[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT (FITARA)
SCORECARD 4.0
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
AND THE
SUBCOMMITTEE ON
GOVERNMENT OPERATIONS
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
JUNE 13, 2017
__________
Serial No. 115-27
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://oversight.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
26-560 PDF WASHINGTON : 2017
Committee on Oversight and Government Reform
Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee        Elijah E. Cummings, Maryland,
Darrell E. Issa, California             Ranking Minority Member
Jim Jordan, Ohio                      Carolyn B. Maloney, New York
Jason Chaffetz, Utah                  Eleanor Holmes Norton, District of
Mark Sanford, South Carolina            Columbia
Justin Amash, Michigan                Wm. Lacy Clay, Missouri
Paul A. Gosar, Arizona                Stephen F. Lynch, Massachusetts
Scott DesJarlais, Tennessee           Jim Cooper, Tennessee
Blake Farenthold, Texas               Gerald E. Connolly, Virginia
Virginia Foxx, North Carolina         Robin L. Kelly, Illinois
Thomas Massie, Kentucky               Brenda L. Lawrence, Michigan
Mark Meadows, North Carolina          Bonnie Watson Coleman, New Jersey
Ron DeSantis, Florida                 Stacey E. Plaskett, Virgin Islands
Dennis A. Ross, Florida               Val Butler Demings, Florida
Mark Walker, North Carolina           Raja Krishnamoorthi, Illinois
Rod Blum, Iowa                        Jamie Raskin, Maryland
Jody B. Hice, Georgia                 Peter Welch, Vermont
Steve Russell, Oklahoma               Matt Cartwright, Pennsylvania
Glenn Grothman, Wisconsin             Mark DeSaulnier, California
Will Hurd, Texas                      John P. Sarbanes, Maryland
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan
Jonathan Skladany, Staff Director
Rebecca Edgar, Deputy Staff Director
William McKenna, General Counsel
Troy Stock, Subcommittee Staff Director for Information Technology
Julie Dunne, Senior Counsel
Kiley Bidelman, Clerk
David Rapallo, Minority Staff Director
Subcommittee on Information Technology
Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair   Robin L. Kelly, Illinois, Ranking
Darrell E. Issa, California             Minority Member
Justin Amash, Michigan                Jamie Raskin, Maryland
Blake Farenthold, Texas               Stephen F. Lynch, Massachusetts
Steve Russell, Oklahoma               Gerald E. Connolly, Virginia
                                      Raja Krishnamoorthi, Illinois
------
Subcommittee on Government Operations
Mark Meadows, North Carolina, Chairman
Jody B. Hice, Georgia, Vice Chair     Gerald E. Connolly, Virginia,
Jim Jordan, Ohio                        Ranking Minority Member
Mark Sanford, South Carolina          Carolyn B. Maloney, New York
Thomas Massie, Kentucky               Eleanor Holmes Norton, District of
Ron DeSantis, Florida                   Columbia
Dennis A. Ross, Florida               Wm. Lacy Clay, Missouri
Rod Blum, Iowa                        Brenda L. Lawrence, Michigan
                                      Bonnie Watson Coleman, New Jersey
C O N T E N T S
----------
Hearing held on June 13, 2017
WITNESSES
Mr. David A. Powner, Director, IT Management Issues, U.S.
Government Accountability Office
    Oral Statement
    Written Statement
Ms. Beth Killoran, Deputy Assistant Secretary for IT, Chief
Information Officer, U.S. Department of Health and Human
Services
    Oral Statement
    Written Statement
Ms. Sheila Conley, Deputy Assistant Secretary, Acting Chief
Financial Officer, U.S. Department of Health and Human Services
Dr. Rick Holgate, Research Director, Gartner, Inc.
    Oral Statement
    Written Statement
APPENDIX
Questions for the Record for Mr. David Powner, submitted by Ms.
Kelly
Questions for the Record for Dr. Rick Holgate, submitted by Ms.
Kelly
THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT (FITARA)
SCORECARD 4.0
----------
Tuesday, June 13, 2017
House of Representatives,
Subcommittee on Information Technology, joint with
the Subcommittee on Government Operations,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittees met, pursuant to call, at 2:03 p.m., in
Room 2154, Rayburn House Office Building, Hon. William Hurd
[chairman of the Subcommittee on Information Technology]
presiding.
Present from Subcommittee on Information Technology:
Representatives Hurd, Mitchell, Issa, Russell, Kelly, Lynch,
Connolly, and Krishnamoorthi.
Present from Subcommittee on Government Operations:
Representatives Meadows, Jordan, Massie, Blum, Connolly, and
Maloney.
Also Present: Representative Gowdy.
Mr. Hurd. The Subcommittee on Information Technology and
the Subcommittee on Government Operations will come to order.
And without objection, the chair is authorized to declare a
recess at any time.
And I think we are good on votes later in the afternoon,
right, so that is a plus for once.
Good afternoon. Thank you all for being here. You know,
nearly two years ago today, we released the first FITARA
scorecard, or what some refer to as Issa-Connolly, is that
right, Mr. Connolly? This bipartisan committee product,
produced with GAO assistance, has been intended to drive
technology reform across all of our Federal agencies.
Today, the committee released the fourth FITARA scorecard.
And the committee, in coordination with GAO, has adjusted the
calculation and added new metrics for each version of the
scorecard since the beginning. For example, the FITARA
Scorecard 3.0, the final grade included a plus to indicate that
the CIO reports to the Secretary or Deputy Secretary of the
agency and a minus to indicate if the CIO does not report to
these officials. That system remains in place for Scorecard
4.0, and I strongly urge that all agencies with a minus to
adjust their reporting structure. This is an easy fix that
will help agencies continue to move towards 21st century IT
practices.
For Scorecard 4.0, the committee made two adjustments to
the grading. First, we simplified the calculation for the
incremental developmental area to capture more incremental
projects. Second, we incorporated OMB data center optimization
metrics into the data center grade so that half the grade is
now based on savings as a result of consolidation, and half the
grade is based upon meeting optimization metrics. OMB published
these optimization metrics last year, so they should not be a
surprise to agencies. And we did this based on feedback from
the agencies.
The committee is also previewing a new grading area related
to the FITARA and MEGABYTE Act requirements on software license
management inventories and the effectiveness of software
licenses. There is absolutely no excuse for agencies not to
have an accurate inventory of the software licenses they have.
This is basic IT management.
From Scorecard 3.0 to Scorecard 4.0, four agencies' grades
have improved, 15 agencies' grades have stayed the same, and
five agencies have declined. Notably, the Department of Defense
grade declined from a D to an F. The committee reduced DOD's
grade due to a lack of transparency on IT spending. DOD appears
to have reclassified a significant percentage of its IT
spending as national security systems, which are not covered by
FITARA. This lack of transparency is unacceptable. My
colleagues and I will be following up with the DOD on this
issue.
We also have our first ever "A" on this scorecard. USAID,
after receiving D's on each of the first three scorecards,
significantly improved its scores, particularly in the areas of
incremental developmental transparency and risk management. I
applaud the work of the office of the USAID CIO to address the
score and encourage other agencies to look to them as an
example in these areas.
Today's hearing features witnesses from HHS, which has
received D's on all four versions of the scorecard, and
currently has 44 open GAO recommendations related to high-risk
IT acquisitions and operations. I look forward to hearing HHS'
plan to close out those recommendations and turn those grades
around.
Before I close, I want to take a moment to acknowledge and
thank Chairman Chaffetz. The prioritization of IT and
cybersecurity issues on the Oversight Committee has been an
integral aspect of this committee's success, and I am thankful
for Chairman Chaffetz's leadership on these issues. The
Congress and the country are better off because of his service
as chairman of the Oversight Committee. I thank Chairman
Chaffetz for his service and leadership, and I look forward to
working with Chairman Gowdy as he leads the committee forward.
Thank you, and I look forward to hearing from all of our
witnesses today.
And now, it is my pleasure to recognize my friend and the
ranking member of the Subcommittee on IT for her opening
statement. Ms. Kelly, you are now recognized.
Ms. Kelly. Thank you, Mr. Chairman.
And thank you, Chairman Meadows and Ranking Member
Connolly, for your leadership and the leadership you have shown
our subcommittees continuing to work together to oversee
Federal information technology systems.
Key to this oversight has been the scorecard our committees
have developed for grading agency progress and fulfilling the
requirements of the Federal Information Technology Acquisition
Reform Act, or FITARA, or Issa-Connolly. The latest FITARA
scorecard shows that President Trump's hiring freeze and plan
for imposing deep workforce reductions to agencies may have
already begun to reverse the gains many agencies have been
making under the prior administration. In January, President
Trump ordered a freeze on the hiring of Federal civilian
employees, preventing agencies from fulfilling vacancies or
creating new positions.
This past April, the Office of Management and Budget issued
a new directive mandating that the agencies reduce their
civilian workforce. Under the OMB directive, agencies are now
required to, and I quote, "begin taking immediate actions to
achieve near-term workforce reduction," the President's plan
for reducing the Federal workforce to make it even more
difficult for agencies to hire the most skilled, tech-savvy
workforce needed to fully implement FITARA.
This past March, our subcommittees held a hearing on the
challenges the Federal Government is facing in Federal IT
acquisition and heard from some of the leading IT experts in
the private sector. Many of these experts agree that one of the
most critical challenges to modernizing government IT
operations is the need to hire more IT professionals. As the
new scorecard shows, several agencies have hit roadblocks, and
some, like the Department of Health and Human Services, which
is here today, continue to fall behind in meeting the
requirements of FITARA. Forcing these agencies to make
across-the-board cuts to their workforces on top of the hiring freeze
can make it more difficult for them to fulfill the
requirements.
It wasn't always this way. Prior scorecards showed steady
progress among agencies. But for the first time since our
committee began measuring compliance, the new scorecard shows
that overall agency progress has stalled under this
administration. More specifically, the new scorecard indicates
that the grades of only four agencies improved, 15 agencies had
no improvement whatsoever, and the grades for five agencies
actually went down. In contrast, when the subcommittees
released their scorecard this past December, three times as
many agencies showed improvement in their scores, and only one
agency had a decrease in their grades. The new scorecard
highlights the fact that the Trump administration's Federal
workforce policies are harmful and counterproductive.
As I pointed out at the hearing our subcommittee held this
past December on FITARA, I hope there will be bipartisan
interest in holding the Trump administration to the same high
standards to which we held the last administration.
I want to thank the witnesses for testifying and thank the
chair again.
Mr. Hurd. Thank you, Ranking Member.
Now, I would like to recognize the chairman of the
Subcommittee on Government Operations, the gentleman from North
Carolina, Mr. Meadows, for his opening remarks.
Mr. Meadows. Thank you, Mr. Chairman. I just want to say
thank you for your leadership on this critical area. You have
forgotten more about IT than I ever knew, and I appreciate your
leadership. And certainly, for the Issa-Connolly law or, as the
gentleman from Virginia would love to call it, the
Connolly-Issa law, thank you both for your leadership as we look at
moving forward.
I want to thank all of you for being here. Some of this may
be not so pleasant. At the same time, it is becoming critically
important that we address these issues. And as you will see, in
a bipartisan fashion, we are taking this extremely seriously,
and it will have implications from a standpoint of
appropriations in other areas that if our IT CIOs don't take it
as seriously, they will see other areas that potentially could
be impacted because of their inaction.
And with that, I yield back, Mr. Chairman.
Mr. Hurd. The chairman yields back.
Now, it is a pleasure to recognize the gentleman from the
Commonwealth of Virginia, Mr. Connolly, for his opening
remarks.
Mr. Connolly. Thank you, Mr. Chairman. And let me thank you
and my friend Mr. Meadows and my dear friend Robin Kelly from
Illinois for the bipartisan leadership of these two
subcommittees. I think one of the big differences between this
period--and of course my co-author is here with us today as
well--we have handled this on a bipartisan basis. There is no
daylight between us or among us on this issue. And I think
sending that message to the executive branch is critical.
What was lacking under Clinger-Cohen was any continuity or
any robust follow-up because Mr. Clinger retired, Mr. Cohen
became Secretary of Defense. That is not the case here. We are
still here and we mean it. And we are going to continue to
press for progress on the implementation of FITARA, also known
as Issa-Connolly.
We are also, I hope, going to introduce legislation shortly
to extend the sunset provisions, which I think is one of the
recommendations of the GAO, and Mr. Powner may elaborate on
that today. But we don't want to lose progress by having those
provisions expire prematurely, and we need more time for
implementation, not forever, but we need more time.
I echo all of the sentiments my colleagues have shared in
their opening statements, and I want to first begin by citing
what the chairman cited, which is the progress at AID. Here is
an agency that began at a fairly low score and decided, you
know what, we can't settle for that. What did they do? They
reached out to GAO and they said what can we do to improve our
performance? And you know what, they listened to advice, and
they implemented it. And they now have the highest score and
the greatest progress of any Federal agency, AID.
So, when some agencies say, well, it is too complicated, et
cetera, AID has proved that is not true. If there is the
political way, if there is a managerial desire to self-improve
and to come into the 21st century, you will have congressional
support, you will have GAO support, and you will have a nice
grade.
On the other hand, at the other end of the spectrum is a
recalcitrant, arrogant management style at the Department of
Defense. Don't bother us with these troublesome requirements or
standards, we are exempt from everything, we will police
ourselves, and we will set our own goals and objectives and
metrics. The fact that they, of course, fall short of everybody
else's is immaterial. And what is so disturbing about that is
they are the big budget.
And I know when we met with GAO, we were very disappointed
in DOD's performance, and all of us agreed, again, on a
bipartisan basis, to insist that they improve their
performance, that they come into compliance like every other
Federal agency. And the burden is on them even greater because
they have the dollars. They have the biggest budget of anybody,
and they are about to get bigger. So, it is incumbent upon the
Department of Defense to "get right with the Lord," and we
are going to help them along on a bipartisan basis.
I believe the scorecard is a terribly important tool for
measuring progress, and I thank GAO for working with us and
coming up with it. I repeat what I have always said. It is not
designed to be a scarlet letter on anyone's back. It is
designed to prod senior management to provide the wherewithal
for a CIO in a reporting sequence but also empowerment so there
is accountability, there is transparency, there is
responsibility. And it is the taxpayer who benefits.
So, you know, we have set metrics against which we believe
people can be fairly measured, and we think it is working, not
as fast as we would like. And the slow pace of naming a
permanent CIO with the transition and new administration has
cost us some progress, and that is why we want to extend the
sunset provisions, not the only reason, but that is a primary
driver so that we can make up for that time and keep the goals
in front of us.
So, I look forward to this hearing. It is one of my
favorite every year. I don't know why there aren't klieg lights
and cameras all over the room, but I do think this is a
terribly important subject, and I thank again my colleagues for
their support and their commitment.
I yield back.
Mr. Hurd. I would like to thank the gentleman. And I am
going to hold the record open for five legislative days for any
members who would like to submit a written statement.
And we are now going to recognize our panel of witnesses. I
am pleased to welcome a repeat visitor of this chamber, I think
one of the few people none of us have yelled at in the Federal
Government, Mr. David Powner, the director of IT Management
Issues, the U.S. Government Accountability Office; Ms. Beth
Killoran, deputy assistant secretary for IT, chief information
officer, the U.S. Department of Health and Human Services.
Thank you for being here. Ms. Sheila Conley, the deputy
assistant secretary, acting chief financial officer at HHS; and
Dr. Rick Holgate, the research director at Gartner,
Incorporated, and former CIO of the Bureau of Alcohol, Tobacco,
Firearms, and Explosives. Welcome to you all.
And pursuant to committee rules, all witnesses will be
sworn in before they testify. Please rise and raise your right
hands, please.
[Witnesses sworn.]
Mr. Hurd. Thank you. Please be seated.
Let the record reflect that the witnesses answered in the
affirmative.
In order to allow time for discussion, we would appreciate
it if you would please limit your testimony to five minutes.
Your entire written statement will be made part of the record.
And I would like to recognize Mr. Powner for his opening
remarks for five minutes.
WITNESS STATEMENTS
STATEMENT OF DAVID A. POWNER
Mr. Powner. Chairman Hurd, Meadows, Ranking Members Kelly,
Connolly, and members of the subcommittees, I'd like to thank
you and your staff for your continued oversight on the
implementation of FITARA with this fourth set of grades.
This is the first time we've seen overall grades not
improve with only four grades higher, five lower, and 15
holding steady. I would attribute this in part to transitioning
administrations and also to your expansion of the scoring
methodology. For example, data centers now include how agencies
report on five optimization metrics in addition to cost
savings. This has resulted in data center grades going down
because only EPA and SSA report good progress on these metrics.
The transparent reporting on data center progress that
FITARA requires needs to continue beyond the October 2018 date
since there are significant expected savings beyond 2018.
Extending FITARA's sunset date and realizing these out-year
savings is especially important given the MGT Act and this
committee's oversight on modernizing old, insecure legacy
systems.
Another change to the scorecard is on incremental
development where we now capture more software development
projects. This change was suggested by several CIO shops, and
I'd like to add that we have had good scorecard discussions
with almost half of the CIOs or their staff. Although we've
seen progress in the areas scored to date--incremental
development, data center optimization, and investment
transparency--we think there is great room for improvement on
reducing duplicative business or administrative systems under
the PortfolioStat initiative.
Your preview of agencies' efforts to better manage software
licenses, a major area of FITARA not scored today, is
eye-opening. Your preliminary grades would be two A's, one C, and
21 F's, and if this area was incorporated into the overall
grades, we would have three agencies going up and 12 down
instead of the four up and five down currently.
Only three agencies--Education, GSA, and USAID--have
complete inventories of their software licenses. This is
completely unacceptable, especially considering this
committee's follow-up on FITARA with the passage of the
complementary MEGABYTE Act. We need better management and more
cost-savings in this area. Again, this is another opportunity
area to fill the working capital funds proposed in the MGT Act.
Next, I'd like to turn, Mr. Chairman, to CIO authorities
and our ongoing work to this committee on CIO budget
visibility, contract approval, and incremental development. The
good news is we are hearing that FITARA is improving the
relations between chief financial officers and chief
acquisition officers. But these improved relations are going to
take time to resolve in the outcomes we need. We are still
finding CIOs with limited visibility into IT spending, IT
contracts and acquisitions not being approved by CIOs, CIOs not
certifying that all major acquisitions are taking an
incremental approach, despite all these areas being required in
FITARA. We plan to have these reports ready for your fifth
scorecard, Mr. Chairman.
The reason these authorities are needed is simple: because
we need CIOs governing over all IT. We recently found another
example of a failed IT acquisition with the Coast Guard's
electronic health record that illustrates why CIO authorities
need strengthened. Tens of millions of dollars were wasted,
nothing was delivered, and when I recently with the admiral in
charge, I asked this simple question: Was the CIO involved? The
answer: Not then, but they are now with the new EHR
acquisition. This is exactly why FITARA and strengthening CIO
authorities are so critically important to have better delivery
of Federal IT acquisitions and to more efficiently manage
Federal IT operations.
Although there have been some encouraging efforts with the
current administration that highlight the importance of
delivering technologies more effectively--namely, the Office of
Innovation and the American Tech Council--agency CIOs and the
Federal CIO are key to carrying out these high-level agendas.
In fact, history tells us that the best progress we've seen on
managing Federal IT is when the Federal CIO takes an active and
aggressive role. This was a major theme that also emerged from
the comptroller general's IT forum that we recently held with
current and Federal CIOs. Currently, the Federal CIO and eight
Department CIO positions are vacant, and although we have seen
several capable individuals filling in, this lack of permanent
leadership will negatively impact the progress we are making on
FITARA. Your scorecard, Mr. Chairman, highlighting these
vacancies will hopefully help draw appropriate attention to
these critical positions.
Chairmen Hurd, Meadows, Ranking Members Connolly and Kelly,
thank you again for your continued leadership and oversight of
Federal IT.
[Prepared statement of Mr. Powner follows:]
Mr. Hurd. Thank you, Mr. Powner.
Now, I have been told that HHS has one statement, is that
correct, in who will be delivering it?
Ms. Killoran, you are recognized for your opening remarks.
STATEMENT OF BETH KILLORAN
Ms. Killoran. Thank you. Good afternoon, Chairman Hurd,
Chairman Meadows, Ranking Members Kelly and Connolly. Thank you
for allowing the Department of Health and Human Services to
come before you today.
Since the passage of FITARA, HHS has been committed to
making sure that we are cost-effective, provide high-quality IT
that benefits the American citizens and the services by which
we provide. This is a shared commitment both by the HHS CFO,
our chief acquisition officer, our chief human capital officer,
our mission programs, and myself. Together, we understand HHS's
IT budget totals $14 billion and that the spending across our
entire portfolio compromises--consists of a number of major
investments at our operating divisions and our staff divisions.
The leadership team strives every day to make sure that
we're strategically leveraging IT to fulfill our mission and to
make sure that we're providing health and human services that
foster advances in medicine, public health, and social services
so needed by our nation.
As a result of this effort, so far, our implementation
plan, we are actually able to accomplish 34 of the 39
milestones set forward in our implementation plan and actually
five additional ones just within the last month.
One of the FITARA successes we've had is the establishment
of a process and criteria for delegating authority to the
operating division CIOs. As a large federated organization, we
have to be able to identify, prioritize, validate, and verify
our nonmajor IT acquisitions. I'm happy to say that, through
the criteria that we've established, we've delegated 10
different delegations to those operating division CIOs, and on
a year basis I am personally responsible for providing input
into the performance of those CIOs, and we evaluate that
delegation on a year basis.
We also have been able to increase our use of agile
development. We seek to deliver IT-enabled functionality every
six months. And this has been able to be accomplished through a
process of improving our governance and integration, solving
collaboration efforts through development teams, and by making
sure that we integrate at all aspects with our customers.
Over the last two years, the CFO and I have jointly held IT
budget reviews to review, approve, or reject the IT budgets
across our organization. The purpose of these budgets is to
review and discuss how each of our operating divisions is
looking at their IT budget and how they're prioritizing,
addressing risk within their programs, aligning those IT
dollars to agency priorities, and making sure that we
understand not just the operating division priorities but the
enterprise ones as well.
Two key accomplishments in this area to date is being able
to increase the ability to add funding for our cybersecurity
initiatives, which we have been able to over the last three
years increase and has dramatic success; changing our budget
from 1 percent overall to 5 percent in cybersecurity since
2015.
We also have been also making sure that we are looking at
our legacy systems and making sure each of our organizations
are prioritizing those legacy systems and how they are making
initiatives and decisions to make the necessary changes to
those systems to keep them secure and viable for those
missions.
Also in the stewardship, we're making sure that we are
looking at planning, proactively managing our risk across our
organization, and to continue to mature our risk management
process and evaluation techniques as we update our IT
dashboard. We conduct portfolio reviews at individual programs,
and this year, we actually did one at Operating Division
looking at the totality of their IT programs, which we will
adopt and continue to improve and implement across the
organization.
For data center consolidation, we continue to make sure
that we are looking at the outcome metrics, but we have a
challenge around the continuing change in definition and the
changing of the goals and requirements.
We'll make sure that we are also adopting cloud technology
as part of our strategy, and I will say that we have had
success in this area, increasing our funding in cloud from $135
million in 2015 to $600 million last year, and we think we'll
have three-quarters of a billion dollars in cloud this year
alone.
In addition, we have to make sure we're looking at our
workforce, and so I have partnered with our chief human capital
officer to make sure that we're looking at our requirements to
make sure we are--have the ability to attract, develop, and
retain IT talent.
Currently, we have 1,400 positions in our organization,
3,000 of them overall, but we actually have an over-30-percent
vacancy rate, which makes it critical for us to understand how
to do this job better to have those resources.
Finally, as HHS continues to move forward with
implementation of FITARA, the Department has built a
collaborative, integrated business foundation that promotes
comprehensive governance across the Department where we can
optimize our mission, make sure we provide secure IT services
that meet the advances needed for effective and meaningful
outcomes for citizens. Thank you.
[Prepared statement of Ms. Killoran follows:]
Mr. Hurd. Thank you.
Dr. Holgate, you are up, five minutes.
STATEMENT OF RICK HOLGATE
Mr. Holgate. Thank you, Chairmen Hurd and Meadows, Ranking
Members Kelly and Connolly, and distinguished members of the
committee. Thank you for inviting Gartner to discuss the FITARA
scorecard.
As the former CIO of the Naval Criminal Investigative
Service and the Bureau of Alcohol, Tobacco, Firearms, and
Explosives, I'm keenly aware of the challenges faced by Federal
agencies in managing information technology. Both through my
involvement with ACT-IAC and most recently as a research
director at Gartner, an IT research and advisory firm assisting
98 percent of the Fortune 100 serving over 10,000 global
institutions and drawing on the experience of over 60,000 IT
leaders in making smarter IT decisions, I've gained broad
perspectives on more effective ways of using IT to further
agency missions.
Effective use of IT delivers strategic value and is viewed
as a competitive differentiator. Successful organizations
integrate their personnel and processes, including IT, to
ensure the success of all of their initiatives, and they treat
cybersecurity as part of an executive-level risk management
program.
With ever-accelerating changes and innovation, the
commercial technology market, not to mention new and evolving
cybersecurity threats, Federal agencies must get faster and
better at acquiring, integrating, and maximizing the value of
best-in-class technologies. FITARA is certainly a step in the
right direction, but CIOs can only do so much on their own.
First, the Federal Government must treat IT more
strategically and engage agency leadership. Innovative and
successful companies involve CIOs early and often on the front
end of strategic planning to ensure that they are able to
acquire the technology that enables their organizations to
succeed. CIOs must be given the opportunity to shape and
influence how IT enables the agency strategy early on.
Second, improve acquisition, budget, and funding practices.
Acquisition, budgeting, and funding can be impediments if they
are too focused on inflexible compliance and risk aversion, as
opposed to delivering business and mission outcomes. Adequate
resourcing is also a concern. Transformational investments make
up only around 21 percent of the Federal IT budget, while
private sector firms spend about 30 percent. The average legacy
system in the Federal Government is 14 years old compared with
10 years in the private sector.
Accelerating adoption of new technology is essential.
Modernizing acquisition practices is equally important. Federal
agencies must stop thinking of their IT as simply a call center
and reimagine it as an engine for innovation and transformation
and have the discipline to avoid instinctive cuts during
periods of austerity.
Agencies must also be better at using available funds.
CIOs, program managers, acquisition personnel, and budget
offices must work together in a better and more unified fashion
to avoid delays and bad outcomes. Government-specific reforms
such as increased access to multiyear funding, shared
accountability models under FITARA, and meaningful maturity
model reports to OMB and Congress could also improve government
outcomes.
Third, achieve greater visibility into agency activities.
CIOs need better visibility into the business and contracting
operations of the agency. The committee should consider
clarifying FITARA's scope. Using an objective, proven
rationalization methodology at both the infrastructure and
application levels can reduce system duplication, achieve
economies in savings, and improve commonality and
interoperability. Adding commodity IT measures to the FITARA
scorecard and empowering CIOs to undertake these activities and
work further with shadow or business unit IT could
substantially optimize IT costs and manage security risks while
enhancing productivity.
Fourth and finally, improve organizational competence.
There are many men and women working for the Federal Government
who are doing their best to manage a variety of IT systems from
multiple generations to achieve agency goals. Still, we must
improve overall competence. Successful businesses rapidly
discard outdated technologies while hiring and empowering smart
IT managers. In the Federal Government, we often see legacy
technologies operating far beyond their end of life, while
talented IT managers rotate too quickly to make any appreciable
impacts. Capitalizing on expanded and improved human capital
flexibilities can provide greater access to talent and better
cross-disciplinary development opportunities.
In addition, CIOs in the IT workforce require a high-functioning
team of finance, acquisition, H.R., security, and
legal professionals for effective IT leadership. The absence of
committed and skilled resources across all of these disciplines
places an organization and its IT initiatives at elevated risk.
Congress has a role to play here, too, in ensuring that
agency planning, acquisitions, and funding are all unified.
Initiatives such as the MEGABYTE Act, PMIAA, and the pending
MGT Act all have productive solutions to offer, and I urge you
to consider how each of these bills, as well as FITARA,
integrate to make agencies smarter, more agile, and more
cost-effective.
FITARA is a positive first step, and I encourage its
extension and expansion. I suggest three particular additional
steps: encouraging agency heads to articulate a clear strategy
for leveraging IT to improve business and mission outcomes,
including optimizing enterprise, not just IT costs; adjusting
scoring metrics and methods to incentivize desired behaviors,
and creating an integrated and streamlined approach for
assessing progress and across the diverse reporting demands
placed on agencies.
Thank you for the opportunity, and I look forward to your
questions.
[Prepared statement of Mr. Holgate follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Dr. Holgate.
I would like to now recognize the chairman, Chairman
Meadows, for his first round of questions.
Mr. Meadows. I thank you, Chairman.
Thank each of you for your insightful testimony. Ms.
Killoran or Ms. Conley, let me come to you. Out of the I guess
it was $14 billion that you spend in IT, how much of that
actually is grants to States?
Ms. Killoran. Seven-point-two billion.
Mr. Meadows. All right. So out of the $7.2 billion to
States, which States are doing the best job of implementing
that money?
Ms. Killoran. So that--we would have to get back with you
through our grants program because that is automatically done
through our grants and is not actually part of what the CIO and
CFO look at ----
Mr. Meadows. So, you have no idea which State is doing--do
you not see a problem with that?
Ms. Killoran. Well, the way that the FITARA works--and we
actually asked for clarification when the bill came out--is
whether agencies should be responsible for the grants funding
or not. And the guidance we got from OMB is that grants would
be excluded from the oversight.
Mr. Meadows. I agree with that. So, you are not having to
focus on this $7.2 billion according to FITARA, is that
correct?
Ms. Killoran. That is correct, sir.
Mr. Meadows. All right. So, let me ask you the follow-up
question because I thought that is where we were going. If you
are only having to look at the remaining balance, why are we at
D's across the board? Why are we not making better progress?
Because, you know, I can understand if it is a big number. Why
are we not making better progress?
Ms. Killoran. So, within the large Federal agencies--so,
this is my third federated agency--so started at Treasury and
then spent nine years and 11 years at DHS and now here. When
you're in a large federated agency, it takes us a little bit of
time to establish those foundations.
Mr. Meadows. So, assuming that it takes a little bit of
time, when are we going to see an improved score?
Ms. Killoran. So, you'll actually see--when we talk a
little bit, we actually have some cost savings that we have. We
actually have a plan for the data centers. So, we ----
Mr. Meadows. So, when are we going to see an improved
score?
Ms. Killoran.--expect--we're expecting to see some scores
change within the next 12 to 18 months.
Mr. Meadows. All right. So, Mr. Powner, let me come to you.
Is their plan aggressive enough based on other agencies? Should
we be expecting more?
Mr. Powner. Yes, I think you should. So, I--clearly, they
have a FITARA implementation plan they've made progress on, as
Ms. Killoran has said. I think when you have the large Federal
agencies, federated agencies, there's a real opportunity to go
after that commodity IT because a lot of those components,
there's an opportunity to look at duplication across those
components.
The other thing is when you look at the data for HHS on
data centers, they've actually closed a lot of data centers and
done a decent job on that, but there's not much in related
savings. So, we need to look real hard at the related savings
and also at their optimization ----
Mr. Meadows. So, Ms. Conley, what happened to the money?
Ms. Conley. Thank you very much for your question. Thank
you very much for your question.
In terms of what's happened to the money, at HHS, Beth
mentioned we're a large federated organization.
Mr. Meadows. Yes, I have only got five minutes.
Ms. Conley. Yes. Okay.
Mr. Meadows. Just what happened to the money?
Ms. Conley. In many cases with these data center
consolidations we have gaps in IT spending, meaning there are
things that we need to do within our IT portfolio, and
oftentimes, the savings that are realized through these
different consolidation efforts and modernization efforts are
plowed back into those respective systems and infrastructure to
provide things that we know need to be done to provide secure,
reliable ----
Mr. Meadows. So, without oversight of Congress you are just
reprogramming the dollars?
Ms. Conley. So, many of those dollars are re-plowed into
the very same systems and infrastructure ----
Mr. Meadows. So, let me understand. You close down a data
center and you plow it back into the same data center?
Ms. Conley. Well, if I might give you an example with our
financial systems modernization effort that we just upgraded
our financial management systems in 2016. We moved to the cloud
implementation. As part of doing that, we saved some money, but
at the--and maintained our operations and maintenance costs at
the same level, yet we were able to provide things like
disaster recovery ----
Mr. Meadows. All right. So ----
Ms. Conley.--and more to--better value to the government ----
Mr. Meadows. So, Ms. Conley, Ms. Killoran, let me be
specific. We are looking very closely at these numbers, and it
is going to have implications from an appropriations
standpoint. So, let me come back to you, Mr. Powner. How much
does DOD spend on IT annually?
Mr. Powner. So, it's about close to 45 percent of the
spend, which is $95 billion, so it's well into $40 billion
range.
Mr. Meadows. So about $40 billion, and I notice they got an
F on the transparency and IT dashboard. I mean, why is that?
Mr. Powner. So, what happened recently is there were about
$15 billion that was on the dashboard that just went away. And
what we understand is that it's been classified, we believe,
under the national security system umbrella. And it's okay
because there is an exemption for national security systems,
but to have $15 billion magically appear under that umbrella
doesn't seem right and ----
Mr. Meadows. Well, it doesn't seem right to me either, and
so here is what I would ask for you to do, and I will close
with the chairman's indulgence. We are being asked to fund DOD
above this $603 billion that the President has requested. In
fact, some in our conference want it to be $640 billion. Take
the message back to them, unless they get their heart right on
this, there will be no support for increasing that. And I don't
know how to make it any clearer. I will let my colleagues on
the other side of the aisle talk about perhaps HHS and some of
the others. But with DOD, it is going to require Republican
votes to increase it, and I for one, unless they get their
heart right on the transparency, am not going to be very
supportive if you will take that to them if you would.
Mr. Powner. Will do.
Mr. Meadows. Thank you. I will yield back.
Mr. Hurd. Ms. Kelly, you are now recognized for five
minutes.
Ms. Kelly. Thank you very much.
In my opening statement, I talked about the hiring freeze
that was ordered, and in April, the Office of Management and
Budget issued a memorandum to all agencies requiring them to
reduce their civilian workforces. The OMB memorandum fulfills a
key objective of the President, and I quote, ``the long-term
plan to reduce the size of the Federal Government's workforce
through attrition.''
Mr. Powner, is retention a critical factor in maintaining
an effective IT workforce, and how so if so?
Mr. Powner. Yes, clearly, you need to retain the good
employees we have, but also, too, we have significant gaps when
you look at the IT workforce not only from a cyber perspective
but also with some of the other key disciplines, systems
engineers and architects and the like. So that's always been a
big challenge in the Federal Government.
Ms. Kelly. I know we have talked about that before, and do
we attribute it to just the lack of a pool to pick from and
also the salaries we might not pay?
Mr. Powner. Yes, that's true, and I think that's why it's
critical that when you look at your IT workforce as a whole and
some of the challenges with the salary challenges the Federal
Government faces, you need to supplement that appropriately and
be really strategic about how you do that with contractors
because that can be done with contractors, and that right mix
is what you really want to obtain.
Ms. Kelly. Okay. Thank you.
Dr. Holgate, in your assessment, can agencies make the
necessary improvements under FITARA if they don't have the
flexibility to hire new employees or replace vacancies?
Mr. Holgate. Well, certainly, it's highly dependent on the
approach that agencies take in responding to OMB M-17-22.
There's latitude given in that memorandum and actually an
encouragement for agencies to explore technology-enabled
operational efficiencies and effectiveness. If agencies are
adequately creative about their response to that memo, they
should have the flexibility to be more creative and use IT more
effectively in their response.
The danger, frankly, is if they take a more reactionary
tactical approach and treat it more as a cost-cutting exercise,
in which case it can result in relatively haphazard
across-the-board reductions without that strategic foresight, without that
projection for longer-term opportunities that they may be
foregoing. So that's the danger in the memorandum itself is
just the nature of the response by the agencies themselves. We
haven't seen those responses yet in terms of how agencies are
thinking about those challenges, but that's the key issue there
is how are agencies going to actually shape their response.
Ms. Kelly. Well, off the top of your head can you give an
example of what being creative means, what that could mean or
could look like?
Mr. Holgate. Yes, so, for example, you know, leveraging the
IT talent that they already have and possibly supplementing it
with additional talent in the near term to enable them to
automate traditional tasks or mission space, to be more
creative across agency boundaries, to reimagine the way
agencies deliver services. There are opportunities like that
that require a certain amount of creativity and are critically
dependent on IT to enable those types of opportunities.
So, if agencies--again, if agencies treat this more as a
cost-cutting exercise and in an across-the-board fashion, they
may sacrifice those long-term opportunities just by virtue of,
you know, reducing cost in the short term.
Frankly, Gartner's written a lot of research on cost
optimization at the enterprise level and the opportunities that
IT can present with those opportunities. We've also written a
fair amount about the risks of cost-cutting, in particular by
taking a blanket approach and foregoing the future
opportunities.
Ms. Kelly. Thank you. Ms. Killoran, in your written
testimony you state, ``Recently, HHS conducted an IT workforce
inventory and we found that workforce shortages and
ever-increasing workload often create an imbalance that hinders
employees' ability to attend training or obtain
certification.'' This seems like a serious problem because, as
your written testimony states, many of HHS's 3,000 IT workers,
and I quote, ``do not have the diverse expertise necessary to
support current Federal IT needs, including IT project and
program management, architecture, or cybersecurity.'' Did I
hear you correctly?
Ms. Killoran. That is correct.
Ms. Kelly. What are some of the gaps in skills in staffing
that you attribute to the shortage in IT expertise at your
agency that you mention in your written testimony?
Ms. Killoran. So, we have--as Mr. Powner indicated, we have
significant decreases of our needs in cybersecurity, enterprise
architecture, systems engineering are the predominant areas
where we have the most significant shortfalls, and then
obviously programmatics as well.
We actually have worked with our chief human capital
officer to start building true capability and roadmaps on
competencies that needed to be done for each of these areas all
the way from a GS-5 up to what an SES would be. We have
identified over 25 different critical positions at this point
and have roadmaps for 11 of them.
OMB and OPM have determined that this is a great model. We
are actually helping to do the Federal CIO workforce community
at this, and OPM is trying to adopt that model Federal-wide at
this time.
Ms. Kelly. I see my time is up, so I yield back.
Mr. Hurd. I thank the gentlelady.
Now, I would like to recognize the gentleman from
California, Mr. Issa. You are recognized for five minutes.
Mr. Issa. Thank you, Mr. Chairman.
And I am going to follow up maybe just quickly. My question
is one of timing. I am hearing people say we don't have enough
resources, we don't have enough time. You know, I came to
Congress in 2000, or was elected in 2000, sworn in first
January 3rd of 2001. Basically, I was elected when Amazon was
founded. In 2006, you know--well, I will give you 2009 Uber was
founded, Instagram in 2012, Snapchat in 2014. In 2014, we took
an $82 billion spending and said we were going to deliver to
the CIOs real authority to do a job that it had previously not
had budget authority, often--and at least in the case of the
Affordable Care Act--had three nonprofessionals each pointing
at the other saying they didn't have the ability to stop a bad
project.
We did that after we had written off in Dayton $1 billion
at the Air Force, the Department of Defense, on a project where
they simply got to the end of $1 billion in spending and said
it won't procure parts accurately.
So, I think this first question will be for the GAO. Mr.
Powner, tell me, why is it I should accept that companies today
will launch on Amazon and be world-class, global with apps that
allow for tremendous ability to take labor out and put
efficiency into things as complex as a million cars around the
world being there when you want one? Why is it I have to accept
that it takes four years and the progress is minuscule?
Mr. Powner. Well, we shouldn't accept it. I mean, we spend
now for the fiscal year 2018 budget that's north of $95 billion
on IT, and we all know that a lot of that goes towards the old
O and M. But 20 percent of ----
Mr. Issa. We know the cost of a NOOK has gone down ----
Mr. Powner. Yes.
Mr. Issa.--if you are buying a desktop.
Mr. Powner. But 20 percent of $95 billion is a lot of
money. And here's the interesting thing is we do see pockets
where we do it right, so we don't--I don't--we don't want to
hear that you can't do it right. I mean, we see pockets within
DOD, within the intelligence community. The weather satellite
that we just launched that provides great weather warnings, I
mean, yes, it took a little longer and maybe a little more
money, but there are these pockets of success, so we need to
continue to replicate that, hold CIOs and the agencies and
actually agency heads accountable. I think some of the CIOs
need some help from the agency heads to write these CIO
authorities. And going back to the DOD story, I think DOD is
the last organization in the world that should be exempt from
FITARA. If any organization needs a private sector-type CIO,
it's DOD.
Mr. Issa. Oh, trust me, we negotiated to try to get less
exemptions, and they have their own little world. Quite
frankly, they said they had already fixed it with their earlier
bill. And yes, we need to have less exemptions.
But, Ms. Killoran, let me ask you a question, having been
with three agencies and now as a CIO of this one. We gave you
budget authority; we gave you the ability to work with your
peers to look for, if you will, interagency opportunities. Have
you taken advantage of any interagency opportunities where you
looked at your other CIOs and said let's do this together?
Let's go up on an Amazon cloud and have one common software
platform that we can share for certain types of uses, whether
it's H.R. or other areas?
Ms. Killoran. So, at this time, not across the Federal
agencies, but we ----
Mr. Issa. But why not? Do you lack authority?
Ms. Killoran. The--no, it's not a lack of authority. It's
understanding what we have within our department first and
understanding what we have and where those opportunities might
be across the Federal Government. So, what we have done
internally is trying to get our own house in order in
understanding what we have first, and then that allows us to be
able to start interacting better with the other Federal
agencies.
Mr. Issa. So, following up on that, cataloguing all the
software and characterizing it is an element for CIOs to
evaluate each other, right?
Ms. Killoran. Yes, sir.
Mr. Issa. And the potential cost savings if one agency is
up on a cloud with a next-generation software that does
something and the others are using, I don't know, a DEC Alpha
or something, that means that you can get immediate savings if
you only knew, right?
Ms. Killoran. I think if there's a--that's a ``yes but''
because sometimes there are capabilities but then they have to
be modified and altered based on security requirements and
interfaces that different agencies need, but at least it would
be nice to understand what's available.
Mr. Issa. Well, once the student loan program gets fixed
with its interface with the IRS, hopefully, it will be
world-class, so I agree with you that sometimes there are security
problems.
Let me just close with one question. When I hear that $7.5
billion in grants and similar money at many other agencies were
determined by the Office of Management and Budget not to be for
the CIO to oversee in any way, shape, or form and thus, you
know, basically avert the intention of FITARA, which was to
give budget authority and financial control, just an opinion
but I would like to hear your opinion. Should we speak to OMB
and see if, in fact, they would rethink that?
Ms. Killoran. I think understanding again that realm of
possibility, and so just as you mentioned ----
Mr. Issa. Because the act doesn't say it. That is an
interpretation.
Ms. Killoran. That's correct. But, I mean, to your point of
realm of possibility, there are a number of capabilities and
services that the grantees are given that might also help not
only our Federal agency but others that are doing similar-like
services. So being able to have some, especially when you're
interfacing and having some commonality of services, if each of
them is doing them in silos, it makes it very difficult to show
those capabilities.
Mr. Issa. Thank you. And, Mr. Chairman, that is not an
original thought. Many of us remember when the Affordable Care
Act gave many, many billions of dollars to various States, who
essentially stood up the exact same platform but each one
inventing it, some succeeding and some failing. This was part
of the genesis for Mr. Connolly and I working on this.
So, thank you for your indulgence. I yield back.
Mr. Hurd. The gentleman from the Commonwealth of Virginia
is now recognized.
Mr. Connolly. I thank the chair. And just to follow up on
Mr. Issa's point, obviously, if 100 percent of that $7.2
billion in grants were designed to support 50-year-old legacy
systems, and that is all it did, we would be very bothered by
that and we wouldn't want you to persist in that investment. We
would want you to pressure those grantees to upgrade their IT.
So, at some point we are concerned about that, and you need to
be, too. So, I echo what Mr. Issa had to say.
Mr. Powner--and by the way, Dr. Holgate, thank you. Your
testimony was terrific. I mean, I think you laid out a very
powerful strategic framework for why this bill was passed and
what we intend for it to achieve. And I just want to thank you.
I think it was one of the best articulations of what we are
about from a witness in a long time, so thank you.
Mr. Powner, and thank you for all of the work you and GAO
have done. You have done a marvelous job in making this not
only a high-risk item but at the very top of the agenda. It is
not sexy, but, Lord, can it lead to savings and more
importantly, make us so much more efficient in delivering
services to the people we serve. That is really what this is
about.
Why is data center consolidation so important? From your
point of view, why is it such a high priority in the
Issa-Connolly bill?
Mr. Powner. Well, we have very inefficient data centers
that are out there. Remember, we got into this in 2010 because
the average server in the Federal Government was utilized about
10 percent. That metric now, the target is 60 percent of our
servers, so we have underutilized equipment, underutilized
facilities, and frankly, some of them are so old we could do a
lot to improve our security posture, too, by upgrading these
centers.
And I do think, back to your sunset comment earlier, I
mean, there's at least $1.5 billion that we're aware of that is
on the table beyond 2018, and I think if you really press DOD
and some of the other large organizations, there's probably a
lot more.
Mr. Connolly. In your 2016 report on this subject, you said
that the consolidation plans could save taxpayers more than $8
billion by 2019. Is that correct?
Mr. Powner. That's correct.
Mr. Connolly. How much has been saved to date?
Mr. Powner. So, it's been about $3 billion of the $8
billion has been saved to date, so pretty good progress.
Mr. Connolly. Real money?
Mr. Powner. Real money.
Mr. Connolly. Bigger than the entire grant program of HHS,
$8 billion, I mean.
Mr. Powner. That's right.
Mr. Connolly. I mean, my colleague Mr. Meadows made the
point that we got to get our arms around the savings. If you're
effectuating savings but we're not accounting for it, you know,
the risk is people call it zero. So, Mr. Powner, could you
comment on Ms. Killoran's explanation for why we have
underreported or underachieved data center savings at HHS even
though they are, in fact, doing their job; they are
consolidating?
Mr. Powner. Yes, I--there's been consolidations. The
dollars are minimal when you look at the millions of dollars
that have been reported there. It sounds like there's probably
more that's not reported that are getting reinvested.
I think the important thing here is the transparency, and
back to the MGT Act, you want to create these working capital
funds at departments and agencies for reinvestment. Let's make
darn sure that the reinvestment is on the priorities, and if
you don't have transparency, there's no assurance that it's on
the priorities.
Mr. Connolly. I would hope, Ms. Killoran--and it sounds
like you would--you might sort of following the footsteps of
USAID and reach out to GAO so we have a better mechanism for
capturing the actual good work you are doing and the savings
they are effectuating, but also that we in fact--where we are
reinvesting, we are reinvesting in the priorities that Mr.
Powner just talked about. Are you willing to do that?
Ms. Killoran. So, thank you for the question, sir. We
actually talked before the hearing to do just that.
Mr. Connolly. Okay. Great. My final question because I know
I am going to run out of time, Mr. Powner, why is DOD so
obstinate? Why are they so resistant? And you heard Mr. Meadows
say from a Republican point of view take back a message. I
don't speak for all Democrats, but I think most of us on our
side of the aisle would echo his sentiments. The enormous
frustration that that is the biggest single appropriation of
the Federal Government and it is getting bigger, and they seem
to inoculate themselves from all norms of accountability. And
it is very frustrating. For example, OMB directed agencies to
submit plans for detailing data center consolidations, is that
correct?
Mr. Powner. Correct.
Mr. Connolly. And what is the Department of Defense's plan?
Mr. Powner. They didn't get it in on time. It recently did
come in, but they were very, very late. By the time we wrote
that report, it was not in.
Mr. Connolly. So, were there other agencies also failing to
submit?
Mr. Powner. No, they were the only remaining one.
Mr. Connolly. They were the only agency. And aren't they
also the only agency yet to achieve what is called an
unqualified audit of their books?
Mr. Powner. That's correct. The comptroller general has
testified ----
Mr. Connolly. And don't they exempt themselves from what
other civilian agencies subscribe to in terms of a GSA list of
sort of off-the-shelf generic products that can be purchased at
a lower cost?
Mr. Powner. Yes, there's some of that.
Mr. Connolly. Isn't this special? And didn't we have a
hearing a few weeks ago in this committee about $125 billion,
billion with a B, wasted by the Department of Defense that GAO
uncovered?
Mr. Powner. Yes. Yes.
Mr. Connolly. A hundred and twenty-five billion, right? So,
my final question, I am sorry, but why the resistance?
Mr. Powner. I think when you look at the DOD accountability
and organization structures, it's spread over too many
organizations. You have the CIO shop, you got the management
organization, you have the acquisition shop, and it's spread
over those different organizations. And I think other than the
CIO shop, IT doesn't get the right importance and visibility.
When you look at the data center consolidation, at one time
DOD alone was about $4.8 billion in savings. They backed off of
that significantly. I think you really need to look at their IT
spend. Look at embedded IT at DOD, weapons systems, satellite
systems. I think a CIO type would really benefit some of those
large acquisitions at DOD and help with the cost overruns and
the lack of delivery.
We've had some discussions recently with folks on the
Senate side on--in terms of their authorization committee, and
the--we just laid it on the table that when you look at
embedded IT and other things at DOD, it would benefit from a
private sector-like CIO type.
Mr. Connolly. Thank you, Mr. Chairman.
Mr. Hurd. The distinguished gentleman from the great State
of Michigan is now recognized for his five minutes of
questioning.
Mr. Mitchell. Let me start, Ms. Killoran, as much
entertainment as it would be to have the Department of Defense
be here, and truly, I think everyone would be thrilled to have
a discussion with them about their score, I would like to chat
with you a little about your testimony. You indicated that 34
of the 39 goals that you had set up for your implementation
plan had been achieved or were on target. Is that accurate?
Ms. Killoran. Yes, sir.
Mr. Mitchell. Then how is it that you still have a D-minus
score?
Ms. Killoran. So, the goals that we have go to the
different elements that are in the FITARA guidance provided by
OMB, making sure that we are putting forward the things such as
establishing delegations of authority ----
Mr. Mitchell. Okay.
Ms. Killoran.--reviewing our IT budgets.
Mr. Mitchell. Mr. Powner, can you give me any guidance as
to what you think that score will be shortly? Because a D-minus
is not exactly stellar.
Mr. Powner. Well, clearly, when you look--incremental
development, they had a high score, so they're--HHS doing a
good job there. The savings to--the two areas we score on
savings, very low scores because of the reported savings on
commodity IT and data centers. And then another thing, when you
look at their dashboard, they're quite green. Only about 14
percent of their investment dollars is red or yellow. That's
really--that's not a lot of risk when you look at their
investments, and they've got a lot of risky investments there.
That's why they get a low score there.
Mr. Mitchell. So, what do we expect--I appreciate that. You
didn't give me much indication of what we expect their score to
be in a year from now. I think we need to have an idea where we
expect these agencies--what they expect of themselves to be 12
months from now.
Mr. Powner. Well, I would hope when we get the reported
savings that within six months to a year we see an improvement
in the score.
Mr. Mitchell. I spent 35 years in private business. Only in
government do we say things like we hope to see improvement,
which, with all due respect, doesn't answer the question I
asked, which was what do we think, what do we believe the score
will be? I am talking about HHS; they are here. What do we
believe it is going to be? Ms. Killoran, do you have an answer
for me in what your target is for that score a year from now?
Ms. Killoran. So, as I indicated, we are working to make
sure that we are updating and working with GAO on our numbers.
So, for example, one problem we have is around the savings. One
is around the fact that, as Ms. Conley indicated, we are
reinvesting those, so working with GAO how to capture the
savings as we are reinvesting to show that at least we did save
them in these particular areas. We are getting ready to post an
$85 million savings in data centers onto the dashboard today.
We are also working to make sure that we are modifying our
investment capability to improve our acquisitions.
Mr. Mitchell. Well, let me express this. I appreciate that.
And it is obviously not just HHS. If this sheet came up at our
monthly management meeting or my quarterly meeting with my
board of directors, we wouldn't have been in business anymore.
That much red and yellow--and we used the same scorecard, red,
yellow, green--and obviously, paying attention to what is red
and what is yellow was critically important. And we had goals
in terms of when we were going to move those. And the problem I
have across the board is we don't have dates, we don't have are
we going to be green on this within the next year or yellow on
this. It is we just hope to see improvement. And that is--in my
opinion, to get improvement is wholly inadequate.
Dr. Holgate, let me ask you a question real quickly because
I am running out of time as well. You talk about cultural
change needs that are needed in these agencies in order to see
meaningful gains. One of the things I note in, again, the
scoresheet is in many cases the agencies that have particularly
bad scores--poor scores, let's put it that way--the CIO does
not report to the Secretary or the Deputy Secretary. Now, let
me explain to you, in my company the chief technology officer
reported to me, and believe it or not, I knew where to find him
24/7 because we couldn't get hacked with student data records.
We could not have that happen.
Give me some examples of how you think we--what we need to
do to get the culture changes from these agencies so in fact it
gets the attention it warrants?
Mr. Holgate. Well, so one aspect I alluded to in my
testimony about inviting agency heads to come in to explain to
the committee what their attitude is toward IT on behalf of
their CIO as an important enabler of business and mission
outcomes that IT represents. And the question is do agency
heads fully embrace that as an opportunity that they need to
capitalize on, or do they treat IT as an afterthought and
expense that must be minimized? And that's the cultural change
I'm referring to because, frankly, most Federal agencies treat
IT not as a strategic asset; they treat it as a headache that
they need to minimize.
Mr. Mitchell. Well, and because of that, correlated to that
is because they treat it as an issue like that, we also get
inadequate cybersecurity. The two go hand-in-hand. The cost of
acquisitions and how we efficiently acquire technology is one
thing, but if you are treating it basically as a nuisance,
guess what, we have security risks on our IT, and we have seen
them across the Federal Government.
Mr. Holgate. Absolutely. And contrary to the private sector
that treats cybersecurity as an enterprise risk issue, as I
alluded to, that's a distinct cultural difference that the
Federal Government hasn't adjusted to yet. We've seen repeated
encouragement that the Federal Government has gotten to treat
cybersecurity as an enterprise risk issue. We've seen some
recent evidence of that in the cybersecurity executive order
that was just recently issued, but we haven't seen that fully
adopted yet at the Federal level.
Mr. Mitchell. Well, I thank you. My time is expired.
And, Mr. Chair, I would like to have a conversation with
you at some time about how it is we mandate some structural
change to these departments so that the CIO gets the attention
it warrants. Thank you.
Mr. Hurd. I am going to recognize myself for a little bit
of time.
I would like to start off by thanking the minority staff
for the suggestion of Dr. Holgate to this panel because I think
it has been very valuable.
And, Dr. Holgate, am I paraphrasing you correctly when I
say that agencies can make their IT centers not a cost center
but something that drives business and mission outcomes?
Mr. Holgate. Yes.
Mr. Hurd. And is it fair to say that in order to achieve
that, that the agency head needs to recognize the importance of
cybersecurity, of how their IT networks drive business and
mission outcomes?
Mr. Holgate. Absolutely.
Mr. Hurd. And would that also mean that having the CIO
report directly to the agency head, isn't that an important
step?
Mr. Holgate. It's certainly relevant. It's not necessarily
necessary based on the relationship that the agency head has
with the CIO, but it would certainly be an indicator that the
agency head has taken that much more seriously.
Mr. Hurd. An indicator, great.
Ms. Conley, you are the deputy assistant secretary, and you
are the acting CFO?
Ms. Conley. I'm no longer the acting CFO. We have another
individual that's come in as part of the new administration
that is the acting CFO. I'm the deputy assistant secretary for
finance, as well as the deputy CFO.
Mr. Hurd. So that is the position you are going to be in
for some time?
Ms. Conley. I believe so.
Mr. Hurd. And you had previous experience in the private
sector in helping provide financial management strategies to
private sector companies, public sector?
Ms. Conley. That's correct.
Mr. Hurd. And how long have you been at HHS?
Ms. Conley. Eleven years at HHS now.
Mr. Hurd. So, Ms. Killoran does not report directly to the
deputy or the agency head. I think that is a problem. Would you
agree or disagree with that?
Ms. Conley. I--it depends I think I would say. How do you
like ----
Mr. Hurd. Well ----
Ms. Conley.--that pause? But I would say--so if I may ----
Mr. Hurd. So, let me rephrase the question.
Ms. Conley. Yes.
Mr. Hurd. Why wouldn't Ms. Killoran report directly to you
or the agency head?
Ms. Conley. So, we actually--Beth and I are actually peers.
We're both deputy assistant secretaries. She's in charge of
information technology; I'm in charge of finance. And we have a
suite of what we would call our CXO suite. So, it covers
finance, it covers ----
Mr. Hurd. So, who is your boss?
Ms. Conley. My boss is the assistant secretary for
financial resources, who then reports ----
Mr. Hurd. And who is her boss?
Ms. Conley. The assistant secretary for administration.
Mr. Hurd. And who is the boss of the assistant secretary
for administration?
Ms. Conley. Both of those assistant secretaries report to
the deputy secretary ----
Mr. Hurd. And then the deputy secretary's boss is?
Ms. Conley. The secretary.
Mr. Hurd. If my count is right, that is like three people
----
Ms. Conley. Right.
Mr. Hurd.--right, in between the IT center and the C suite
or the head of the organization. Would you have ever advised a
private sector company to organize their organization that way?
Ms. Conley. Well, it would depend upon the span of control.
So, if you have an organization that's headed up and the
deputy, you look at the span of ----
Mr. Hurd. Mr. Powner, does that make sense?
Mr. Powner. I think if we want to have, as Dr. Holgate
said, CIOs as strategic partners, you've got to report to the
box at the top. And I think a key question is for the agencies
at the head is what are the three things we're doing to
transform our departments or agencies? Technology will be
involved in that. And what's the role of the CIO in helping us
get there? And I don't think you get the right answers to those
questions, Chairman Hurd.
Mr. Hurd. Ms. Killoran, $14.2 billion, that is the IT
spend?
Ms. Killoran. Thereabouts, sir, yes.
Mr. Hurd. Seven-point-two billion is these grants ----
Ms. Killoran. Yes, sir.
Mr. Hurd.--which you don't have to oversee, so that is $7
billion. How much control do you have of that $7 billion?
Ms. Killoran. Of the grants, none.
Mr. Hurd. No, the $7 billion.
Ms. Killoran. Of the internal?
Mr. Hurd. Yes.
Ms. Killoran. So, through the delegation, I have authority
over all of it.
Mr. Hurd. So, you can stop any program ----
Ms. Killoran. Yes, sir.
Mr. Hurd.--from happening, and you could buy anything that
you need to put on your system?
Ms. Killoran. They would have to go through the
organizations to--the appropriations go directly to our
operating divisions.
Mr. Hurd. So why do you not know what all software you have
on your system?
Ms. Killoran. So, for example, just in prepping for this
hearing, over the last year just in Microsoft alone we have
over 170 contracts that bought Microsoft products. And as you
go through them, you have to go through individual resellers.
To fix that problem, we're using the cybersecurity continuous
diagnostics and mitigation capabilities so that we can
inventory ourselves ----
Mr. Hurd. So are you telling me that there is not software
out there that would go out and figure all this out and spit
back a ----
Ms. Killoran. Yes, sir. And that's what I'm saying. That's
what we're actually putting in place, and we'll be in some ----
Mr. Hurd. Okay. And how long does that take?
Ms. Killoran. So, we're putting that in place before the
end of the year. So, we've done the hardware capability, and by
the end of this fiscal year, we're putting in software ----
Mr. Hurd. And what is taking six months to do that, to
implement it?
Ms. Killoran. So, the reasons is that there have been
challenges with working with DHS in getting the license we need
and the capabilities because we far under-scaled what we
thought we would need, and so making that gap so that we have
the totality of the licenses we need to deploy.
Mr. Hurd. Ms. Conley, does it make good financial sense to
not know how many software licenses an organization has?
Ms. Conley. No, sir, it doesn't, and that is something that
we recognize the need to get control over so that we can make
this a far more efficient process. It's very important. All the
software we run in the Department is running off of software
with licenses. That is a real opportunity for us to begin to
consolidate and have greater sight across the organization to
make better use of our licenses.
Mr. Hurd. Ms. Killoran, how many times have you met with
the good director of HHS?
Ms. Killoran. The Secretary, sir?
Mr. Hurd. Secretary, excuse me.
Ms. Killoran. Since his appointment, three times.
Mr. Hurd. And you have been in the position since 2014?
Ms. Killoran. I started--in this position I started in
December of 2015 and actually became the permanent CIO last
July.
Mr. Hurd. And how many times have you met with the number
two?
Ms. Killoran. Currently, obviously, our number two is
vacant. The previous ----
Mr. Hurd. The acting number two?
Ms. Killoran. I have not met with the acting number two.
Previous, though, the previous acting deputy secretary, we met
almost biweekly, and I did also go to the secretary's quarterly
meetings with all of the operating division heads.
Mr. Hurd. Have either one of you all suggested to the new
leadership team of HHS a reorganization of HHS to ensure that
the CIO reports closer than three layers down from the
Secretary of HHS?
Ms. Conley. Well, as you may know, agencies are going
through and implementing this new executive order and giving
thoughts to ways in which we can reorganize our organizations
to make them ----
Mr. Hurd. Have you all come to a conclusion of where the
CIO should sit?
Ms. Conley. There has--it's still predecisional in terms of
the results of those discussions.
Mr. Hurd. Predecisional, I love that word. So, are you
providing guidance, insight, perspective on where that should
be?
Ms. Killoran. So, the way that we're--the Department is
looking at it is they actually looked at the totality of the
work and how we do that better. I was personally involved in
some of those working groups and made recommendations through
that process.
Mr. Hurd. And what were the recommendations?
Ms. Killoran. So, they were around how to change the
culture ----
Mr. Hurd. Let me rephrase the question.
Ms. Killoran.--and how to change ----
Mr. Hurd. I am trying hard not to be like--your
recommendation should be the CIO reports to the agency head or
the true number two, all right? This is pretty standard
practice in industry. It should be standard practice across the
government. And if agency heads are supposed to be responsible
for the ultimate protection of the digital infrastructure, the
person that has the authorities to do that should be directly
under them. So, this isn't complicated, so let's stop making it
complicated. And since we are in a period of this new
implementation with the perspective that the White House on
this, which is right, suggests that you report directly to the
person that is--where the buck stops. This isn't hard. This
isn't hard. So forward it. And maybe we need to write a letter
to them and say, hey, just everybody do this because this is
ridiculous. And the fact that it is going to take six months to
figure out all the licensing that you have makes zero sense.
My last is--anybody else? Yes, Robin Kelly.
Mr. Connolly. Oh, I am sorry.
Ms. Kelly. This is not even really IT related, but, Mr.
Powner, I know you have something to do with all the agencies
under the Federal Government, and I was just saying to my
colleague, it just sounds like there is just a lack of
management structure, period, nothing to do with IT. Are all
the agencies like this, like trying to decide who reports to
whom or what the pecking order is?
Mr. Powner. Well, it differs. I mean, there's--half of them
report to the box, half don't, right? Some of them that report
to the box still don't have authorities, some that don't report
to the box do. I mean, it is so mixed, but I think the key is
if you have a major--Chairman Hurd, back to your point. If you
have a major cybersecurity breach at an agency, who are you
going to call up in front of Congress for--to answer why. It's
going to probably be that dep secretary, along with a few
others. But I don't know why a dep secretary would not want to
rely on a CIO to transform the agency and to secure an agency
because if something happens, they're going to be the ones up
here answering. Look what happened at OPM. It was the director
of OPM that was up here answering questions, and it didn't fare
very well for them.
So, I think the focus on--keep pushing with your grades. I
tell you what one thing that happened with your grades--I know
you released them last night and there was some media
articles--we have four agency CIO shops call GAO this morning
and wanted to talk about the grades. That's good. That's a good
thing. So, I'd say keep pushing.
Ms. Kelly. And I am just asking because before I came here,
I was the chief administrative officer of Cook County, and I
know, you know, there were people that reported directly to me
about what was going on. I had like 10 agencies under me. So,
it just sounds so confusing. I am not blaming you. It just
sounds so confusing and you need some advice from Dr. Holgate
or something. It just sounds very confusing. Thank you.
Mr. Hurd. Mr. Connolly.
Mr. Connolly. I was just going to offer to cooperate with
you, Mr. Chairman. I like your idea of maybe what we do is kind
of inventory outstanding issues that could have been handled
administratively and write a fairly comprehensive letter to our
former colleague Mr. Mulvaney. He was a member of the
committee. He is familiar with these issues. I think he would
be receptive. And I would be glad to work with you, and I know
Ms. Kelly would, too, I am sure on a bipartisan basis to get
that done.
Mr. Hurd. Yes, because when the next--thank you. I am going
to recognize myself again. When the next cyber attack happens,
right, and we have gone through all these conversations, guess
what? We are dragging everybody up in front here. If we have to
use subpoenas, we will. We have done it before; we will do it
again. And I want to make sure that you have all the
authorities you can. That is why we are working hard to get MGT
because instead of putting some of that money back into some
of--you know, buying services you may not need, why not use
that money that you realize and that savings on the highest-
priority issues within your organization? That is the point of
all this.
And, Mr. Powner, why are the grades so bad when it comes to
software licensing?
Mr. Powner. That's a tough one because--we issued a report
several years ago that--we had 22 of the 24 agencies had
complete inventories. We've only had one uptick with three.
Now, to be fair to the agencies, like at NASA there's a partial
inventory that Renee Wynn there, their CIO, has used to achieve
some savings. I think a key thing why we don't have complete
inventories is the CIO authorities. I think there's pockets
within these federated agencies that CIOs cannot--they don't
have good visibility into what's going on. And I think it's a
direct reflection on the CIO authorities why we don't have
comprehensive software license inventories.
Mr. Hurd. Good question. Ms. Killoran, my last question.
You have roughly 3,000 employees within the IT shop. Do we have
job descriptions for all of them?
Ms. Killoran. There are job descriptions, but they vary.
That's one of the things that we're working with both
internally within HHS and now at a Federal level to try to have
standard job descriptions for the same types of work. It has
been a potential issue.
Mr. Hurd. I didn't write my note down. You named it
something.
Ms. Killoran. So, we actually have competency roadmaps for
each of our workforce, and we've done 11 of these competency
roadmaps for particular IT series from a GS-5 all the way to--
up to an SES, including what certificates and skills they
should have at each step.
Mr. Hurd. And you are comfortable OPM can take what you all
are doing and export that to other agencies?
Ms. Killoran. Yes. We're actually in the process of doing
that as we speak.
Mr. Hurd. Do you have an idea of when that process should
be completed?
Ms. Killoran. So, the first step of that they are expecting
to have done I think it's the first quarter of 2018. So,
they're taking those 13 and trying to requalify them, yes.
Mr. Hurd. Okay. That is really helpful on the next project
we are trying to work on, so we have got to know what our gaps
are in our IT staff.
So, seeing no further business, without objection, the
subcommittees stand adjourned. Thank you all for being here.
[Whereupon, at 3:21 p.m., the subcommittees were
adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]