extends in 2003, we extended to it the Critical Infrastructure protection across the country. Most of the Computer Resources are in the private sector hands. There needs to be sharing between the federal government and private sectors, a lot of reluctance to share information on this regard in security threats. The threats are evolving much faster than the agency's ability to keep up with it. We did finally pass the table stakes first step in cybersecurity legislation here, the Senate intel subcommittee and this committee, the cyber finance community enhance act. They gave a lot of authority in terms of imposing cybersecurity on the new Einstein system of the agencies. Has that had any effect whatsoever or just slow implementation? Those things help. There have been five different bills passed, that's one of the most important ones you cite, gives a sense of importance and urgency to it, some progress but not enough. Not enough to match the threat, in my opinion. Inspector general Missal, obviously we've had real problems and other senators have had problems as well, specific problems. One of the questions I have for you, in your office, I believe you took over with a pretty troubled office, I appreciate the fact you've instituted Mission Statements and trying to address that overall, what percent of your reports involve investigations on specific instances, either through whistleblowers or things you read in the news, of course we referred a number of those to you, versus overall suspicions in general to address the problems in the V.A. healthcare system? A very High Percentage. We have a number of different reports that come out. Our healthcare unit will do reports on specific cases much like you mentioned in Tomah and other facilities and we have a very vibrant inspection as well. Audits and we could focus on an individual situation. A healthy split of those. 
Almost a 50-50 type of thing? Hard to estimate. Probably more than 50 right now. I was wondering if youre overwhelmed by individual instances taking up all our agi time versus concentrating on daytoday audits to improve the overall system. Thats one of my goals. Were trying to clean out a lot of the work that was there when i started, a lot of the more individual cases. What id like to move for is more impactful work, where were doing more National Healthcare reviews, were doing more audits of programs, et cetera, and were moving in that direction. Inspector general roth, you were talking about the challenges the department has in terms of the executive order implementing the reports, hiring the individuals. Hiring has been a real problem. You talked about hiring bottlenecks, can you describe those in the remaining seconds i have on my time? Certainly. We did an audit regard to secret service and cvp. We found bottlenecks were the result of lack of advance planning. They wouldnt have the kind of right personnel specialist available to work the systems they needed to work, one problem. The second problem they had was that the systems they had were antiquated, they didnt talk to each other and the flow of paper and bodies through the system didnt work as well as it needed to. The third is the frankly the polygraph system that both secret service and cvp have in place creates significant bottlenecks with regard to getting people on board. Can you quick describe the bottleneck of the polygraph system? Lack of personnel or it is that. Ill use secret service as an example. Thats a collateral duty that a special agent would have in addition to the duties that he normally has of investigation. Basically he gets to the polygraphs whenever he gets to them. That will always drop low on that priority scale and backs up the hiring theyre able to do. 
What we recommended to the secret service as well as the cvp, enhance, have a number of specialized polygraph operators who could do that work as their sole job. It would seem to me these bottlenecks could honestly be easily overcome? Absolutely. It requires advance planning and why we want to do a life cycle approach on this hiring, warn them about whats coming and have them prepare in ways that make sense. Good. Senator mccaskill. Thank you, mr. Chairman. Back in 2009, gao did a report that concluded Borders Protection had not completed a cost analysis of physical borders? To your knowledge, has that ever been done? A cost benefit analysis? Not to my knowledge. I dont think so. No. The answer is definitely no. Definitely no. In your opinion at gao, should something that is going to cost billions of dollars begin without a cost benefit analysis? No. And would it be typical to begin a multibillion project without any appropriated funds? That would be difficult to do. No. I understand the administration is relying on a previous authorization for border security. I support border security. Do we know how much this is going to cost based on what youve looked at? The last time we looked at it in the 2009 report, the estimates given at that time was 6.5 million per mile for fencing or barriers that for Pedestrian Crossing and 1.8 for vehicle crossing at that time. Right now, theres about of the 2,000 mile border, theres about 650 miles where this fencing exists. Twothirds of the remaining where the federal government doesnt own. Its either state or private sector land. Its going to have to be either bought or publicly condemned? Yes. Part of that happened with the 650 miles as well. So the federal government would be taking land from the ranchers that live along the border? Or buy from them or whatever. Thered have to be negotiations. Theres ownership issue of the border. 
Theres a lot of rugged terrain along the border that would have to be dealt with as well and the acquisition area that both the Inspector General from dhs and gao have seen the departments ability to manage large acquisitions, is one of the reasons theyre still on the high risk list. Part of that would have to be improving how they go about carrying out acquisitions. With regard to the Legal Authority about the prior expenditures, id have to go back and take a look at that. Maybe there is some authority there that hasnt been used yet. Generally speaking, youd have to get a new appropriation. Let me move now to census. Im trying to i looked at the contract, not the contract, i looked at the amount, we entered into a contract for about a billion dollars, a lot of money. 887 last summer to integrate. We had a lot of bad experience and mr. Dodaro can speak to that. Integrators have had a rocky history in terms of success. Youre asking them to integrate 50 different systems. Why do we need to make it that complicated, mr. Thompson? Why do we need to integrate 50 systems? Cant we count people without integrating all those different systems? Thank you, senator. We do need all we have 34 operations in place for the were planning to do for the 2020 census and supported by 50 systems, as we mentioned, we gave your staff copies of those systems yesterday. The systems have to talk to each other, which is why why 50? Im somebody who just landed from another planet, explain to me what youre doing with 50 systems. Why do they all have to be combined for counting people especially since were going to be doing self reporting, i believe, for the first time on the internet? Yes. Why? I dont understand. Let me give you some examples. So we so we have one system that we allow people to respond over the internet with. 
That has to be integrated and talked to our control system so we know how many people have responded over the internet so when we want to go out and collect the information okay. Theres one. Right. 49 to go. Right. Right. So then we have to be able to do the inperson response. So we have to have a control system for that, so we have to know okay. For people that dont answer, you got to go out and find them and talk to them. Right. There has to be an instrument that collects the information from the people that dont respond. So we have to give our interview the handhelds, hopefully this time. Handheld device. Which we had to scrap last time. I understand that. I mean, i could go i could go on, but there is a need for each one of these systems. Weve really, really carefully looked at the systems that we need because we dont want to make it overly complicated. Well, 50 sounds very complicated, mr. Thompson. It may be that you absolutely have to have all 50, but i dont think youre on schedule. I think youre having only solve some of it is funding, i agree, but you need to have an endtoend test, i believe youre planning for 2018. Yes. You were going to do like in spanishspeaking areas. I just worry that were going to have deja vu all over again, that were making this more complex than it needs to be. Are you confident that, i mean, it seems to me in this day and age, asking people to respond on the internet, and on te briefly go to another item. People are going to be reluctant to give their information over the internet unless theyre reassured with the security. Are you working with dhs, Cyber Security so youre confident youre going to have the protection of that data that will reassure people? Because every person who responds over the internet is going to save us real money. Yes. We are working with dhs. We are working with the National Institutes of standards and technology. 
We are working with some private contractors to try to do Penetration Testing of seriously. We also, by the way, do employ the einstein software on our Internet Connections so we are protected by that, too. We work with dhs to get that in place so we take that very seriously. Thank you, mr. Thompson. Thank you, mr. Chairman. Senator carper? Thanks. Thanks so much. We appreciate more than you know the work thats done at gao on a lot of areas. But especially in preparing the highrisk list. And ive said for years that for me, for my staff and i, it is our todo list, and i think for this committee, democrats and republicans, its our todo list. You and i met early this week, we talked about areas where progress has been made. One of those is with respect to Property Management. Real Property Management. Would you explain why you think we finally got the ball in the end zone on that? Yes. First, the administration finally issued a National Strategy to deal with this, to lay out with some goals and some measures to really have a good plan. To make progress, you need that. Secondly, Congress Really helped a lot with the passage of two bills at the end of last calendar year. One, it would be creating an independent board to make recommendations to sell or dispose of some highvalue property that the federal government has. Thats a good step forward. I believe. And secondly, the second bill codified the federal council, Property Management council in place, gave it some todo lists, if you will, of Congress Giving it to them to improve the data, to regularly report. Hopefully it will result in a resulted reliance on leasing as well. Thats an area that still needs to be addressed. You know, federal government leases some property for decades that it would have been far cheaper to build rather than lease. So were trying to get the agencies to focus on some highvalue leases and doing a cost comparison in those areas. 
So, and theyre starting to improve the accuracy of the information and the Property Management database. So some leadership, some strategies, good support from the congress, all these are ingredients to the progress. Good. Thank you. The term called fizma, a law called fizma, federal Information Security management act, i believe thats what that stands for. Yes. Thats been around forever. Frankly not too effective in terms of realtime security for federal the dotgov domain. We passed fisma legislation, i think a number of us on this panel worked on it, dr. Coburn worked on this when he was with us as well. And general, do you all have any sense for how the passage of that legislation is being implemented and for good or for not? The idea is to make it realtime, not after the fact yes, Continuous Monitoring, i will have to say from dhs point of view, we had a somewhat different experience than what mr. Dodaro recounted, think in the last year of the administration, there was a real sprint based on some of the highprofile hacks that had occurred in other agencies to try to get, for example, Continuous Monitoring online, to get all components to actually report the results to a central headquarters location. To get twofactor authentication on every machine and every user having two factors, in other words, a card that they stick in plus a password. Then lastly to get whats known as authorities to operate, which is basically a license, a certification by the chief Information Officer that those systems, in fact, are effectively locked down according to fisma standard. We have seen, i think, some improvement, obviously with dhs, theres a long way to go, but particularly in the last year, we have seen some improvement. One of the things we did in this committee is to make it possible for dhs to compete for cyber warriors. 
In terms of the kind of pay and personnel policies that they could offer to compete, whether its against National Security agency or the private sector. And does anybody know whether or not thats making a difference yet? We did over a year anybody know? Anybody have a feel for that? Okay. I when jay johnson became the secretary, became the deputy secretary of the department of Homeland Security, i suggested to name them, go every month or two to gao, sit down, whether it was jean or top folks and literally go through the highrisk list that pertains to the department of Homeland Security. My sense is they did that and made a difference. Can you confirm or deny? The relationship weve had with the department of Homeland Security is a model to deal with the highrisk list. When i first met jane, she was puzzled as to why they were on the list. I sent a 20page letter over, heres everything you need to do. She said, i understand. She developed a plan and every so many months they report to us. We have quarterly meetings and they made real progress. We agreed on 30 things that needed to be done, needed to be measured. They fully met 13 of them now. They have a ways to go on the remaining piece. Ive suggested that model that could be used in place particularly at the v. A. With those areas as well. So that we just confirmed a new secretary of the v. A. , dr. Shulkin, whos going to be a good one. Yes. His predecessor certainly was, bob mcdonnell. We have the Inspector General for the v. A. , right? Correct. And one of my pieces of advice to dr. Shulkin, spend time with you and develop constructive relationship, good working relationship to figure out how you and your folks can help the v. A. Going forward, and the same idea with gao on the highrisk list. Right. Right. I try to meet with every cabinet official, talk about the highrisk area. 
Weve had series of meetings with omb, agency on the highrisk list and gao which i personally participate in and thats, i think, had some benefits and showing progress. Go ahead. Mr. Thompson, how are you doing? Im doing fine, thank you. Very nice to see you. Nice to see you. Give us one thing that we can do at our end in addition to what weve already done with respect to the census to make sure the next census comes in on time, on budget, maybe even under budget. What are one or two things this committee and the Congress Need to do to be a good partner? Thank you for the opportunity, senator carper. So as i said in my testimony, in my oral testimony, one of the issues were dealing with is the uncertainty of our funding. I know this isnt appropriations, but i know that weve gotten good support so far from both the congress and from omb and the administration and if that continues, that will be very good. Like i said, we are in a very, very pivotal year right now, 2017, wed like to get uncertainty lifted there and we also are looking forward to working with the administration on the 2018 budget then with the congress. So support there. Also help with getting administrative records. I mean, i know weve talked before about getting access to the National Database. The new hires. Your support there would also be helpful? Good. Good to see you all. Thank you. Thank you, mr. Chairman. I appreciate you holding this hearing regularly and this is an opportunity for us, you know, to gauge progress on some of the highrisk areas and some of these topics youve already discussed with others, but the two that jump out to me are Real Property and you talk about in your report the need for us to move more rapidly from leases to ownership where theres a longterm lease, its not cost effective. You also talk about physical security at federal buildings. And i want to probe those a little further. 
The one that always troubles me is the number of federal facilities that are not being used or not fully used and yet we cant seem to transfer those to either cities or states or private sector or nonprofit needs. And this is where senator carper and i and the chairman and i and others have worked on this for years. Can you give us, mr. Dodaro, a report on that part of the Real Property high risk that you over the years have identified? Where are we on the disposal of these properties? One example we my understanding is they received a successful bid and theyll be transferring that so theres some progress but not a lot. Thats why i think this legislation that Congress Passed last year to set up this independent board to identify some high value real properties. Some of the properties arent worth a lot of need a lot of repair. The agencies havent had enough money in order to put in, to pick up the properties to make them appealing or attractive to sale. One area that hasnt been explored very much, another area on our list, the postal service. They have a lot of vacant space i think could be perhaps rented out to the other agencies and could create other vacant space that could be sold and transferred. So the bottom line to answer your question is theres been some progress incrementally, but not as much as id like one reason you say theres been progress, year end, we did pass those two bills finally. Right. They shouldnt have taken so long. One does provide for inventory, another does provide for this commission. Is that part of the reason you think things are going better just because we have set in place now some new laws in relationship to this and now i suppose our job is along with you to monitor the implementation of that, make sure its actually done right? Thats exactly right. 
In my opinion, in my experience over several decades now, that most Major Management improvements that succeed in the government have a statutory underpinning to them because it brings a degree of continuity and certainty over time and congress can hold people accountable. Yeah. Can you tell us this afternoon how many square feet, how many buildings or what the value is of those buildings that are either not being used at all or are only partly being used? Yeah, i dont have that information at the ready. Ill be happy to see whats available and provide it for the record. Its an extraordinary number and it is a great opportunity to save some taxpayer money, too. With regard to the Cyber Security, you talked a little bit about this earlier, one of the challenges you cite in your report is the agencies and departments having Cyber Security workforce with regard to dhs, working at mr. Roth, we have specific legislation that was meant to address that to try to attract some of the best and brightest and retain some of the good people. For both of you, hows that working? Hows the framework working? Are you pleased with it? Is it something that you think were making progress on or not? Go ahead. Anecdotally, it seems the chief Human Capital officer at dhs is trying some Innovation Solutions with regard to hiring sort of i. T. Specialists and cyber specialists. Our plan was to let this go for a little bit just to have them get their sea legs before we do a formal anecdotally, using this opportunity to try to hire as many as they can. 
The idea of the legislation, this was started back in 2014 with senator bennett, myself, it was established some common language and job codes specific to Cyber Security because we had identified that as a problem that it was difficult to hire people because we had not provided this sort of standardization as to what the job descriptions were and job codes and then we got some of the legislation passed as it relates to frankly i just dont know that were making the progress that we should be. Clearly when you look at whats happening with regard to the hacking not just in government but all over now, this is a huge priority and these people are in high demand, people who have Cyber Security skills to be able to push back or go on the offense. You think, mr. Roth, from your time at dhs that you see progress in this area, and if not, what do you think we need to do? The rest of the government is not subject to the same rules that you are under this legislation. So if its youre sort of the beta, youre like the test case here. Is it helping? Is it working? As i said, we havent done a formal audit of it, so its very difficult to make a formal conclusion, but anecdotally, we see dhs trying different things, for example, they had a job fair in which they brought a number of people who were qualified under that i. T. Specialist and, you know, were able to provide offers on the spot. So, you know, were hopeful, but, again, until we actually do a formal pieces of work on it, its difficult to conclude. Could you do that work on it and let us know how its working? One of the aspects as i recall was a central database to simply, which seems common sense but wasnt being done, is that being done to your satisfaction? Is there a central database now where people know what all the Cyber Security needs are and as you said, when theres a jobs fair, can people give an offer without having to go through a long process? 
People werent patient enough to wait for the government response? They needed to know right away, theyre getting the job or not, they had other offers in private sector? Right. My understanding is they recently held one of the first job fairs that, in fact, did that. This is anecdotal, what theyre telling me. We havent evaluated. How long will it take you to audit it? Typically takes six to nine months to do a fullfledged audit. Can you speed that up and get back to us in six months? Well do what we can. Obviously an urgent issue to make sure we have the capability to be able to push back and go on the offense when necessary. Thanks very much. Senator langford. All of you, thank you, for the work thats ongoing. We appreciate it very much.