Chair connolly the subcommittee chair connolly the subcommittee will reconvene. Are you with us . They are telling me to give them a second. Chair connolly can you unmute and acknowledge that you are with us . I am here, mr. Chairman. Chair connolly if you would stay unmuted so i can swear you in. Ms. Counsel, are you with us . Yes, chairman. Chair connolly and mr. Spires . Yes, chairman. Chair connolly thank you. If all three of you would raise your right hand. Do you swear to tell the truth, the whole truth, and nothing but the truth or affirm the same, so help you god . Let the record show all three of our witnesses in the second panel have affirmed in the positive. Thank you. If you are ready, i will call on you for your fiveminute Opening Statement. And welcome back to our subcommittee. It is good to be back, mr. Chairman. Chair connolly im sorry, i didnt see you. Go ahead. I do not have an Opening Statement. I was told to do something in the Previous Panel, with unanimous consent to enter a document into the record on supply chains vulnerability. Chair connolly yes. If you didnt hear me, i said i would be glad to work with you on that question of supply chain. I think it was a good point that you made. I hit the little raise my hand button thing. Im getting used to all of this webinar stuff. I had a followup question that i will ask one of the panelists here. With no Opening Statement, i would yield back so we can move forward with questions for the panel. Chair connolly thank you, mr. Palmer. I did not call on you for an Opening Statement because there was an Opening Statement for the whole hearing and this is the second panel. Obviously, if you had something you wanted to add, you are more than welcome. I thought you were asking if i had an Opening Statement. I do not, but i will have questions. Chair connolly of course, and we welcome them. You are recognized for your five minutes. Chairman connolly and numbers of the subcommittee, thank you for the opportunity to testify. I have worked for a not for Profit Corporation that operates in the public interest. We work across government in partnership with industry to tackle challenges for the safety, stability and wellbeing of our nation. Prior to joining, i was at gao where i worked closely with this committee, helping with the creation of the score card and assisting with its oversight. I would like to start by thanking you, chairman, for your leadership, not only for creating it but your followthrough with five years of oversight which has included 10 scorecards. The federal i. T. Community has benefited greatly from working with you and your bipartisan partners along the way. Today, i would like to address three areas. One, the results in the path, too, the reasons, and potential reasons to consider future scorecards. The progress resulted from the scorecard from your oversight are significant. Billions of taxpayer dollars saved in consolidating data centers and reducing Business Systems and licenses. It is also help to elevate the cio role. More have completed agency cios and strengthen. These enhance the relationship that will be critical that cio leads to more modernization and digital transfer. So why was the implementation successful . It was a collective, team effort from the legislative and executive ranch lets look at the specifics of this oversight. Your approach focused on critical sections of the law, established where metrics was the target, was measurable and datadriven. Every six months over five years, this is extremely important as it took at least two years to see significant progress in integrated areas. Also, omb played a critical role. Guidance and it required self assessment. Federal agency cios provided leadership and delivered results. This progress is evident with the scorecards. Where should it go from here . Some of the areas reached a level of maturity where perhaps waiting was no longer a necessity. This is not to say they are not important, just another area to benefit from the transparency and oversight the scorecard provided. For example, the hearing you held a few weeks ago on Mission Modernization and your march hearing would cover the gis contract were prime candidates. The written statement provides five recommendations to consider the scorecard is enhanced. These recommendations are consistent with the goals of the president s management agenda. Number one, enhance the cyber area him by enhancing the measures of cybersecurity. This should include patch and vulnerability management, Cybersecurity Framework and supply chain management. Number two, add modernization category that provides transparency to our nations most important i. T. Acquisitions and incorporate the Customer Experience measurement as well as legacy retirements. Number three, add an infrastructure category that highlights progress on eis so we have more modern and secure networks. Number four, add an i. T. Workforce category that provides a comprehensive view of agency gaps and tracks the appropriately skilled workforce. Five, i. T. Budgeting category the focus is on working Capital Funds and i. T. Is better captured. Shed light on the agencies use that i. T. Budgeting so it reflects needs for modernization. This could spark better conversations internally with cfos and externally with congress. Securedrman, these are by agencies tackling true enhancement, having a modern infrastructure, the workforce to do it, and the right resources. Card an enhanced report help, certainly. Policies could also. Forward to working with you on these important topics for our nation. I thank you and i thank you for being one of the key architects of establishing the scorecard and i think it has evolved in a way we hoped it would, to incentivize agencies to evolve and to modernize and to understand the Critical Mission and i thank you for your leadership in allowing us to be where we are five years later. The chief executive officer of emerald one, welcome. Committee,of the thank you for the opportunity to appear before you today to share my experience as the assistant andetary of technology cio at the department of Veterans Affairs or i served from 2015 to 2017. Im pleased to provide my support for the further meant. During that time, i led organizations as large and complex as the v. A. , had complete fiduciary responsibility for implementing processes and technology. For my role,ation i frequently heard about how difficult it was to execute i. T. Projects in the federal government. One or two year appropriations, complicated program budgeting,iring delays, data Center Cultural nuances, Even Technology procurement decisions outside the i. T. Organization. While i did witness the obstacles mentioned, within a short time, we were able to make progress at the v. A. How were we able to do it . We had one strategic tool i could rely on. It is the law and regardless of what other obstacles i encountered, i had a law i could leverage. I want to thank the committee for giving us that law and the authority to act accordingly. Of all mainframe i. T. Modernization projects fall fail industrywide. The primary reason is complexity. Many organizations develop new technology to enable a process or solve a problem well before they understand how the solution will be supported or how the process will work. Trying toses, you are make something new work on something old. Integrating new technologies on top of old infrastructure is always a risky proposition. The old infrastructure is generally not well maintained therefore unforeseen risks often occur and lead to subsequent failures. Just like the stuff in your basement no one wants to get rid same thing happens in i. T. In addition to infrastructure age, but organizations culture and how it drives the use of impact on has a major project success. Discussald one, we complexity by not just focusing on people, process, and technology, but engaging leadership, being culturally aware, building trust, obtaining the full value of the solution, and doing it in the shortest possible time so we can take advantage of the new technology. This in mind, i respectfully submit to the subcommittee several recommendations i believe scorecard. Jus the it provides agency cios with the and is a Critical Agency asset. The second is a metric that measures the agencies average technology lifecycle. This could be utilized under standard risk of modernizing in that environment. The committee should assess cultural readiness. The culture must be prepared to adopt new technology, not just endure it. Thenizational leaders and focus on user adoption by managing the cultures preparedness before tackling any technology. Finally, it must ensure the agencys fiscal reality supports the technology mandates we impose. Agencies continue to receive Technology Budgets that allow them to do little more than maintain and sustain outdated systems. Both were positive steps forward, by creating more meaningful connections between the mandates, the committee can create the leverage many cios need to modernize. We can no longer allow outdated and Legacy Technology to stymie delivery of public services. Ranking connolly, member, and members of the committee, thank you again for the time and opportunity to share my perspective. I look forward to continued success and am happy to take your questions. You, reallyy thank helpful observations from your own experience. Very practical and we look forward to working with you as we proceed. Ires, welcome back. Good afternoon to you. Im honored to testify today in regards to the scorecard congress has issued over the past five years. Having served as cio of the u. S. Department of Homeland Security and irs, and having served as the vice chair of the federal council, i had opportunity to understand the management dynamics. I was pleased when it was enacted but the legislation itself, it has been the oversight of congress that has been the factor in getting agencies to improve. Significant policy difference starting with the drafting and it continues today with leadership from the subcommittee. Even with the progress, much work remains to reach the state of i. T. Management thus practice. The meeting held by the subcommittee two weeks ago showcased the need to continue to focus on i. T. Modernization. Funds, we had unlimited many agencies would still struggle as they do not have the skill to deliver largescale i. T. Modernization. 2015, the whole federal government was placed on a list for improving the management of acquisitions and operations. They recommended the 12 agencies plan to replace legacy systems yet only three of the 12 agencies had implemented the recommendations and made progress in even planning to modernize legacy systems. Given the success of the scorecard, it should continue as a tool to Measure Agency progress. I recommend changes that sharpen the focus on i. T. Management and modernization, all of which are provided in my written testimony. Ade recommendations include and i. T. Planning category. Meaningful i. T. Modernization starts with planning and support leadership and this category should reflect the maturity and focus on i. T. Modernization within the agencys planning function. Incrementald delivery and Risk Management categories into a broader delivery of i. T. Programs category. Agency i. T. Modernization occurs through successful delivery of i. T. Programs and as such, a category should measure the ability of agencies being able to manage such programs. Three, evolve managing government categories to a budget i. T. Category. It should keep the element of a working capital log. In addition, agencies should better understand the cost element of the agencys i. T. Budget. The federal government has adopted a Technology Business management support this effort. Agencies should be measured on their adoption, along with benchmarking of i. T. Services so they can compare themselves to similar sized agencies and private sector corporations. Evolve the cybersecurity category. Agencies should be conducting enterprise cybersecurity Risk Management to be focusing on protecting on their most critical systems. Develop such a framework called the Cybersecurity Framework and cybersecurity category should start by measuring whether in agency is executing the seven process steps. Add a Customer Satisfaction category. I. T. Organizations have customers. A core measure for all agencies should be Customer Satisfaction. It would be best practice to administer a standard Satisfaction Survey to all agencies so the category can be added to the fitara scorecard. To determine the measures for a category, i want Additional Data to be required so the category could be graded. I recommend congress convene an Advisory Group that would develop recommendations to evolve the fitara scorecard. This group should be headed by gao but include representatives from the federal counsel and private sector. Such a group would make recommendations to congress within three to six months. Lets commit ourselves at the federal i. T. Community to evolve the scorecard to support adapt best rapidly practices and move aggressively to modern processes and systems. Thank you for the opportunity to testify today. Rep. Connolly thank you so much, mr. Spires. Thank you three for your very thoughtful testimony and i assure you we will be glad to work with you and take cognizance of the changes you propose in the metrics and scorecard itself. The chair now calls on mr. Palmer for his five minutes of questioning. Mr. Palmer . Im informed mr. Palmer is having a band with issue bandwidth issue. Let me ask all three of you a series of questions. One is, how important is it that the cio have the year of the agency head . Thats one of the categories weve added to the scorecard in terms of the reporting sequence, because from our point of view, it is about empowerment. If you are going to make decisions and make them stick, the rank and file need to see that cio is empowered by the agency head. In your experience, how important is that from your point of view . Maybe we start with you, mr. Spires . I had the situation of reporting to the agency head at the irs when i was cio and not the case when i was undersecretary of management. I think it makes a significant difference. From the othery secretary of management that that individual i served under had no i. T. Background and there was a lot of lost translation and frankly, not that i wasnt able to develop relationship with the secretary at dhs, but it was not nearly as strong a relationship as i would later develop with the irs commissioner and i would say in my view, i was able to be more effective, significantly more effective because i had a Good Relationship with the agency head. Rep. Connolly miss counsel . Il illett ms. Counc agree with mr. Spires. In my time at the v. A. Had a Good Relationship and we had a short time to get a lot of things done, we understood Large Enterprises at johnson johnson, he had been a Procter Gamble and it allowed us to think very quickly. Way for the cio to have the kind of support enterprisewide that they need when an agency head is aligned with them. It doesnt mean you dont include others in the conversation. It just means everyone knows the mandate is a mandate so i totally agree with that alignment. Rep. Connolly thank you. Mr. Palmer . Mr. Palmer i will third the importance of reporting to the agency. To missiontant modernization and legacy where cios have relationships with the business leads and also a strong relationship with the cfo so there is the budgetary support for complex legacy modernization so having a Business Partner with the Business Unit and having that strong relationship with the cfo is critical to tackling these big challenges the government faces. Ive gotolly while you, maybe you heard the Previous Panel about data centers and the attempt to maybe dilute the definition of data centers which could have the unintended effect of losing savings and even compromising security. Would you comment on that, because you remember how important the premium we put on data consolidation when we began this process with the scorecard. Mr. Powner yes, no doubt, mr. Chairman. When that memo came out there was going to be a rub between policy there and where you were going with Data Center Consolidation. I think we have had Great Success with Data Center Consolidation. You have 4. 7 in savings. Do i think there is opportunity to do more . Sure. I think what really needs to occur is there needs to be a , there needs to be some type of agreement between omb and what they are doing at what Congress Wants to do so we get more on the same page. We are at different ends of the spectrum here. I think there is coming together where you could tackle some data center. There is a lot that is done but there is still opportunity. That is why in infrastructure category on a scorecard, you also look at modern Networks Like the eis vehicle as a good way to think more broadly about infrastructure grade and how we tackle that. Rep. Connolly you will remember perhaps that the very first hearing we had on this subject was when john mica was chairman of the subcommittee. A different configuration. We have a field hearing in my district, and that forced people to look at how they were complying with this brand new bill fitara on Data Center Consolidation and what happened was we got much better at identifying thousands of data centers we didnt know we had, but we made zero progress on consolidation. Out of that hearing grew the idea of a scorecard, so we could create metrics and force action. I hope we dont go back to that. This distressing to learn action alone would take 2000 existing data centers and basically take them off line. Is not the language of the statute, that is not the intent of the statute, so it is worth watching and my time is up. Mr. Heise, i recognize you for five minutes. Heise thank you, mr. Chairman. Really quickly to each of you, and i dont want a long answer, im just trying to get out your basically feel, but id like to hear from each of you how you think fitara, has it in successful in driving change within agencies . From your perspective, is this working and why why not . Start, sir. Yes, it is definitely working and as i mentioned in my testimony, the point is, weve always had good cios, people that want to do the right things, but the environment in many agencies, the culture as laverne was talking about makes that difficult at times. You shining a light on aspects ,f i. T. And i. T. Management congressional oversight, is really critical. Rep. Hice i like to hear from the others, yes or no. Is council yes, i think it working very well and i also believe people, manage plus measured. Is managed, measured, and clearly transparent, it gets people focused on the right onngs mr. Powner i agree measured gets done and what is important is your persistence and consistency. In both these areas, it took scorecards and two years. To see change. You have to stick with it to drive change. It takes time. I dont know which one of you is most equipped to hit on this but several of you, a couple of you have brought this up with the cios. What is the biggest challenge a attempts tog in the try to deliver largescale i. T. Modernization . What is the wall they are running into . Ms. Council i can take that one. Large implementations are high and and they are costly include people and when you put , you have agether situation when you cant control all the aspects you are on depth. To focus one of the first issues you run into, even with the working capital fund, is you may have in thee sets environment. I can only speak to the v. A. But you are talking about complex environments, not just in the u. S. Government but in the world. You go after trying to effectively change one of these, you have to realize you are impacting an entire enterprise. None of these things are in isolation. None of these things are easily changed without engaging the entire whole so they are tough, but can they get done . Yes they can get done. They require a lot of focus, they require intent and that is one of the reasons we think the alignment needs to be the top of the house so everyone understands they need a stake in making it successful. Rep. Hice mr. Spires, are you there . Testimony,ed in your recommendations regarding next steps for the scorecard and specifically you brought up trying to phase in the metrics and obtain a buyin from the stakeholders. Can you talk me through what you have in mind when you made those comments . Ms. Council mr. Spires sure. I believe we need to try to get better alignment. Mr. Powner mentioned this in answer to a question about Getting Congress working effectively with gao to come up with a set of metrics we all agree with. It wont ever be perfect but i think we can come up with a good set of metrics and figure out how we measure them and get the data, but i think we can get better alignment and this is a bipartisan issue so we can work to do that and i think we can make significantly more progress to drive true i. T. Modernization because too often, we are not going after we are doing things well, but some of the really big modernization efforts that require whole of agency efforts, agencies are scared to go after and we need to change that dynamic. You and i hopek you are right. I agree, we need the metrics have been great. Scorecard has been moving it forward to get more to the bottom line of what we need to get to. I think we can get there, as well. Thank you for your answers and appreciate it. Rep. Connolly i think the Ranking Member, thank the Ranking Member. Our hope eventually is to move to sort of a scorecard that is a general hygiene scorecard, but it is important to note what mr. Powner noted. The only reason weve made the progress we have made is we have stubbornly insisted on the metrics pertaining to the scorecard from five years and it took five years to get everyone finally better than a d and no fs. Five years, and we want to be cautious about sliding back or assuming progress where it frankly has not yet been completely achieved so i want to thank all of our panel for being here. There are so many other areas we could expand upon. Mr. Powner, are you still with us . Wipedwner yes, i just myself off a little. You are back and you are recognized for five minutes. Mr. Powner im wanting to go back to something mr. Spires said about additions to the scorecard and this has to do with security. The federal acquisition regulations are really written cheap is bestthat and it goes back to what we said in the first panel about the fact that we are dealing with antiquated legacy systems and about 51 of what we are buying is sourced from china so im wondering, if it makes sense to and tothe scorecard encourage agencies to avoid , as much as possible, to avoid buying from china. Mr. Spires, since she raised the issue of adding to the scorecard. Ms. Council in the cybersecurity area mr. Spires in the cybersecurity area, there is no doubt today that cybersecurity supply chain risk is a very significant risk we need to address, so im not exclusivelyn to say you shouldnt buy anything from china related to i. T. , but it is something agencies need to take seriously as they look at their enterprise risk strategy, and i know that is certainly something dhs is looking at for all of government right now. Rep. Palmer im not saying they can source everything outside of china, but we ought to encourage them to do as much as they can because i think theres a gap, particularly when it comes to security, especially around this multi tiered supply chain and it is really mentioned nowhere, addressed nowhere in these acts. Let me ask it this way. Does it make sense to amend fitara to assess the Global SupplyChain Security risk tied to the federal i. T. Acquisitions . Maybe that is where we start and we put it in the scorecard. Does that make sense . Ms. Council i go back to mr. Spires i go back to, it is a key risk for cybersecurity for an agency and should be addressed as such. Whether that means it become legislation or part of the that is why think you should have an Advisory Group that study this particular field, what would be best for the federal agencies on how to handle this type of risk. Im not totally familiar with all of the agencies, but i know there are a number of areas considered high risk. Gaost know if in the assessment that includes high in the Security Breaches context of where they sourced their materials. Mr. Powner, do you know . This question about high risk has come up a couple of times. Be of the key things would to hear whether it is supply chain or high risk in regards to other aspects of high risk, risky acquisitions that are out there. It sounds like there is some clarification they would need to look at in terms of policies in. Lace there seems to be a lot of confusion around this and i would recommend they look at high risk and what policies say. Rep. Palmer we will follow up oversight since day one took a lead, that have done a lot of work with the gao and the thing i want to commend the chairman and the Ranking Member on, we continue to Work Together in a bipartisan way to improve the quality and the previous that chairman connolly mentioned the fact that some agencies are still operating on cobalt. When i was in college, i was a cobalt consultant and my concern is there are not many people left who would know how to correct something if something went wrong with that so there are a lot of vulnerabilities that exist and i think what we are trying to do in a bipartisan way is not only enhance our security, but also improve the butity of the work product what i think we need to be doing is replacing antiquated systems and not only doing it at the federal level, but at the state level too so we have a drop ability interoperability. Appreciate you recognize me being back on the committee and i yield back. Rep. Connolly thank you, mr. Palmer. Very thoughtful. Let me ask one last question of the panel. That concernsngs many of us, those of us also in the private sector in i. T. Gap, is this knowledge experience gap between the federal government and, lets say, the private sector, especially vendors who provide services to the federal government in this sector and that gap is almost growing and to try to reverse that, weve got to be able to attract Technology Specialists and experts who can help the government manage its i. T. , incure its i. T. , and even terms of terms of reference for complex i. T. Contract. I would love to hear as the final part of this hearing your observations briefly about that problem, if you agree it is a problem, and what you think we ought to do about it. Why dont you start. Ms. Council thank you for the question. This is a question that impacts the governmental aspects as well as private industry. We dont have enough technologists anywhere. We dont have enough data scientists anywhere. We dont have enough architects anywhere. Theneed for technology, need for people who understand Information Technology and how to make it scale has constantly been, it is now even tenfold. As you see the now normally go through with covid, technology to be wherellows us we need to be and when we cant be there physical, allows our ideas to be there, so getting people to come work in the federal government is really hard. I talk about that often when i was in the role. Line. Not a straight it is not sending a resume and you Start Talking to someone. Youlso requires that understand how to navigate. Some of the best and brightest in the universities today are interested in working on technology, want to work on the newest things possible. They want to work on the hardest things possible, so the more we can give them that kind of canronment, the faster we get up on technology, the faster and theet technology more excited young people will be as well as some old people dont count us all out. To program. We would be more than willing to come and help the federal government, no doubt about it. Rep. Connolly thank you. Mr. Spires . Mr. Spires yes, thank you. Great announcer answer by ms. Council. In atly feel like, i came the irs first and the sense of mission is palpable. I think we can do a much better job of enticing younger people if we would market ourselves better as federal agencies. I recognize that sometimes you dont have the latest technology you can offer all of them but the opportunities younger people can have that are talented, that career, iuild a think we are missing a big opportunity to be able to entice people and if we marketed this more effectively, we could attract people. You are going to lose a lot of them, no doubt. Maybe you have a program where you try to keep them for four or five years. Stay, a lot will go back and the private sector and that is ok, but we need to do Something Different and i dont think we will be able to buy our, way out of this with increased salaries but i do we need have a wildcard to play which is the sense of mission and the opportunities we can offer younger people. Rep. Connolly thank you. Mr. Powner, final word. Mr. Powner i agree on the sense of mission. Many times, i. T. Departments in the federal governments have this compliance focus and that isnt going to attract anyone. If you look at where ms. Council was at, who doesnt want to help the vets in our country or secure the homeland where mr. Spires worked . Those are the types of missions we need to get out front and talk about the challenges we face as a government and attract young chargers out there. It is not going to be easy because of the salary differences, but i do think, and weve seen it, when you do have this mission focus, why do some folks who are seasoned come back into government . Ms. Council did it, mr. Spires did it. They came back because they are sold on the mission and want to help deliver on these missions. It is no different than the younger folks we need to attract. We need to sell the mission. A lot of things are really important and i think there would be a fair amount of people who would get behind that. Rep. Connolly so a little inspiration wouldnt kill us . Mr. Powner absolutely. Absolutely. Rep. Connolly thank you. With that, without objection, all members will have five legislative days to submit additional written questions for the witnesses, which will be forwarded to the witnesses for response. I ask all of our witnesses to respond as promptly as you are able and thank all three of you for the thoughtful contribution to the conversation and scorecard on fitara. With that, this hearing is adjourned. [gavel] [indiscernible] coming live tuesday at 10 00, the Senate ForeignRelations Committee looks at conditions in venezuela. Subcommittee on protecting free speech. Crew of space x discusses the recent mission. On cspan two, the senate meets at 10 00 a. M. To vote on the nomination of mark menzies to be on Deputy Energy secretary. A Homeland SecuritySub Committee on up on washington journal, david becker from the center for innovation and research talks about election security. And president trumps claims