[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT (FITARA) SCORECARD 4.0

JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON INFORMATION TECHNOLOGY
AND THE
SUBCOMMITTEE ON GOVERNMENT OPERATIONS
OF THE
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

JUNE 13, 2017

Serial No. 115-27

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov http://oversight.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
26-560 PDF WASHINGTON : 2017

Committee on Oversight and Government Reform

Trey Gowdy, South Carolina, Chairman

John J. Duncan, Jr., Tennessee
Darrell E. Issa, California
Jim Jordan, Ohio
Jason Chaffetz, Utah
Mark Sanford, South Carolina
Justin Amash, Michigan
Paul A. Gosar, Arizona
Scott DesJarlais, Tennessee
Blake Farenthold, Texas
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Ron DeSantis, Florida
Dennis A. Ross, Florida
Mark Walker, North Carolina
Rod Blum, Iowa
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan

Elijah E. Cummings, Maryland, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
Stacey E. Plaskett, Virgin Islands
Val Butler Demings, Florida
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Peter Welch, Vermont
Matt Cartwright, Pennsylvania
Mark DeSaulnier, California
John P. Sarbanes, Maryland

Jonathan Skladany, Staff Director
Rebecca Edgar, Deputy Staff Director
William McKenna, General Counsel
Troy Stock, Subcommittee Staff Director for Information Technology
Julie Dunne, Senior Counsel
Kiley Bidelman, Clerk
David Rapallo, Minority Staff Director

Subcommittee on Information Technology

Will Hurd, Texas, Chairman

Paul Mitchell, Michigan, Vice Chair
Darrell E. Issa, California
Justin Amash, Michigan
Blake Farenthold, Texas
Steve Russell, Oklahoma

Robin L. Kelly, Illinois, Ranking Minority Member
Jamie Raskin, Maryland
Stephen F. Lynch, Massachusetts
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois

Subcommittee on Government Operations

Mark Meadows, North Carolina, Chairman

Jody B. Hice, Georgia, Vice Chair
Jim Jordan, Ohio
Mark Sanford, South Carolina
Thomas Massie, Kentucky
Ron DeSantis, Florida
Dennis A. Ross, Florida
Rod Blum, Iowa

Gerald E. Connolly, Virginia, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey

C O N T E N T S

Hearing held on June 13, 2017

WITNESSES

Mr. David A. Powner, Director, IT Management Issues, U.S. Government Accountability Office
    Oral Statement
    Written Statement
Ms. Beth Killoran, Deputy Assistant Secretary for IT, Chief Information Officer, U.S. Department of Health and Human Services
    Oral Statement
    Written Statement
Ms. Sheila Conley, Deputy Assistant Secretary, Acting Chief Financial Officer, U.S. Department of Health and Human Services
Dr. Rick Holgate, Research Director, Gartner, Inc
    Oral Statement
    Written Statement

APPENDIX

Questions for the Record for Mr. David Powner, submitted by Ms. Kelly
Questions for the Record for Dr. Rick Holgate, submitted by Ms. Kelly

THE FEDERAL INFORMATION TECHNOLOGY ACQUISITION REFORM ACT (FITARA) SCORECARD 4.0

Tuesday, June 13, 2017

House of Representatives, Subcommittee on Information Technology, joint with the Subcommittee on Government Operations, Committee on Oversight and Government Reform, Washington, D.C.

The subcommittees met, pursuant to call, at 2:03 p.m., in Room 2154, Rayburn House Office Building, Hon. William Hurd [chairman of the Subcommittee on Information Technology] presiding.

Present from Subcommittee on Information Technology: Representatives Hurd, Mitchell, Issa, Russell, Kelly, Lynch, Connolly, and Krishnamoorthi.

Present from Subcommittee on Government Operations: Representatives Meadows, Jordan, Massie, Blum, Connolly, and Maloney.

Also Present: Representative Gowdy.

Mr. Hurd. The Subcommittee on Information Technology and the Subcommittee on Government Operations will come to order. And without objection, the chair is authorized to declare a recess at any time. And I think we are good on votes later in the afternoon, right, so that is a plus for once.

Good afternoon. Thank you all for being here.
You know, nearly two years ago today, we released the first FITARA scorecard, or what some refer to as Issa-Connolly, is that right, Mr. Connolly? This bipartisan committee product, produced with GAO assistance, has been intended to drive technology reform across all of our Federal agencies.

Today, the committee released the fourth FITARA scorecard. And the committee, in coordination with GAO, has adjusted the calculation and added new metrics for each version of the scorecard since the beginning. For example, the FITARA Scorecard 3.0, the final grade included a plus to indicate that the CIO reports to the Secretary or Deputy Secretary of the agency and a minus to indicate if the CIO does not report to these officials. That system remains in place for Scorecard 4.0, and I strongly urge that all agencies with a minus to adjust their reporting structure. This is an easy fix that will help agencies continue to move towards 21st century IT practices.

For Scorecard 4.0, the committee made two adjustments to the grading. First, we simplified the calculation for the incremental developmental area to capture more incremental projects. Second, we incorporated OMB data center optimization metrics into the data center grade so that half the grade is now based on savings as a result of consolidation, and half the grade is based upon meeting optimization metrics. OMB published these optimization metrics last year, so they should not be a surprise to agencies. And we did this based on feedback from the agencies.

The committee is also previewing a new grading area related to the FITARA and MEGABYTE Act requirements on software license management inventories and the effectiveness of software licenses. There is absolutely no excuse for agencies not to have an accurate inventory of the software licenses they have. This is basic IT management.
From Scorecard 3.0 to Scorecard 4.0, four agencies' grades have improved, 15 agencies' grades have stayed the same, and five agencies have declined. Notably, the Department of Defense grade declined from a D to an F. The committee reduced DOD's grade due to a lack of transparency on IT spending. DOD appears to have reclassified a significant percentage of its IT spending as national security systems, which are not covered by FITARA. This lack of transparency is unacceptable. My colleagues and I will be following up with the DOD on this issue.

We also have our first ever ``A'' on this scorecard. USAID, after receiving D's on each of the first three scorecards, significantly improved its scores, particularly in the areas of incremental developmental transparency and risk management. I applaud the work of the office of the USAID CIO to address the score and encourage other agencies to look to them as an example in these areas.

Today's hearing features witnesses from HHS, which has received D's on all four versions of the scorecard, and currently has 44 open GAO recommendations related to high-risk IT acquisitions and operations. I look forward to hearing HHS' plan to close out those recommendations and turn those grades around.

Before I close, I want to take a moment to acknowledge and thank Chairman Chaffetz. The prioritization of IT and cybersecurity issues on the Oversight Committee has been an integral aspect of this committee's success, and I am thankful for Chairman Chaffetz's leadership on these issues. The Congress and the country are better off because of his service as chairman of the Oversight Committee. I thank Chairman Chaffetz for his service and leadership, and I look forward to working with Chairman Gowdy as he leads the committee forward.

Thank you, and I look forward to hearing from all of our witnesses today. And now, it is my pleasure to recognize my friend and the ranking member of the Subcommittee on IT for her opening statement. Ms. Kelly, you are now recognized.

Ms. Kelly. Thank you, Mr. Chairman. And thank you, Chairman Meadows and Ranking Member Connolly, for your leadership and the leadership you have shown our subcommittees continuing to work together to oversee Federal information technology systems. Key to this oversight has been the scorecard our committees have developed for grading agency progress and fulfilling the requirements of the Federal Information Technology Acquisition Reform Act, or FITARA, or Issa-Connolly.

The latest FITARA scorecard shows that President Trump's hiring freeze and plan for imposing deep workforce reductions to agencies may have already begun to reverse the gains many agencies have been making under the prior administration. In January, President Trump ordered a freeze on the hiring of Federal civilian employees, preventing agencies from fulfilling vacancies or creating new positions. This past April, the Office of Management and Budget issued a new directive mandating that the agencies reduce their civilian workforce. Under the OMB directive, agencies are now required to, and I quote, ``begin taking immediate actions to achieve near-term workforce reduction,'' the President's plan for reducing the Federal workforce to make it even more difficult for agencies to hire the most skilled, tech-savvy workforce needed to fully implement FITARA.

This past March, our subcommittees held a hearing on the challenges the Federal Government is facing in Federal IT acquisition and heard from some of the leading IT experts in the private sector. Many of these experts agree that one of the most critical challenges to modernizing government IT operations is the need to hire more IT professionals.

As the new scorecard shows, several agencies have hit roadblocks, and some, like the Department of Health and Human Services, which is here today, continue to fall behind in meeting the requirements of FITARA.
Forcing these agencies to make across-the-board cuts to their workforces on top of the hiring freeze can make it more difficult for them to fulfill the requirements.

It wasn't always this way. Prior scorecards showed steady progress among agencies. But for the first time since our committee began measuring compliance, the new scorecard shows that overall agency progress has stalled under this administration. More specifically, the new scorecard indicates that the grades of only four agencies improved, 15 agencies had no improvement whatsoever, and the grades for five agencies actually went down. In contrast, when the subcommittees released their scorecard this past December, three times as many agencies showed improvement in their scores, and only one agency had a decrease in their grades.

The new scorecard highlights the fact that the Trump administration's Federal workforce policies are harmful and counterproductive. As I pointed out at the hearing our subcommittee held this past December on FITARA, I hope there will be bipartisan interest in holding the Trump administration to the same high standards to which we held the last administration. I want to thank the witnesses for testifying and thank the chair again.

Mr. Hurd. Thank you, Ranking Member. Now, I would like to recognize the chairman of the Subcommittee on Government Operations, the gentleman from North Carolina, Mr. Meadows, for his opening remarks.

Mr. Meadows. Thank you, Mr. Chairman. I just want to say thank you for your leadership on this critical area. You have forgotten more about IT than I ever knew, and I appreciate your leadership. And certainly, for the Issa-Connolly law or, as the gentleman from Virginia would love to call it, the Connolly-Issa law, thank you both for your leadership as we look at moving forward.

I want to thank all of you for being here. Some of this may be not so pleasant. At the same time, it is becoming critically important that we address these issues.
And as you will see, in a bipartisan fashion, we are taking this extremely seriously, and it will have implications from a standpoint of appropriations in other areas that if our IT CIOs don't take it as seriously, they will see other areas that potentially could be impacted because of their inaction. And with that, I yield back, Mr. Chairman.

Mr. Hurd. The chairman yields back. Now, it is a pleasure to recognize the gentleman from the Commonwealth of Virginia, Mr. Connolly, for his opening remarks.

Mr. Connolly. Thank you, Mr. Chairman. And let me thank you and my friend Mr. Meadows and my dear friend Robin Kelly from Illinois for the bipartisan leadership of these two subcommittees. I think one of the big differences between this period--and of course my co-author is here with us today as well--we have handled this on a bipartisan basis. There is no daylight between us or among us on this issue. And I think sending that message to the executive branch is critical.

What was lacking under Clinger-Cohen was any continuity or any robust follow-up because Mr. Clinger retired, Mr. Cohen became Secretary of Defense. That is not the case here. We are still here and we mean it. And we are going to continue to press for progress on the implementation of FITARA, also known as Issa-Connolly.

We are also, I hope, going to introduce legislation shortly to extend the sunset provisions, which I think is one of the recommendations of the GAO, and Mr. Powner may elaborate on that today. But we don't want to lose progress by having those provisions expire prematurely, and we need more time for implementation, not forever, but we need more time.

I echo all of the sentiments my colleagues have shared in their opening statements, and I want to first begin by citing what the chairman cited, which is the progress at AID. Here is an agency that began at a fairly low score and decided, you know what, we can't settle for that. What did they do?
They reached out to GAO and they said what can we do to improve our performance? And you know what, they listened to advice, and they implemented it. And they now have the highest score and the greatest progress of any Federal agency, AID. So, when some agencies say, well, it is too complicated, et cetera, AID has proved that is not true. If there is the political way, if there is a managerial desire to self-improve and to come into the 21st century, you will have congressional support, you will have GAO support, and you will have a nice grade.

On the other hand, at the other end of the spectrum is a recalcitrant, arrogant management style at the Department of Defense. Don't bother us with these troublesome requirements or standards, we are exempt from everything, we will police ourselves, and we will set our own goals and objectives and metrics. The fact that they, of course, fall short of everybody else's is immaterial. And what is so disturbing about that is they are the big budget. And I know when we met with GAO, we were very disappointed in DOD's performance, and all of us agreed, again, on a bipartisan basis, to insist that they improve their performance, that they come into compliance like every other Federal agency. And the burden is on them even greater because they have the dollars. They have the biggest budget of anybody, and they are about to get bigger. So, it is incumbent upon the Department of Defense to ``get right with the Lord,'' and we are going to help them along on a bipartisan basis.

I believe the scorecard is a terribly important tool for measuring progress, and I thank GAO for working with us and coming up with it. I repeat what I have always said. It is not designed to be a scarlet letter on anyone's back. It is designed to prod senior management to provide the wherewithal for a CIO in a reporting sequence but also empowerment so there is accountability, there is transparency, there is responsibility. And it is the taxpayer who benefits.
So, you know, we have set metrics against which we believe people can be fairly measured, and we think it is working, not as fast as we would like. And the slow pace of naming a permanent CIO with the transition and new administration has cost us some progress, and that is why we want to extend the sunset provisions, not the only reason, but that is a primary driver so that we can make up for that time and keep the goals in front of us.

So, I look forward to this hearing. It is one of my favorite every year. I don't know why there aren't klieg lights and cameras all over the room, but I do think this is a terribly important subject, and I thank again my colleagues for their support and their commitment. I yield back.

Mr. Hurd. I would like to thank the gentleman. And I am going to hold the record open for five legislative days for any members who would like to submit a written statement.

And we are now going to recognize our panel of witnesses. I am pleased to welcome a repeat visitor of this chamber, I think one of the few people none of us have yelled at in the Federal Government, Mr. David Powner, the director of IT Management Issues, the U.S. Government Accountability Office; Ms. Beth Killoran, deputy assistant secretary for IT, chief information officer, the U.S. Department of Health and Human Services. Thank you for being here. Ms. Sheila Conley, the deputy assistant secretary, acting chief financial officer at HHS; and Dr. Rick Holgate, the research director at Gartner, Incorporated, and former CIO of the Bureau of Alcohol, Tobacco, Firearms, and Explosives. Welcome to you all.

And pursuant to committee rules, all witnesses will be sworn in before they testify. Please rise and raise your right hands, please.

[Witnesses sworn.]

Mr. Hurd. Thank you. Please be seated. Let the record reflect that the witnesses answered in the affirmative.

In order to allow time for discussion, we would appreciate it if you would please limit your testimony to five minutes.
Your entire written statement will be made part of the record. And I would like to recognize Mr. Powner for his opening remarks for five minutes.

WITNESS STATEMENTS

STATEMENT OF DAVID A. POWNER

Mr. Powner. Chairman Hurd, Meadows, Ranking Members Kelly, Connolly, and members of the subcommittees, I'd like to thank you and your staff for your continued oversight on the implementation of FITARA with this fourth set of grades.

This is the first time we've seen overall grades not improve with only four grades higher, five lower, and 15 holding steady. I would attribute this in part to transitioning administrations and also to your expansion of the scoring methodology. For example, data centers now include how agencies report on five optimization metrics in addition to cost savings. This has resulted in data center grades going down because only EPA and SSA report good progress on these metrics.

The transparent reporting on data center progress that FITARA requires needs to continue beyond the October 2018 date since there are significant expected savings beyond 2018. Extending FITARA's sunset date and realizing these out-year savings is especially important given the MGT Act and this committee's oversight on modernizing old, insecure legacy systems.

Another change to the scorecard is on incremental development where we now capture more software development projects. This change was suggested by several CIO shops, and I'd like to add that we have had good scorecard discussions with almost half of the CIOs or their staff.

Although we've seen progress in the areas scored to date--incremental development, data center optimization, and investment transparency--we think there is great room for improvement on reducing duplicative business or administrative systems under the PortfolioStat initiative.

Your preview of agencies' efforts to better manage software licenses, a major area of FITARA not scored today, is eye-opening.
Your preliminary grades would be two A's, one C, and 21 F's, and if this area was incorporated into the overall grades, we would have three agencies going up and 12 down instead of the four up and five down currently. Only three agencies--Education, GSA, and USAID--have complete inventories of their software licenses. This is completely unacceptable, especially considering this committee's follow-up on FITARA with the passage of the complementary MEGABYTE Act. We need better management and more cost-savings in this area. Again, this is another opportunity area to fill the working capital funds proposed in the MGT Act.

Next, I'd like to turn, Mr. Chairman, to CIO authorities and our ongoing work to this committee on CIO budget visibility, contract approval, and incremental development. The good news is we are hearing that FITARA is improving the relations between chief financial officers and chief acquisition officers. But these improved relations are going to take time to resolve in the outcomes we need. We are still finding CIOs with limited visibility into IT spending, IT contracts and acquisitions not being approved by CIOs, CIOs not certifying that all major acquisitions are taking an incremental approach, despite all these areas being required in FITARA. We plan to have these reports ready for your fifth scorecard, Mr. Chairman.

The reason these authorities are needed is simple: because we need CIOs governing over all IT. We recently found another example of a failed IT acquisition with the Coast Guard's electronic health record that illustrates why CIO authorities need strengthened. Tens of millions of dollars were wasted, nothing was delivered, and when I recently with the admiral in charge, I asked this simple question: Was the CIO involved? The answer: Not then, but they are now with the new EHR acquisition.
This is exactly why FITARA and strengthening CIO authorities are so critically important to have better delivery of Federal IT acquisitions and to more efficiently manage Federal IT operations.

Although there have been some encouraging efforts with the current administration that highlight the importance of delivering technologies more effectively--namely, the Office of Innovation and the American Tech Council--agency CIOs and the Federal CIO are key to carrying out these high-level agendas. In fact, history tells us that the best progress we've seen on managing Federal IT is when the Federal CIO takes an active and aggressive role. This was a major theme that also emerged from the comptroller general's IT forum that we recently held with current and Federal CIOs.

Currently, the Federal CIO and eight Department CIO positions are vacant, and although we have seen several capable individuals filling in, this lack of permanent leadership will negatively impact the progress we are making on FITARA. Your scorecard, Mr. Chairman, highlighting these vacancies will hopefully help draw appropriate attention to these critical positions.

Chairmen Hurd, Meadows, Ranking Members Connolly and Kelly, thank you again for your continued leadership and oversight of Federal IT.

[Prepared statement of Mr. Powner follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Mr. Hurd. Thank you, Mr. Powner. Now, I have been told that HHS has one statement, is that correct, in who will be delivering it? Ms. Killoran, you are recognized for your opening remarks.

STATEMENT OF BETH KILLORAN

Ms. Killoran. Thank you. Good afternoon, Chairman Hurd, Chairman Meadows, Ranking Members Kelly and Connolly. Thank you for allowing the Department of Health and Human Services to come before you today.

Since the passage of FITARA, HHS has been committed to making sure that we are cost-effective, provide high-quality IT that benefits the American citizens and the services by which we provide.
This is a shared commitment both by the HHS CFO, our chief acquisition officer, our chief human capital officer, our mission programs, and myself. Together, we understand HHS's IT budget totals $14 billion and that the spending across our entire portfolio compromises--consists of a number of major investments at our operating divisions and our staff divisions.

The leadership team strives every day to make sure that we're strategically leveraging IT to fulfill our mission and to make sure that we're providing health and human services that foster advances in medicine, public health, and social services so needed by our nation. As a result of this effort, so far, our implementation plan, we are actually able to accomplish 34 of the 39 milestones set forward in our implementation plan and actually five additional ones just within the last month.

One of the FITARA successes we've had is the establishment of a process and criteria for delegating authority to the operating division CIOs. As a large federated organization, we have to be able to identify, prioritize, validate, and verify our nonmajor IT acquisitions. I'm happy to say that, through the criteria that we've established, we've delegated 10 different delegations to those operating division CIOs, and on a year basis I am personally responsible for providing input into the performance of those CIOs, and we evaluate that delegation on a year basis.

We also have been able to increase our use of agile development. We seek to deliver IT-enabled functionality every six months. And this has been able to be accomplished through a process of improving our governance and integration, solving collaboration efforts through development teams, and by making sure that we integrate at all aspects with our customers.

Over the last two years, the CFO and I have jointly held IT budget reviews to review, approve, or reject the IT budgets across our organization.
The purpose of these budgets is to review and discuss how each of our operating divisions is looking at their IT budget and how they're prioritizing, addressing risk within their programs, aligning those IT dollars to agency priorities, and making sure that we understand not just the operating division proprieties but the enterprise ones as well.

Two key accomplishments in this area to date is being able to increase the ability to add funding for our cybersecurity initiatives, which we have been able to over the last three years increase and has dramatic success; changing our budget from 1 percent overall to 5 percent in cybersecurity since 2015. We also have been also making sure that we are looking at our legacy systems and making sure each of our organizations are prioritizing those legacy systems and how they are making initiatives and decisions to make the necessary changes to those systems to keep them secure and viable for those missions.

Also in the stewardship, we're making sure that we are looking at planning, proactively managing our risk across our organization, and to continue to mature our risk management process and evaluation techniques as we update our IT dashboard. We conduct portfolio reviews at individual programs, and this year, we actually did one at Operating Division looking at the totality of their IT programs, which we will adopt and continue to improve and implement across the organization.

For data center consolidation, we continue to make sure that we are looking at the outcome metrics, but we have a challenge around the continuing change in definition and the changing of the goals and requirements. We'll make sure that we are also adopting cloud technology as part of our strategy, and I will say that we have had success in this area, increasing our funding in cloud from $135 million in 2015 to $600 million last year, and we think we'll have three-quarters of a billion dollars in cloud this year alone.
In addition, we have to make sure we're looking at our workforce, and so I have partnered with our chief human capital officer to make sure that we're looking at our requirements to make sure we are--have the ability to attract, develop, and retain IT talent. Currently, we have 1,400 positions in our organization, 3,000 of them overall, but we actually have an over-30-percent vacancy rate, which makes it critical for us to understand how to do this job better to have those resources.

Finally, as HHS continues to move forward with implementation of FITARA, the Department has built a collaborative, integrated business foundation that promotes comprehensive governance across the Department where we can optimize our mission, make sure we provide secure IT services that meet the advances needed for effective and meaningful outcomes for citizens. Thank you.

[Prepared statement of Ms. Killoran follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Mr. Hurd. Thank you. Dr. Holgate, you are up, five minutes.

STATEMENT OF RICK HOLGATE

Mr. Holgate. Thank you, Chairmen Hurd and Meadows, Ranking Members Kelly and Connolly, and distinguished members of the committee. Thank you for inviting Gartner to discuss the FITARA scorecard.

As the former CIO of the Naval Criminal Investigative Service and the Bureau of Alcohol, Tobacco, Firearms, and Explosives, I'm keenly aware of the challenges faced by Federal agencies in managing information technology. Both through my involvement with ACT-IAC and most recently as a research director at Gartner, an IT research and advisory firm assisting 98 percent of the Fortune 100 serving over 10,000 global institutions and drawing on the experience of over 60,000 IT leaders in making smarter IT decisions, I've gained broad perspectives on more effective ways of using IT to further agency missions.

Effective use of IT delivers strategic value and is viewed as a competitive differentiator.
Successful organizations integrate their personnel and processes, including IT, to ensure the success of all of their initiatives, and they treat cybersecurity as part of an executive-level risk management program.

With ever-accelerating changes and innovation, the commercial technology market, not to mention new and evolving cybersecurity threats, Federal agencies must get faster and better at acquiring, integrating, and maximizing the value of best-in-class technologies. FITARA is certainly a step in the right direction, but CIOs can only do so much on their own.

First, the Federal Government must treat IT more strategically and engage agency leadership. Innovative and successful companies involve CIOs early and often on the front end of strategic planning to ensure that they are able to acquire the technology that enables their organizations to succeed. CIOs must be given the opportunity to shape and influence how IT enables the agency strategy early on.

Second, improve acquisition, budget, and funding practices. Acquisition, budgeting, and funding can be impediments if they are too focused on inflexible compliance and risk aversion, as opposed to delivering business and mission outcomes. Adequate resourcing is also a concern. Transformational investments make up only around 21 percent of the Federal IT budget, while private sector firms spend about 30 percent. The average legacy system in the Federal Government is 14 years old compared with 10 years in the private sector. Accelerating adoption of new technology is essential. Modernizing acquisition practices is equally important. Federal agencies must stop thinking of their IT as simply a call center and reimagine it as an engine for innovation and transformation and have the discipline to avoid instinctive cuts during periods of austerity.

Agencies must also be better at using available funds.
CIOs, program managers, acquisition personnel, and budget offices must work together in a better and more unified fashion to avoid delays and bad outcomes. Government-specific reforms such as increased access to multiyear funding, shared accountability models under FITARA, and meaningful maturity model reports to OMB and Congress could also improve government outcomes. Third, achieve greater visibility into agency activities. CIOs need better visibility into the business and contracting operations of the agency. The committee should consider clarifying FITARA's scope. Using an objective, proven rationalization methodology at both the infrastructure and application levels can reduce system duplication, achieve economies in savings, and improve commonality and interoperability. Adding commodity IT measures to the FITARA scorecard and empowering CIOs to undertake these activities and work further with shadow or business unit IT could substantially optimize IT costs and manage security risks while enhancing productivity. Fourth and finally, improve organizational competence. There are many men and women working for the Federal Government who are doing their best to manage a variety of IT systems from multiple generations to achieve agency goals. Still, we must improve overall competence. Successful businesses rapidly discard outdated technologies while hiring and empowering smart IT managers. In the Federal Government, we often see legacy technologies operating far beyond their end of life, while talented IT managers rotate too quickly to make any appreciable impacts. Capitalizing on expanded and improved human capital flexibilities can provide greater access to talent and better cross-disciplinary development opportunities. In addition, CIOs in the IT workforce require a high-functioning team of finance, acquisition, H.R., security, and legal professionals for effective IT leadership. 
The absence of committed and skilled resources across all of these disciplines places an organization and its IT initiatives at elevated risk. Congress has a role to play here, too, in ensuring that agency planning, acquisitions, and funding are all unified. Initiatives such as the MEGABYTE Act, PMIAA, and the pending MGT Act all have productive solutions to offer, and I urge you to consider how each of these bills, as well as FITARA, integrate to make agencies smarter, more agile, and more cost-effective. FITARA is a positive first step, and I encourage its extension and expansion. I suggest three particular additional steps: encouraging agency heads to articulate a clear strategy for leveraging IT to improve business and mission outcomes, including optimizing enterprise, not just IT costs; adjusting scoring metrics and methods to incentivize desired behaviors, and creating an integrated and streamlined approach for assessing progress and across the diverse reporting demands placed on agencies. Thank you for the opportunity, and I look forward to your questions. [Prepared statement of Mr. Holgate follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Mr. Hurd. Thank you, Dr. Holgate. I would like to now recognize the chairman, Chairman Meadows, for his first round of questions. Mr. Meadows. I thank you, Chairman. Thank each of you for your insightful testimony. Ms. Killoran or Ms. Conley, let me come to you. Out of the I guess it was $14 billion that you spend in IT, how much of that actually is grants to States? Ms. Killoran. Seven-point-two billion. Mr. Meadows. All right. So out of the $7.2 billion to States, which States are doing the best job of implementing that money? Ms. Killoran. So that--we would have to get back with you through our grants program because that is automatically done through our grants and is not actually part of what the CIO and CFO look at ---- Mr. Meadows. So, you have no idea which State is doing-- do you not see a problem with that? Ms. 
Killoran. Well, the way that the FITARA works--and we actually asked for clarification when the bill came out--is whether agencies should be responsible for the grants funding or not. And the guidance we got from OMB is that grants would be excluded from the oversight. Mr. Meadows. I agree with that. So, you are not having to focus on this $7.2 billion according to FITARA, is that correct? Ms. Killoran. That is correct, sir. Mr. Meadows. All right. So, let me ask you the follow-up question because I thought that is where we were going. If you are only having to look at the remaining balance, why are we at D's across the board? Why are we not making better progress? Because, you know, I can understand if it is a big number. Why are we not making better progress? Ms. Killoran. So, within the large Federal agencies--so, this is my third federated agency--so started at Treasury and then spent nine years and 11 years at DHS and now here. When you're in a large federated agency, it takes us a little bit of time to establish those foundations. Mr. Meadows. So, assuming that it takes a little bit of time, when are we going to see an improved score? Ms. Killoran. So, you'll actually see--when we talk a little bit, we actually have some cost savings that we have. We actually have a plan for the data centers. So, we ---- Mr. Meadows. So, when are we going to see an improved score? Ms. Killoran.--expect--we're expecting to see some scores change within the next 12 to 18 months. Mr. Meadows. All right. So, Mr. Powner, let me come to you. Is their plan aggressive enough based on other agencies? Should we be expecting more? Mr. Powner. Yes, I think you should. So, I--clearly, they have a FITARA implementation plan they've made progress on, as Ms. Killoran has said. 
I think when you have the large Federal agencies, federated agencies, there's a real opportunity to go after that commodity IT because a lot of those components, there's an opportunity to look at duplication across those components. The other thing is when you look at the data for HHS on data centers, they've actually closed a lot of data centers and done a decent job on that, but there's not much in related savings. So, we need to look real hard at the related savings and also at their optimization ---- Mr. Meadows. So, Ms. Conley, what happened to the money? Ms. Conley. Thank you very much for your question. Thank you very much for your question. In terms of what's happened to the money, at HHS, Beth mentioned we're a large federated organization. Mr. Meadows. Yes, I have only got five minutes. Ms. Conley. Yes. Okay. Mr. Meadows. Just what happened to the money? Ms. Conley. In many cases with these data center consolidations we have gaps in IT spending, meaning there are things that we need to do within our IT portfolio, and oftentimes, the savings that are realized through these different consolidation efforts and modernization efforts are plowed back into those respective systems and infrastructure to provide things that we know need to be done to provide secure, reliable ---- Mr. Meadows. So, without oversight of Congress you are just reprogramming the dollars? Ms. Conley. So, many of those dollars are re-plowed into the very same systems and infrastructure ---- Mr. Meadows. So, let me understand. You close down a data center and you plow it back into the same data center? Ms. Conley. Well, if I might give you an example with our financial systems modernization effort that we just upgraded our financial management systems in 2016. We moved to the cloud implementation. As part of doing that, we saved some money, but at the--and maintained our operations and maintenance costs at the same level, yet we were able to provide things like disaster recovery ---- Mr. 
Meadows. All right. So ---- Ms. Conley.--and more to--better value to the government ---- Mr. Meadows. So, Ms. Conley, Ms. Killoran, let me be specific. We are looking very closely at these numbers, and it is going to have implications from an appropriations standpoint. So, let me come back to you, Mr. Powner. How much does DOD spend on IT annually? Mr. Powner. So, it's about close to 45 percent of the spend, which is $95 billion, so it's well into $40 billion range. Mr. Meadows. So about $40 billion, and I notice they got an F on the transparency and IT dashboard. I mean, why is that? Mr. Powner. So, what happened recently is there were about $15 billion that was on the dashboard that just went away. And what we understand is that it's been classified, we believe, under the national security system umbrella. And it's okay because there is an exemption for national security systems, but to have $15 billion magically appear under that umbrella doesn't seem right and ---- Mr. Meadows. Well, it doesn't seem right to me either, and so here is what I would ask for you to do, and I will close with the chairman's indulgence. We are being asked to fund DOD above this $603 billion that the President has requested. In fact, some in our conference want it to be $640 billion. Take the message back to them, unless they get their heart right on this, there will be no support for increasing that. And I don't know how to make it any clearer. I will let my colleagues on the other side of the aisle talk about perhaps HHS and some of the others. But with DOD, it is going to require Republican votes to increase it, and I for one, unless they get their heart right on the transparency, am not going to be very supportive if you will take that to them if you would. Mr. Powner. Will do. Mr. Meadows. Thank you. I will yield back. Mr. Hurd. Ms. Kelly, you are now recognized for five minutes. Ms. Kelly. Thank you very much. 
In my opening statement, I talked about the hiring freeze that was ordered, and in April, the Office of Management and Budget issued a memorandum to all agencies requiring them to reduce their civilian workforces. The OMB memorandum fulfills a key objective of the President, and I quote, ``the long-term plan to reduce the size of the Federal Government's workforce through attrition.'' Mr. Powner, is retention a critical factor in maintaining an effective IT workforce, and how so if so? Mr. Powner. Yes, clearly, you need to retain the good employees we have, but also, too, we have significant gaps when you look at the IT workforce not only from a cyber perspective but also with some of the other key disciplines, systems engineers and architects and the like. So that's always been a big challenge in the Federal Government. Ms. Kelly. I know we have talked about that before, and do we attribute it to just the lack of a pool to pick from and also the salaries we might not pay? Mr. Powner. Yes, that's true, and I think that's why it's critical that when you look at your IT workforce as a whole and some of the challenges with the salary challenges the Federal Government faces, you need to supplement that appropriately and be really strategic about how you do that with contractors because that can be done with contractors, and that right mix is what you really want to obtain. Ms. Kelly. Okay. Thank you. Dr. Holgate, in your assessment, can agencies make the necessary improvements under FITARA if they don't have the flexibility to hire new employees or replace vacancies? Mr. Holgate. Well, certainly, it's highly dependent on the approach that agencies take in responding to OMB M-17-22. There's latitude given in that memorandum and actually an encouragement for agencies to explore technology-enabled operational efficiencies and effectiveness. 
If agencies are adequately creative about their response to that memo, they should have the flexibility to be more creative and use IT more effectively in their response. The danger, frankly, is if they take a more reactionary tactical approach and treat it more as a cost-cutting exercise, in which case it can result in relatively haphazard across-the-board reductions without that strategic foresight, without that projection for longer-term opportunities that they may be foregoing. So that's the danger in the memorandum itself is just the nature of the response by the agencies themselves. We haven't seen those responses yet in terms of how agencies are thinking about those challenges, but that's the key issue there is how are agencies going to actually shape their response. Ms. Kelly. Well, off the top of your head can you give an example of what being creative means, what that could mean or could look like? Mr. Holgate. Yes, so, for example, you know, leveraging the IT talent that they already have and possibly supplementing it with additional talent in the near term to enable them to automate traditional tasks or mission space, to be more creative across agency boundaries, to reimagine the way agencies deliver services. There are opportunities like that that require a certain amount of creativity and are critically dependent on IT to enable those types of opportunities. So, if agencies--again, if agencies treat this more as a cost-cutting exercise and in an across-the-board fashion, they may sacrifice those long-term opportunities just by virtue of, you know, reducing cost in the short term. Frankly, Gartner's written a lot of research on cost optimization at the enterprise level and the opportunities that IT can present with those opportunities. We've also written a fair amount about the risks of cost-cutting, in particular by taking a blanket approach and foregoing the future opportunities. Ms. Kelly. Thank you. Ms. 
Killoran, in your written testimony you state, ``Recently, HHS conducted an IT workforce inventory and we found that workforce shortages and ever-increasing workload often create an imbalance that hinders employees' ability to attend training or obtain certification.'' This seems like a serious problem because, as your written testimony states, many of HHS's 3,000 IT workers, and I quote, ``do not have the diverse expertise necessary to support current Federal IT needs, including IT project and program management, architecture, or cybersecurity.'' Did I hear you correctly? Ms. Killoran. That is correct. Ms. Kelly. What are some of the gaps in skills in staffing that you attribute to the shortage in IT expertise at your agency that you mention in your written testimony? Ms. Killoran. So, we have--as Mr. Powner indicated, we have significant decreases of our needs in cybersecurity, enterprise architecture, systems engineering are the predominant areas where we have the most significant shortfalls, and then obviously programmatics as well. We actually have worked with our chief human capital officer to start building true capability and roadmaps on competencies that needed to be done for each of these areas all the way from a GS-5 up to what an SES would be. We have identified over 25 different critical positions at this point and have roadmaps for 11 of them. OMB and OPM have determined that this is a great model. We are actually helping to do the Federal CIO workforce community at this, and OPM is trying to adopt that model Federal-wide at this time. Ms. Kelly. I see my time is up, so I yield back. Mr. Hurd. I thank the gentlelady. Now, I would like to recognize the gentleman from California, Mr. Issa. You are recognized for five minutes. Mr. Issa. Thank you, Mr. Chairman. And I am going to follow up maybe just quickly. My question is one of timing. I am hearing people say we don't have enough resources, we don't have enough time. 
You know, I came to Congress in 2000, or was elected in 2000, sworn in first January 3rd of 2001. Basically, I was elected when Amazon was founded. In 2006, you know--well, I will give you 2009 Uber was founded, Instagram in 2012, Snapchat in 2014. In 2014, we took an $82 billion spending and said we were going to deliver to the CIOs real authority to do a job that it had previously not had budget authority, often--and at least in the case of the Affordable Care Act--had three nonprofessionals each pointing at the other saying they didn't have the ability to stop a bad project. We did that after we had written off in Dayton $1 billion at the Air Force, the Department of Defense, on a project where they simply got to the end of $1 billion in spending and said it won't procure parts accurately. So, I think this first question will be for the GAO. Mr. Powner, tell me, why is it I should accept that companies today will launch on Amazon and be world-class, global with apps that allow for tremendous ability to take labor out and put efficiency into things as complex as a million cars around the world being there when you want one? Why is it I have to accept that it takes four years and the progress is minuscule? Mr. Powner. Well, we shouldn't accept it. I mean, we spend now for the fiscal year 2018 budget that's north of $95 billion on IT, and we all know that a lot of that goes towards the old O and M. But 20 percent of ---- Mr. Issa. We know the cost of a NOOK has gone down ---- Mr. Powner. Yes. Mr. Issa.--if you are buying a desktop. Mr. Powner. But 20 percent of $95 billion is a lot of money. And here's the interesting thing is we do see pockets where we do it right, so we don't--I don't--we don't want to hear that you can't do it right. I mean, we see pockets within DOD, within the intelligence community. 
The weather satellite that we just launched that provides great weather warnings, I mean, yes, it took a little longer and maybe a little more money, but there are these pockets of success, so we need to continue to replicate that, hold CIOs and the agencies and actually agency heads accountable. I think some of the CIOs need some help from the agency heads to write these CIO authorities. And going back to the DOD story, I think DOD is the last organization in the world that should be exempt from FITARA. If any organization needs a private sector-type CIO, it's DOD. Mr. Issa. Oh, trust me, we negotiated to try to get less exemptions, and they have their own little world. Quite frankly, they said they had already fixed it with their earlier bill. And yes, we need to have less exemptions. But, Ms. Killoran, let me ask you a question, having been with three agencies and now as a CIO of this one. We gave you budget authority; we gave you the ability to work with your peers to look for, if you will, interagency opportunities. Have you taken advantage of any interagency opportunities where you looked at your other CIOs and said let's do this together? Let's go up on an Amazon cloud and have one common software platform that we can share for certain types of uses, whether it's H.R. or other areas? Ms. Killoran. So, at this time, not across the Federal agencies, but we ---- Mr. Issa. But why not? Do you lack authority? Ms. Killoran. The--no, it's not a lack of authority. It's understanding what we have within our department first and understanding what we have and where those opportunities might be across the Federal Government. So, what we have done internally is trying to get our own house in order in understanding what we have first, and then that allows us to be able to start interacting better with the other Federal agencies. Mr. Issa. So, following up on that, cataloguing all the software and characterizing it is an element for CIOs to evaluate each other, right? Ms. 
Killoran. Yes, sir. Mr. Issa. And the potential cost savings if one agency is up on a cloud with a next-generation software that does something and the others are using, I don't know, a DEC Alpha or something, that means that you can get immediate savings if you only knew, right? Ms. Killoran. I think if there's a--that's a ``yes but'' because sometimes there are capabilities but then they have to be modified and altered based on security requirements and interfaces that different agencies need, but at least it would be nice to understand what's available. Mr. Issa. Well, once the student loan program gets fixed with its interface with the IRS, hopefully, it will be world-class, so I agree with you that sometimes there are security problems. Let me just close with one question. When I hear that $7.5 billion in grants and similar money at many other agencies were determined by the Office of Management and Budget not to be for the CIO to oversee in any way, shape, or form and thus, you know, basically avert the intention of FITARA, which was to give budget authority and financial control, just an opinion but I would like to hear your opinion. Should we speak to OMB and see if, in fact, they would rethink that? Ms. Killoran. I think understanding again that realm of possibility, and so just as you mentioned ---- Mr. Issa. Because the act doesn't say it. That is an interpretation. Ms. Killoran. That's correct. But, I mean, to your point of realm of possibility, there are a number of capabilities and services that the grantees are given that might also help not only our Federal agency but others that are doing similar-like services. So being able to have some, especially when you're interfacing and having some commonality of services, if each of them is doing them in silos, it makes it very difficult to show those capabilities. Mr. Issa. Thank you. And, Mr. Chairman, that is not an original thought. 
Many of us remember when the Affordable Care Act gave many, many billions of dollars to various States, who essentially stood up the exact same platform but each one inventing it, some succeeding and some failing. This was part of the genesis for Mr. Connolly and I working on this. So, thank you for your indulgence. I yield back. Mr. Hurd. The gentleman from the Commonwealth of Virginia is now recognized. Mr. Connolly. I thank the chair. And just to follow up on Mr. Issa's point, obviously, if 100 percent of that $7.2 billion in grants were designed to support 50-year-old legacy systems, and that is all it did, we would be very bothered by that and we wouldn't want you to persist in that investment. We would want you to pressure those grantees to upgrade their IT. So, at some point we are concerned about that, and you need to be, too. So, I echo what Mr. Issa had to say. Mr. Powner--and by the way, Dr. Holgate, thank you. Your testimony was terrific. I mean, I think you laid out a very powerful strategic framework for why this bill was passed and what we intend for it to achieve. And I just want to thank you. I think it was one of the best articulations of what we are about from a witness in a long time, so thank you. Mr. Powner, and thank you for all of the work you and GAO have done. You have done a marvelous job in making this not only a high-risk item but at the very top of the agenda. It is not sexy, but, Lord, can it lead to savings and more importantly, make us so much more efficient in delivering services to the people we serve. That is really what this is about. Why is data center consolidation so important? From your point of view, why is it such a high priority in the Issa-Connolly bill? Mr. Powner. Well, we have very inefficient data centers that are out there. Remember, we got into this in 2010 because the average server in the Federal Government was utilized about 10 percent. 
That metric now, the target is 60 percent of our servers, so we have underutilized equipment, underutilized facilities, and frankly, some of them are so old we could do a lot to improve our security posture, too, by upgrading these centers. And I do think, back to your sunset comment earlier, I mean, there's at least $1.5 billion that we're aware of that is on the table beyond 2018, and I think if you really press DOD and some of the other large organizations, there's probably a lot more. Mr. Connolly. In your 2016 report on this subject, you said that the consolidation plans could save taxpayers more than $8 billion by 2019. Is that correct? Mr. Powner. That's correct. Mr. Connolly. How much has been saved to date? Mr. Powner. So, it's been about $3 billion of the $8 billion has been saved to date, so pretty good progress. Mr. Connolly. Real money? Mr. Powner. Real money. Mr. Connolly. Bigger than the entire grant program of HHS, $8 billion, I mean. Mr. Powner. That's right. Mr. Connolly. I mean, my colleague Mr. Meadows made the point that we got to get our arms around the savings. If you're effectuating savings but we're not accounting for it, you know, the risk is people call it zero. So, Mr. Powner, could you comment on Ms. Killoran's explanation for why we have underreported or underachieved data center savings at HHS even though they are, in fact, doing their job; they are consolidating? Mr. Powner. Yes, I--there's been consolidations. The dollars are minimal when you look at the millions of dollars that have been reported there. It sounds like there's probably more that's not reported that are getting reinvested. I think the important thing here is the transparency, and back to the MGT Act, you want to create these working capital funds at departments and agencies for reinvestment. Let's make darn sure that the reinvestment is on the priorities, and if you don't have transparency, there's no assurance that it's on the priorities. Mr. Connolly. 
I would hope, Ms. Killoran--and it sounds like you would--you might sort of following the footsteps of USAID and reach out to GAO so we have a better mechanism for capturing the actual good work you are doing and the savings they are effectuating, but also that we in fact--where we are reinvesting, we are reinvesting in the priorities that Mr. Powner just talked about. Are you willing to do that? Ms. Killoran. So, thank you for the question, sir. We actually talked before the hearing to do just that. Mr. Connolly. Okay. Great. My final question because I know I am going to run out of time, Mr. Powner, why is DOD so obstinate? Why are they so resistant? And you heard Mr. Meadows say from a Republican point of view take back a message. I don't speak for all Democrats, but I think most of us on our side of the aisle would echo his sentiments. The enormous frustration that that is the biggest single appropriation of the Federal Government and it is getting bigger, and they seem to inoculate themselves from all norms of accountability. And it is very frustrating. For example, OMB directed agencies to submit plans for detailing data center consolidations, is that correct? Mr. Powner. Correct. Mr. Connolly. And what is the Department of Defense's plan? Mr. Powner. They didn't get it in on time. It recently did come in, but they were very, very late. By the time we wrote that report, it was not in. Mr. Connolly. So, were there other agencies also failing to submit? Mr. Powner. No, they were the only remaining one. Mr. Connolly. They were the only agency. And aren't they also the only agency yet to achieve what is called an unqualified audit of their books? Mr. Powner. That's correct. The comptroller general has testified ---- Mr. Connolly. And don't they exempt themselves from what other civilian agencies subscribe to in terms of a GSA list of sort of off-the-shelf generic products that can be purchased at a lower cost? Mr. Powner. Yes, there's some of that. Mr. Connolly. 
Isn't this special? And didn't we have a hearing a few weeks ago in this committee about $125 billion, billion with a B, wasted by the Department of Defense that GAO uncovered? Mr. Powner. Yes. Yes. Mr. Connolly. A hundred and twenty-five billion, right? So, my final question, I am sorry, but why the resistance? Mr. Powner. I think when you look at the DOD accountability and organization structures, it's spread over too many organizations. You have the CIO shop, you got the management organization, you have the acquisition shop, and it's spread over those different organizations. And I think other than the CIO shop, IT doesn't get the right importance and visibility. When you look at the data center consolidation, at one time DOD alone was about $4.8 billion in savings. They backed off of that significantly. I think you really need to look at their IT spend. Look at embedded IT at DOD, weapons systems, satellite systems. I think a CIO type would really benefit some of those large acquisitions at DOD and help with the cost overruns and the lack of delivery. We've had some discussions recently with folks on the Senate side on--in terms of their authorization committee, and the--we just laid it on the table that when you look at embedded IT and other things at DOD, it would benefit from a private sector-like CIO type. Mr. Connolly. Thank you, Mr. Chairman. Mr. Hurd. The distinguished gentleman from the great State of Michigan is now recognized for his five minutes of questioning. Mr. Mitchell. Let me start, Ms. Killoran, as much entertainment as it would be to have the Department of Defense be here, and truly, I think everyone would be thrilled to have a discussion with them about their score, I would like to chat with you a little about your testimony. You indicated that 34 of the 39 goals that you had set up for your implementation plan had been achieved or were on target. Is that accurate? Ms. Killoran. Yes, sir. Mr. Mitchell. 
Then how is it that you still have a D-minus score? Ms. Killoran. So, the goals that we have go to the different elements that are in the FITARA guidance provided by OMB, making sure that we are putting forward the things such as establishing delegations of authority ---- Mr. Mitchell. Okay. Ms. Killoran.--reviewing our IT budgets. Mr. Mitchell. Mr. Powner, can you give me any guidance as to what you think that score will be shortly? Because a D-minus is not exactly stellar. Mr. Powner. Well, clearly, when you look--incremental development, they had a high score, so they're--HHS doing a good job there. The savings to--the two areas we score on savings, very low scores because of the reported savings on commodity IT and data centers. And then another thing, when you look at their dashboard, they're quite green. Only about 14 percent of their investment dollars is red or yellow. That's really--that's not a lot of risk when you look at their investments, and they've got a lot of risky investments there. That's why they get a low score there. Mr. Mitchell. So, what do we expect--I appreciate that. You didn't give me much indication of what we expect their score to be in a year from now. I think we need to have an idea where we expect these agencies--what they expect of themselves to be 12 months from now. Mr. Powner. Well, I would hope when we get the reported savings that within six months to a year we see an improvement in the score. Mr. Mitchell. I spent 35 years in private business. Only in government do we say things like we hope to see improvement, which, with all due respect, doesn't answer the question I asked, which was what do we think, what do we believe the score will be? I am talking about HHS; they are here. What do we believe it is going to be? Ms. Killoran, do you have an answer for me in what your target is for that score a year from now? Ms. Killoran. 
So, as I indicated, we are working to make sure that we are updating and working with GAO on our numbers. So, for example, one problem we have is around the savings. One is around the fact that, as Ms. Conley indicated, we are reinvesting those, so working with GAO how to capture the savings as we are reinvesting to show that at least we did save them in these particular areas. We are getting ready to post an $85 million savings in data centers onto the dashboard today. We are also working to make sure that we are modifying our investment capability to improve our acquisitions. Mr. Mitchell. Well, let me express this. I appreciate that. And it is obviously not just HHS. If this sheet came up at our monthly management meeting or my quarterly meeting with my board of directors, we wouldn't have been in business anymore. That much red and yellow--and we used the same scorecard, red, yellow, green--and obviously, paying attention to what is red and what is yellow was critically important. And we had goals in terms of when we were going to move those. And the problem I have across the board is we don't have dates, we don't have are we going to be green on this within the next year or yellow on this. It is we just hope to see improvement. And that is--in my opinion, to get improvement is wholly inadequate. Dr. Holgate, let me ask you a question real quickly because I am running out of time as well. You talk about cultural change needs that are needed in these agencies in order to see meaningful gains. One of the things I note in, again, the scoresheet is in many cases the agencies that have particularly bad scores--poor scores, let's put it that way--the CIO does not report to the Secretary or the Deputy Secretary. Now, let me explain to you, in my company the chief technology officer reported to me, and believe it or not, I knew where to find him 24/7 because we couldn't get hacked with student data records. We could not have that happen. 
Give me some examples of how you think we--what we need to do to get the culture changes from these agencies so in fact it gets the attention it warrants?

Mr. Holgate. Well, so one aspect I alluded to in my testimony about inviting agency heads to come in to explain to the committee what their attitude is toward IT on behalf of their CIO as an important enabler of business and mission outcomes that IT represents. And the question is do agency heads fully embrace that as an opportunity that they need to capitalize on, or do they treat IT as an afterthought and expense that must be minimized? And that's the cultural change I'm referring to because, frankly, most Federal agencies treat IT not as a strategic asset; they treat it as a headache that they need to minimize.

Mr. Mitchell. Well, and because of that, correlated to that is because they treat it as an issue like that, we also get inadequate cybersecurity. The two go hand-in-hand. The cost of acquisitions and how we efficiently acquire technology is one thing, but if you are treating it basically as a nuisance, guess what, we have security risks on our IT, and we have seen them across the Federal Government.

Mr. Holgate. Absolutely. And contrary to the private sector that treats cybersecurity as an enterprise risk issue, as I alluded to, that's a distinct cultural difference that the Federal Government hasn't adjusted to yet. We've seen repeated encouragement that the Federal Government has gotten to treat cybersecurity as an enterprise risk issue. We've seen some recent evidence of that in the cybersecurity executive order that was just recently issued, but we haven't seen that fully adopted yet at the Federal level.

Mr. Mitchell. Well, I thank you. My time is expired. And, Mr. Chair, I would like to have a conversation with you at some time about how it is we mandate some structural change to these departments so that the CIO gets the attention it warrants. Thank you.

Mr. Hurd.
I am going to recognize myself for a little bit of time. I would like to start off by thanking the minority staff for the suggestion of Dr. Holgate to this panel because I think it has been very valuable. And, Dr. Holgate, am I paraphrasing you correctly when I say that agencies can make their IT centers not a cost center but something that drives business and mission outcomes?

Mr. Holgate. Yes.

Mr. Hurd. And is it fair to say that in order to achieve that, that the agency head needs to recognize the importance of cybersecurity, of how their IT networks drive business and mission outcomes?

Mr. Holgate. Absolutely.

Mr. Hurd. And would that also mean that having the CIO report directly to the agency head, isn't that an important step?

Mr. Holgate. It's certainly relevant. It's not necessarily necessary based on the relationship that the agency head has with the CIO, but it would certainly be an indicator that the agency head has taken that much more seriously.

Mr. Hurd. An indicator, great. Ms. Conley, you are the deputy assistant secretary, and you are the acting CFO?

Ms. Conley. I'm no longer the acting CFO. We have another individual that's come in as part of the new administration that is the acting CFO. I'm the deputy assistant secretary for finance, as well as the deputy CFO.

Mr. Hurd. So that is the position you are going to be in for some time?

Ms. Conley. I believe so.

Mr. Hurd. And you had previous experience in the private sector in helping provide financial management strategies to private sector companies, public sector?

Ms. Conley. That's correct.

Mr. Hurd. And how long have you been at HHS?

Ms. Conley. Eleven years at HHS now.

Mr. Hurd. So, Ms. Killoran does not report directly to the deputy or the agency head. I think that is a problem. Would you agree or disagree with that?

Ms. Conley. I--it depends I think I would say. How do you like ----

Mr. Hurd. Well ----

Ms. Conley.--that pause? But I would say--so if I may ----

Mr. Hurd.
So, let me rephrase the question.

Ms. Conley. Yes.

Mr. Hurd. Why wouldn't Ms. Killoran report directly to you or the agency head?

Ms. Conley. So, we actually--Beth and I are actually peers. We're both deputy assistant secretaries. She's in charge of information technology; I'm in charge of finance. And we have a suite of what we would call our CXO suite. So, it covers finance, it covers ----

Mr. Hurd. So, who is your boss?

Ms. Conley. My boss is the assistant secretary for financial resources, who then reports ----

Mr. Hurd. And who is her boss?

Ms. Conley. The assistant secretary for administration.

Mr. Hurd. And who is the boss of the assistant secretary for administration?

Ms. Conley. Both of those assistant secretaries report to the deputy secretary ----

Mr. Hurd. And then the deputy secretary's boss is?

Ms. Conley. The secretary.

Mr. Hurd. If my count is right, that is like three people ----

Ms. Conley. Right.

Mr. Hurd.--right, in between the IT center and the C suite or the head of the organization. Would you have ever advised a private sector company to organize their organization that way?

Ms. Conley. Well, it would depend upon the span of control. So, if you have an organization that's headed up and the deputy, you look at the span of ----

Mr. Hurd. Mr. Powner, does that make sense?

Mr. Powner. I think if we want to have, as Dr. Holgate said, CIOs as strategic partners, you've got to report to the box at the top. And I think a key question is for the agencies at the head is what are the three things we're doing to transform our departments or agencies? Technology will be involved in that. And what's the role of the CIO in helping us get there? And I don't think you get the right answers to those questions, Chairman Hurd.

Mr. Hurd. Ms. Killoran, $14.2 billion, that is the IT spend?

Ms. Killoran. Thereabouts, sir, yes.

Mr. Hurd. Seven-point-two billion is these grants ----

Ms. Killoran. Yes, sir.

Mr.
Hurd.--which you don't have to oversee, so that is $7 billion. How much control do you have of that $7 billion?

Ms. Killoran. Of the grants, none.

Mr. Hurd. No, the $7 billion.

Ms. Killoran. Of the internal?

Mr. Hurd. Yes.

Ms. Killoran. So, through the delegation, I have authority over all of it.

Mr. Hurd. So, you can stop any program ----

Ms. Killoran. Yes, sir.

Mr. Hurd.--from happening, and you could buy anything that you need to put on your system?

Ms. Killoran. They would have to go through the organizations to--the appropriations go directly to our operating divisions.

Mr. Hurd. So why do you not know what all software you have on your system?

Ms. Killoran. So, for example, just in prepping for this hearing, over the last year just in Microsoft alone we have over 170 contracts that bought Microsoft products. And as you go through them, you have to go through individual resellers. To fix that problem, we're using the cybersecurity continuous diagnostics and mitigation capabilities so that we can inventory ourselves ----

Mr. Hurd. So are you telling me that there is not software out there that would go out and figure all this out and spit back a ----

Ms. Killoran. Yes, sir. And that's what I'm saying. That's what we're actually putting in place, and we'll be in some ----

Mr. Hurd. Okay. And how long does that take?

Ms. Killoran. So, we're putting that in place before the end of the year. So, we've done the hardware capability, and by the end of this fiscal year, we're putting in software ----

Mr. Hurd. And what is taking six months to do that, to implement it?

Ms. Killoran. So, the reason is that there have been challenges with working with DHS in getting the license we need and the capabilities because we far under-scaled what we thought we would need, and so making that gap so that we have the totality of the licenses we need to deploy.

Mr. Hurd. Ms. Conley, does it make good financial sense to not know how many software licenses an organization has?

Ms.
Conley. No, sir, it doesn't, and that is something that we recognize the need to get control over so that we can make this a far more efficient process. It's very important. All the software we run in the Department is running off of software with licenses. That is a real opportunity for us to begin to consolidate and have greater sight across the organization to make better use of our licenses.

Mr. Hurd. Ms. Killoran, how many times have you met with the good director of HHS?

Ms. Killoran. The Secretary, sir?

Mr. Hurd. Secretary, excuse me.

Ms. Killoran. Since his appointment, three times.

Mr. Hurd. And you have been in the position since 2014?

Ms. Killoran. I started--in this position I started in December of 2015 and actually became the permanent CIO last July.

Mr. Hurd. And how many times have you met with the number two?

Ms. Killoran. Currently, obviously, our number two is vacant. The previous ----

Mr. Hurd. The acting number two?

Ms. Killoran. I have not met with the acting number two. Previous, though, the previous acting deputy secretary, we met almost biweekly, and I did also go to the secretary's quarterly meetings with all of the operating division heads.

Mr. Hurd. Have either one of you all suggested to the new leadership team of HHS a reorganization of HHS to ensure that the CIO reports closer than three layers down from the Secretary of HHS?

Ms. Conley. Well, as you may know, agencies are going through and implementing this new executive order and giving thoughts to ways in which we can reorganize our organizations to make them ----

Mr. Hurd. Have you all come to a conclusion of where the CIO should sit?

Ms. Conley. There has--it's still predecisional in terms of the results of those discussions.

Mr. Hurd. Predecisional, I love that word. So, are you providing guidance, insight, perspective on where that should be?

Ms. Killoran.
So, the way that we're--the Department is looking at it is they actually looked at the totality of the work and how we do that better. I was personally involved in some of those working groups and made recommendations through that process.

Mr. Hurd. And what were the recommendations?

Ms. Killoran. So, they were around how to change the culture ----

Mr. Hurd. Let me rephrase the question.

Ms. Killoran.--and how to change ----

Mr. Hurd. I am trying hard not to be like--your recommendation should be the CIO reports to the agency head or the true number two, all right? This is pretty standard practice in industry. It should be standard practice across the government. And if agency heads are supposed to be responsible for the ultimate protection of the digital infrastructure, the person that has the authorities to do that should be directly under them. So, this isn't complicated, so let's stop making it complicated. And since we are in a period of this new implementation with the perspective that the White House on this, which is right, suggests that you report directly to the person that is--where the buck stops. This isn't hard. This isn't hard. So forward it. And maybe we need to write a letter to them and say, hey, just everybody do this because this is ridiculous. And the fact that it is going to take six months to figure out all the licensing that you have makes zero sense. My last is--anybody else? Yes, Robin Kelly.

Mr. Connolly. Oh, I am sorry.

Ms. Kelly. This is not even really IT related, but, Mr. Powner, I know you have something to do with all the agencies under the Federal Government, and I was just saying to my colleague, it just sounds like there is just a lack of management structure, period, nothing to do with IT. Are all the agencies like this, like trying to decide who reports to whom or what the pecking order is?

Mr. Powner. Well, it differs. I mean, there's--half of them report to the box, half don't, right?
Some of them that report to the box still don't have authorities, some that don't report to the box do. I mean, it is so mixed, but I think the key is if you have a major--Chairman Hurd, back to your point. If you have a major cybersecurity breach at an agency, who are you going to call up in front of Congress for--to answer why. It's going to probably be that dep secretary, along with a few others. But I don't know why a dep secretary would not want to rely on a CIO to transform the agency and to secure an agency because if something happens, they're going to be the ones up here answering. Look what happened at OPM. It was the director of OPM that was up here answering questions, and it didn't fare very well for them. So, I think the focus on--keep pushing with your grades. I tell you what one thing that happened with your grades--I know you released them last night and there was some media articles--we have four agency CIO shops call GAO this morning and wanted to talk about the grades. That's good. That's a good thing. So, I'd say keep pushing.

Ms. Kelly. And I am just asking because before I came here, I was the chief administrative officer of Cook County, and I know, you know, there were people that reported directly to me about what was going on. I had like 10 agencies under me. So, it just sounds so confusing. I am not blaming you. It just sounds so confusing and you need some advice from Dr. Holgate or something. It just sounds very confusing. Thank you.

Mr. Hurd. Mr. Connolly.

Mr. Connolly. I was just going to offer to cooperate with you, Mr. Chairman. I like your idea of maybe what we do is kind of inventory outstanding issues that could have been handled administratively and write a fairly comprehensive letter to our former colleague Mr. Mulvaney. He was a member of the committee. He is familiar with these issues. I think he would be receptive. And I would be glad to work with you, and I know Ms.
Kelly would, too, I am sure on a bipartisan basis to get that done.

Mr. Hurd. Yes, because when the next--thank you. I am going to recognize myself again. When the next cyber attack happens, right, and we have gone through all these conversations, guess what? We are dragging everybody up in front here. If we have to use subpoenas, we will. We have done it before; we will do it again. And I want to make sure that you have all the authorities you can. That is why we are working hard to get MGT because instead of putting some of that money back into some of--you know, buying services you may not need, why not use that money that you realize and that savings on the highest-priority issues within your organization? That is the point of all this. And, Mr. Powner, why are the grades so bad when it comes to software licensing?

Mr. Powner. That's a tough one because--we issued a report several years ago that--we had 22 of the 24 agencies had complete inventories. We've only had one uptick with three. Now, to be fair to the agencies, like at NASA there's a partial inventory that Renee Wynn there, their CIO, has used to achieve some savings. I think a key thing why we don't have complete inventories is the CIO authorities. I think there's pockets within these federated agencies that CIOs cannot--they don't have good visibility into what's going on. And I think it's a direct reflection on the CIO authorities why we don't have comprehensive software license inventories.

Mr. Hurd. Good question. Ms. Killoran, my last question. You have roughly 3,000 employees within the IT shop. Do we have job descriptions for all of them?

Ms. Killoran. There are job descriptions, but they vary. That's one of the things that we're working with both internally within HHS and now at a Federal level to try to have standard job descriptions for the same types of work. It has been a potential issue.

Mr. Hurd. I didn't write my note down. You named it something.

Ms. Killoran.
So, we actually have competency roadmaps for each of our workforce, and we've done 11 of these competency roadmaps for particular IT series from a GS-5 all the way to--up to an SES, including what certificates and skills they should have at each step.

Mr. Hurd. And you are comfortable OPM can take what you all are doing and export that to other agencies?

Ms. Killoran. Yes. We're actually in the process of doing that as we speak.

Mr. Hurd. Do you have an idea of when that process should be completed?

Ms. Killoran. So, the first step of that they are expecting to have done I think it's the first quarter of 2018. So, they're taking those 13 and trying to requalify them, yes.

Mr. Hurd. Okay. That is really helpful on the next project we are trying to work on, so we have got to know what our gaps are in our IT staff. So, seeing no further business, without objection, the subcommittees stand adjourned. Thank you all for being here.

[Whereupon, at 3:21 p.m., the subcommittees were adjourned.]

APPENDIX

Material Submitted for the Hearing Record

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]