[House Report 115-344]
[From the U.S. Government Publishing Office]

115th Congress, 1st Session
HOUSE OF REPRESENTATIVES
Report 115-344

======================================================================

FITARA ENHANCEMENT ACT OF 2017

_______

October 10, 2017.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

_______

Mr. Gowdy, from the Committee on Oversight and Government Reform, submitted the following

R E P O R T

[To accompany H.R. 3243]

[Including cost estimate of the Congressional Budget Office]

The Committee on Oversight and Government Reform, to whom was referred the bill (H.R. 3243) to amend title 40, United States Code, to eliminate the sunset of certain provisions relating to information technology, to amend the National Defense Authorization Act for Fiscal Year 2015 to extend the sunset relating to the Federal Data Center Consolidation Initiative, and for other purposes, having considered the same, report favorably thereon without amendment and recommend that the bill do pass.

CONTENTS

Committee Statement and Views
Section-by-Section
Explanation of Amendments
Committee Consideration
Roll Call Votes
Application of Law to the Legislative Branch
Statement of Oversight Findings and Recommendations of the Committee
Statement of General Performance Goals and Objectives
Duplication of Federal Programs
Disclosure of Directed Rule Makings
Federal Advisory Committee Act
Unfunded Mandates Statement
Earmark Identification
Committee Estimate
Budget Authority and Congressional Budget Office Cost Estimate
Changes in Existing Law Made by the Bill, as Reported

Committee Statement and Views

PURPOSE AND SUMMARY

H.R. 3243, the FITARA Enhancement Act of 2017, reauthorizes several provisions in the Federal Information Technology Acquisition Reform Act (FITARA).\1\ These provisions relate to requirements aimed at increasing transparency and improving risk management of major federal information technology (IT) investments and establishing agency reviews of IT portfolios to reduce duplication and realize savings. This bill also extends requirements related to goals and deadlines for the agency data center consolidation initiative from 2018 to 2020.

---------------------------------------------------------------------------
\1\National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, Title VIII, Subtitle D, 128 Stat. 3292, 3438-3450 (2014).
---------------------------------------------------------------------------

BACKGROUND AND NEED FOR LEGISLATION

In fiscal year 2017, the Federal Government will spend more than $89 billion on IT.\2\ Over 75 percent of this spending is on operating and maintaining legacy IT systems.\3\ Legacy IT is often inefficient, costly to maintain, and can have greater security vulnerabilities. The taxpayer's return on IT investments is often at risk with an acquisition system plagued with delays and rising costs. Generally, the IT acquisition system does not reward innovation and excellence. Large government IT investments can take years while the private sector rewards speed and innovation. Given this state of affairs, Congress recognized the need for reform to address IT management and acquisition challenges.

---------------------------------------------------------------------------
\2\U.S. Budget Fiscal Year 2017, Analytical Perspectives: Information Technology 287 (Feb. 2016).
\3\Gov't Accountability Office, GAO-16-468, Federal Agencies Need to Address Aging Legacy Systems (2016).
---------------------------------------------------------------------------

In December 2014, Congress passed the Federal Information Technology Acquisition Reform Act (FITARA) to address some of these challenges.\4\ FITARA represented the first serious IT acquisition and management reform effort since the Clinger-Cohen Act of 1996.\5\

---------------------------------------------------------------------------
\4\National Defense Authorization Act Fiscal Year 2015, Pub. L. No. 113-291, Title VIII, Subtitle D (Dec. 19, 2014).
\5\40 U.S.C. Sec. 11101 et seq.
---------------------------------------------------------------------------

In February 2015, the Government Accountability Office (GAO) added ``Improving the Management of IT Acquisitions and Operations'' to its annual High Risk List for the first time, confirming the need for the reforms codified in FITARA. As of January 2015, only 23 percent of the 737 recommendations were fully implemented.\6\ GAO designates areas as ``high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement or the need for transformation to address economy, efficiency, or effectiveness challenges.''\7\

---------------------------------------------------------------------------
\6\Gov't Accountability Office, GAO-15-290, 2015 High Risk Report 39 (2015).
\7\Id. at i.
---------------------------------------------------------------------------

FITARA provides a vital tool for Congress to conduct oversight of federal IT management and acquisition. Key FITARA provisions include clarifications related to Chief Information Officer (CIO) authority, requirements for agency CIOs and the Office of Management and Budget (OMB) related to the management and acquisition of IT, and directives to the GAO for further oversight.

First, FITARA enhances existing CIO authorities by ensuring the CIO has a significant role in the budgeting, execution, management, and governance processes related to IT management and acquisition.\8\

Second, FITARA establishes key requirements to enhance transparency and improve risk management for federal IT investments. FITARA does this by requiring OMB to publish on the IT Dashboard a list by agency of major IT investments with data on cost, schedule, and performance, and requiring agency CIOs to certify the accuracy of this data.\9\ This provision expires on December 19, 2019.

Third, FITARA requires OMB and agency CIOs to review annually agency IT investments and evaluate their entire IT Portfolio.\10\ Specifically, CIOs must identify: (1) ways to increase efficiencies and effectiveness of IT investments; (2) potential duplication and waste; and (3) cost savings. This provision expires on December 19, 2019.

Fourth, FITARA requires agencies to develop implementation plans to inventory and consolidate data centers and to report to OMB on their performance under these plans.\11\ OMB is also required to develop metrics, including cost savings, for government-wide data center consolidation and optimization plans. Further, GAO must review and verify agencies' data center consolidation efforts. This provision expires on October 1, 2018.

---------------------------------------------------------------------------
\8\Pub. L. No. 113-291, Sec. 831.
\9\Id. at Sec. 832; see https://www.itdashboard.gov.
\10\Pub. L. No. 113-291, Sec. 833.
\11\Id. at Sec. 834.
---------------------------------------------------------------------------

These provisions were established with sunset dates to evaluate the effectiveness of the requirements. These provisions have proven valuable in the Committee's IT oversight activities and improving federal IT management and operations, and therefore should be permanently authorized.

The Committee has furthered the goals of FITARA with vigorous oversight, including the development of a FITARA Scorecard to evaluate agencies' FITARA implementation activities and holding several FITARA-related hearings since the law was passed in 2014.

The Committee, with technical assistance from GAO, developed the Scorecard to assess implementation of four key FITARA provisions.\12\ The Scorecard relies on agency self-reported data and GAO verification of such data. The Scorecard assesses the following areas: (1) CIO authority enhancements; (2) enhanced transparency and improved risk management; (3) IT Portfolio review; and (4) federal data center consolidation initiative.

For Scorecard area one (CIO authority enhancements), the Scorecard assesses agencies' use of incremental development, which is a preferred approach to IT development, and requires agency CIO certification of its use.

For area two (enhanced transparency and improved risk management), the Scorecard rewards agencies that are reporting more risk on major IT investments because GAO found agencies were typically under-reporting risk; thereby putting the success of these IT investments at risk.

For area three (IT Portfolio review), the Scorecard calculates a grade by dividing agency's reported savings through the IT Portfolio review process by the agency's total IT budget for the most recent three fiscal years and assigns a grade relative to other agencies' performance in this area.

For area four (data center consolidation), the Scorecard grades generally are based on the percentage of planned savings realized through data center consolidation.

---------------------------------------------------------------------------
\12\The Federal Information Technology Acquisition Reform Act (FITARA) Scorecard 4.0: Hearing Before the Information Technology and Government Operations Subcommittees of H. Comm. on Oversight & Gov't Reform, 115th Cong. (June 13, 2017), available at https://oversight.house.gov/hearing/federal-information-technology-acquisition-reform-act-fitara-scorecard-4-0/.
---------------------------------------------------------------------------

H.R. 3243 permanently authorizes areas two (enhanced transparency and improved risk management) and three (IT Portfolio review) of FITARA and extends the sunset for area four (data center consolidation). This will ensure the continuation of FITARA requirements that inform the Congress's oversight of federal IT acquisition.

The Committee highlighted the results of the Scorecard and the priority the Committee places on FITARA implementation with hearings. Overall, the Committee has held five FITARA-related hearings of the Subcommittees on Information Technology and Government Operations:

    June 10, 2015, hearing titled, The Federal Information Technology Acquisition Reform Act's Role in Reducing IT Acquisition Risk;\13\

---------------------------------------------------------------------------
\13\The Federal Information Technology Acquisition Reform Act's Role in Reducing IT Acquisition Risk: Hearing Before the Subcomms. on Information Technology and Government Operations of the H. Comm. on Oversight & Gov't Reform, 114th Cong., Serial No. 114-43 (June 10, 2015).
---------------------------------------------------------------------------

    November 4, 2015, hearing titled, The Federal Information Technology Acquisition Reform Act's (FITARA) Role in Reducing IT Acquisition Risk, Part II: Measuring Agencies' FITARA Implementation (first FITARA Scorecard released);\14\

---------------------------------------------------------------------------
\14\The Federal Information Technology [Acquisition] Reform Act's (FITARA) Role in Reducing IT Acquisition Risk, Part II: Measuring Agencies' FITARA Implementation: Hearing Before the Subcomms. on Information Technology and Government Operations of the H. Comm. on Oversight & Gov't Reform, 114th Cong., Serial No. 114-89 (Nov. 4, 2015).
---------------------------------------------------------------------------

    May 18, 2016, hearing titled, The Federal Information Technology Acquisition Reform Act Scorecard 2.0;\15\

---------------------------------------------------------------------------
\15\The Federal Information Technology [Acquisition] Reform Act Scorecard 2.0: Hearing Before the Subcomms. on Information Technology and Government Operations of the H. Comm. on Oversight & Gov't Reform, 114th Cong., Serial No. 114-159 (May 18, 2016).
---------------------------------------------------------------------------

    December 6, 2016, hearing titled, The Federal Information Technology Acquisition Reform Act (FITARA) Scorecard 3.0: Measuring Agencies Implementation;\16\ and

---------------------------------------------------------------------------
\16\The Federal Information Technology [Acquisition] Reform Act (FITARA) Scorecard 3.0: Measuring Agencies Implementation: Hearing Before the Subcomms. on Information Technology and Government Operations of the H. Comm. on Oversight & Gov't Reform, 114th Cong., Serial No. 114-171 (Dec. 6, 2016).
---------------------------------------------------------------------------

    June 13, 2017, hearing titled, The Federal Information Technology Acquisition Reform Act (FITARA) Scorecard 4.0.\17\

---------------------------------------------------------------------------
\17\The Federal Information Technology Acquisition Reform Act (FITARA) Scorecard 4.0: Hearing Before the Subcomms. on Information Technology and Government Operations of the H. Comm. on Oversight & Gov't Reform, 115th Cong., Serial No. 115-27 (June 13, 2017).
---------------------------------------------------------------------------

In light of the improvements agencies made and the effectiveness of the FITARA Scorecard, the Committee recognized the need to eliminate the sunsets and extend the original expiration date for several key FITARA provisions. Consequently, H.R. 3243 will: (1) extend the requirements for agencies to publicly report schedule and cost information and assess the risks of major IT investments; (2) extend the requirement for each agency to regularly assess its IT portfolio, looking for opportunities to reduce duplication and find savings; and (3) continue to hold agencies accountable for consolidating and optimizing their data centers by extending these requirements through 2020.

In the June 13, 2017, hearing, GAO, which has been instrumental in assisting the Committee with overseeing FITARA implementation, expressed support for extending these provisions.\18\ GAO has also reported that agencies have made progress in addressing GAO recommendations to address the high-risk status of the management of IT acquisition and operations. In a March 28, 2017, hearing, GAO acknowledged that as of December 2016, OMB and agencies fully implemented approximately 46 percent of about 800 related recommendations made by GAO (compared to 23 percent in 2015).\19\

In sum, the tools provided in FITARA and the Committee's vigorous oversight of FITARA implementation by Federal agencies have resulted in demonstrable improvements and focused the attention of agencies on this high-risk area. H.R. 3243 will facilitate the Committee's work in this area by eliminating the sunset provisions and extending a deadline for key FITARA provisions.

---------------------------------------------------------------------------
\18\The Federal Information Technology Acquisition Reform Act (FITARA) Scorecard 4.0 Hearing Before Information Technology and Gov't Operations Subcommittees of the H. Comm. on Oversight & Gov't Reform, 115th Cong. (June 13, 2017) (Testimony of David A. Powner, Director of Information Technology Mgmt Issues, Gov't Accountability Office).
\19\Gov't Accountability Office, GAO-17-494T, Implementation of IT Reform Law and Related Initiatives Can Help Improve Acquisitions (2017).
---------------------------------------------------------------------------

LEGISLATIVE HISTORY

On July 14, 2017, Representative Gerald Connolly (D-VA) introduced H.R. 3243, the FITARA Enhancement Act of 2017, with Representatives Darrell Issa (R-CA), Mark Meadows (R-NC), and Robin Kelly (D-IL). H.R. 3243 was referred to the Committee on Oversight and Government Reform. The Committee considered H.R. 3243 at a business meeting on July 19, 2017, and ordered the bill reported favorably by voice vote.

Section-by-Section

Section 1. Short title

The short title is the ``FITARA Enhancement Act of 2017''.

Section 2. Elimination of sunset relating to transparency and risk management of major information technology investments

Section 2 strikes a sunset related to section 11302(c) of title 40, United States Code.

Section 3. Elimination of sunset relating to information technology portfolio, program, and resource reviews

Section 3 strikes a sunset related to section 11319 of title 40, United States Code, and makes a technical amendment.

Section 4. Extension of sunset relating to Federal data center consolidation initiative

Section 4 extends a sunset related to section 834 of FITARA from 2018 until 2020.

Explanation of Amendments

There were no amendments to H.R. 3243 offered or agreed to during Committee consideration of the bill.

Committee Consideration

On July 19, 2017, the Committee met in open session and, with a quorum being present, ordered the bill favorably reported by voice vote.

Roll Call Votes

There were no roll call votes during consideration of H.R. 3243.

Application of Law to the Legislative Branch

Section 102(b)(3) of Public Law 104-1 requires a description of the application of this bill to the legislative branch where the bill relates to the terms and conditions of employment or access to public services and accommodations. This bill reauthorizes several provisions of the Federal Information Technology Acquisition Reform Act (Pub. L. No. 113-291, Title VIII, Subtitle D, 128 Stat. 3292, 3438-3450). As such, this bill does not relate to employment or access to public services and accommodations.

Statement of Oversight Findings and Recommendations of the Committee

In compliance with clause 3(c)(1) of rule XIII and clause (2)(b)(1) of rule X of the Rules of the House of Representatives, the Committee's oversight findings and recommendations are reflected in the descriptive portions of this report.

Statement of General Performance Goals and Objectives

In accordance with clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, the Committee's performance goal or objective of this bill is to eliminate the sunset of certain provisions relating to information technology and to extend the sunset relating to the Federal Data Center Consolidation Initiative.

Duplication of Federal Programs

In accordance with clause 2(c)(5) of rule XIII no provision of this bill establishes or reauthorizes a program of the Federal Government known to be duplicative of another Federal program, a program that was included in any report from the Government Accountability Office to Congress pursuant to section 21 of Public Law 111-139, or a program related to a program identified in the most recent Catalog of Federal Domestic Assistance.

Disclosure of Directed Rule Makings

The Committee estimates that enacting this bill does not direct the completion of any specific rule makings within the meaning of section 551 of title 5, United States Code.

Federal Advisory Committee Act

The Committee finds that the legislation does not establish or authorize the establishment of an advisory committee within the definition of Section 5(b) of the appendix to title 5, United States Code.

Unfunded Mandates Statement

Pursuant to section 423 of the Congressional Budget and Impoundment Control Act (Pub. L. 113-67), the Committee has included a letter received from the Congressional Budget Office below.

Earmark Identification

This bill does not include any congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9 of rule XXI of the House of Representatives.

Committee Estimate

Pursuant to clause 3(d)(2)(B) of rule XIII of the Rules of the House of Representatives, the Committee includes below a cost estimate of the bill prepared by the Director of the Congressional Budget Office under section 402 of the Congressional Budget Act of 1974.

New Budget Authority and Congressional Budget Office Cost Estimate

Pursuant to clause 3(c)(3) of rule XIII of the House of Representatives, the cost estimate prepared by the Congressional Budget Office and submitted pursuant to section 402 of the Congressional Budget Act of 1974 is as follows:

September 29, 2017.

Hon. Trey Gowdy,
Chairman, Committee on Oversight and Government Reform,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 3243, the FITARA Enhancement Act of 2017.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Matthew Pickford.

Sincerely,
Keith Hall.

Enclosure.

H.R. 3243--FITARA Enhancement Act of 2017

H.R. 3243 would amend the Federal Information Technology Acquisition Reform Act (FITARA) to permanently extend some expiring provisions. FITARA was enacted as part of the National Defense Authorization Act for Fiscal Year 2015 and primarily made changes to how the U.S. government buys and manages computer technology. Specifically, the bill would extend the Federal Data Center Consolidation Initiative (FDCCI), PortfolioStat reviews, and the information technology (IT) dashboard. The FDCCI aims to reduce costs and save energy, PortfolioStat reviews are face-to-face meetings between each agency's IT officers and the Office of Management and Budget (OMB), and the IT dashboard provides online details of federal information technology spending.

Information from OMB suggests that implementing those efforts costs a few million dollars annually for agencies to produce the necessary information; however, OMB expects that much of this work would continue regardless of the expiring authority to conduct them. Thus, CBO estimates there would be no significant additional cost or savings to continue those efforts under H.R. 3243.

Enacting the bill could affect direct spending by agencies not funded through annual appropriations; therefore, pay-as-you-go procedures apply. CBO estimates, however, that any net increase in spending by those agencies would not be significant. Enacting H.R. 3243 would not affect revenues.

CBO estimates that enacting H.R. 3243 would not increase direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.

H.R. 3243 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would impose no costs on state, local, or tribal governments.

The CBO staff contact for this estimate is Matthew Pickford. The estimate was approved by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

Changes in Existing Law Made by the Bill, as Reported

In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, and existing law in which no change is proposed is shown in roman):

TITLE 40, UNITED STATES CODE

* * * * * * *

SUBTITLE III--INFORMATION TECHNOLOGY MANAGEMENT

* * * * * * *

CHAPTER 113--RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

SUBCHAPTER I--DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET

* * * * * * *

Sec. 11302. Capital planning and investment control

    (a) Federal Information Technology.--The Director of the Office of Management and Budget shall perform the responsibilities set forth in this section in fulfilling the responsibilities under section 3504(h) of title 44.
    (b) Use of Information Technology in Federal Programs.--The Director shall promote and improve the acquisition, use, security, and disposal of information technology by the Federal Government to improve the productivity, efficiency, and effectiveness of federal programs, including through dissemination of public information and the reduction of information collection burdens on the public.
    (c) Use of Budget Process.--
        (1) Definitions.--In this subsection:
            (A) The term ``covered agency'' means an agency listed in section 901(b)(1) or 901(b)(2) of title 31.
            (B) The term ``major information technology investment'' means an investment within a covered agency information technology investment portfolio that is designated by the covered agency as major, in accordance with capital planning guidance issued by the Director.
            (C) The term ``national security system'' has the meaning provided in section 3542 of title 44.
        (2) Analyzing, tracking, and evaluating capital investments.--As part of the budget process, the Director shall develop a process for analyzing, tracking, and evaluating the risks, including information security risks, and results of all major capital investments made by an executive agency for information systems. The process shall cover the life of each system and shall include explicit criteria for analyzing the projected and actual costs, benefits, and risks, including information security risks, associated with the investments.
        (3) Public availability.--
            (A) In general.--The Director shall make available to the public a list of each major information technology investment, without regard to whether the investments are for new information technology acquisitions or for operations and maintenance of existing information technology, including data on cost, schedule, and performance.
            (B) Agency information.--
                (i) The Director shall issue guidance to each covered agency for reporting of data required by subparagraph (A) that provides a standardized data template that can be incorporated into existing, required data reporting formats and processes. Such guidance shall integrate the reporting process into current budget reporting that each covered agency provides to the Office of Management and Budget, to minimize additional workload. Such guidance shall also clearly specify that the investment evaluation required under subparagraph (C) adequately reflect the investment's cost and schedule performance and employ incremental development approaches in appropriate cases.
                (ii) The Chief Information Officer of each covered agency shall provide the Director with the information described in subparagraph (A) on at least a semi-annual basis for each major information technology investment, using existing data systems and processes.
            (C) Investment evaluation.--For each major information technology investment listed under subparagraph (A), the Chief Information Officer of the covered agency, in consultation with other appropriate agency officials, shall categorize the investment according to risk, in accordance with guidance issued by the Director.
            (D) Continuous improvement.--If either the Director or the Chief Information Officer of a covered agency determines that the information made available from the agency's existing data systems and processes as required by subparagraph (B) is not timely and reliable, the Chief Information Officer, in consultation with the Director and the head of the agency, shall establish a program for the improvement of such data systems and processes.
            (E) Waiver or limitation authority.--The applicability of subparagraph (A) may be waived or the extent of the information may be limited by the Director, if the Director determines that such a waiver or limitation is in the national security interests of the United States.
            (F) Additional limitation.--The requirements of subparagraph (A) shall not apply to national security systems or to telecommunications or information technology that is fully funded by amounts made available--
                (i) under the National Intelligence Program, defined by section 3(6) of the National Security Act of 1947 (50 U.S.C. 3003(6));
                (ii) under the Military Intelligence Program or any successor program or programs; or
                (iii) jointly under the National Intelligence Program and the Military Intelligence Program (or any successor program or programs).
        (4) Risk management.--For each major information technology investment listed under paragraph (3)(A) that receives a high risk rating, as described in paragraph (3)(C), for 4 consecutive quarters--
            (A) the Chief Information Officer of the covered agency and the program manager of the investment within the covered agency, in consultation with the Administrator of the Office of Electronic Government, shall conduct a review of the investment that shall identify--
                (i) the root causes of the high level of risk of the investment;
                (ii) the extent to which these causes can be addressed; and
                (iii) the probability of future success;
            (B) the Administrator of the Office of Electronic Government shall communicate the results of the review under subparagraph (A) to--
                (i) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate;
                (ii) the Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives; and
                (iii) the committees of the Senate and the House of Representatives with primary jurisdiction over the agency;
            (C) in the case of a major information technology investment of the Department of Defense, the assessment required by subparagraph (A) may be accomplished in accordance with section 2445c of title 10, provided that the results of the review are provided to the Administrator of the Office of Electronic Government upon request and to the committees identified in subsection (B); and
            (D) for a covered agency other than the Department of Defense, if on the date that is one year after the date of completion of the review required under subsection (A), the investment is rated as high risk under paragraph (3)(C), the Director shall deny any request for additional development, modernization, or enhancement funding for the investment until the date on which the Chief Information Officer of the covered agency determines that the root causes of the high level of risk of the investment have been addressed, and there is sufficient capability to deliver the remaining planned increments within the planned cost and schedule.
        [(5) Sunset of certain provisions.--Paragraphs (1), (3), and (4) shall not be in effect on and after the date that is 5 years after the date of the enactment of the Carl Levin and Howard P. ``Buck'' McKeon National Defense Authorization Act for Fiscal Year 2015.]
        (5) Report to congress.--At the same time that the President submits the budget for a fiscal year to Congress under section 1105(a) of title 31, the Director shall submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by executive agencies for information systems and how the benefits relate to the accomplishment of the goals of the executive agencies.
    (d) Information Technology Standards.--The Director shall oversee the development and implementation of standards and guidelines pertaining to federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 11331 of this title and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).
    (e) Designation of Executive Agents for Acquisitions.--The Director shall designate the head of one or more executive agencies, as the Director considers appropriate, as executive agent for Government-wide acquisitions of information technology.
    (f) Use of Best Practices in Acquisitions.--The Director shall encourage the heads of the executive agencies to develop and use the best practices in the acquisition of information technology.
    (g) Assessment of Other Models for Managing Information Technology.--On a continuing basis, the Director shall assess the experiences of executive agencies, state and local governments, international organizations, and the private sector in managing information technology.
(h) Comparison of Agency Uses of Information Technology.--The Director shall compare the performances of the executive agencies in using information technology and shall disseminate the comparisons to the heads of the executive agencies. (i) Monitoring Training.--The Director shall monitor the development and implementation of training in information resources management for executive agency personnel. (j) Informing Congress.--The Director shall keep Congress fully informed on the extent to which the executive agencies are improving the performance of agency programs and the accomplishment of the agency missions through the use of the best practices in information resources management. (k) Coordination of Policy Development and Review.--The Director shall coordinate with the Office of Federal Procurement Policy the development and review by the Administrator of the Office of Information and Regulatory Affairs of policy associated with federal acquisition of information technology. * * * * * * * SUBCHAPTER II--EXECUTIVE AGENCIES * * * * * * * Sec. 11319. Resources, planning, and portfolio management (a) Definitions.--In this section: (1) The term ``covered agency'' means each agency listed in section 901(b)(1) or 901(b)(2) of title 31. (2) The term ``information technology'' has the meaning given that term under capital planning guidance issued by the Office of Management and Budget. 
(b) Additional Authorities for Chief Information Officers.-- (1) Planning, programming, budgeting, and execution authorities for cios.-- (A) In general.--The head of each covered agency other than the Department of Defense shall ensure that the Chief Information Officer of the agency has a significant role in-- (i) the decision processes for all annual and multi-year planning, programming, budgeting, and execution decisions, related reporting requirements, and reports related to information technology; and (ii) the management, governance, and oversight processes related to information technology. (B) Budget formulation.--The Director of the Office of Management and Budget shall require in the annual information technology capital planning guidance of the Office of Management and Budget the following: (i) That the Chief Information Officer of each covered agency other than the Department of Defense approve the information technology budget request of the covered agency, and that the Chief Information Officer of the Department of Defense review and provide recommendations to the Secretary of Defense on the information technology budget request of the Department. (ii) That the Chief Information Officer of each covered agency certify that information technology investments are adequately implementing incremental development, as defined in capital planning guidance issued by the Office of Management and Budget. 
(C) Review.-- (i) In general.--A covered agency other than the Department of Defense-- (I) may not enter into a contract or other agreement for information technology or information technology services, unless the contract or other agreement has been reviewed and approved by the Chief Information Officer of the agency; (II) may not request the reprogramming of any funds made available for information technology programs, unless the request has been reviewed and approved by the Chief Information Officer of the agency; and (III) may use the governance processes of the agency to approve such a contract or other agreement if the Chief Information Officer of the agency is included as a full participant in the governance processes. (ii) Delegation.-- (I) In general.--Except as provided in subclause (II), the duties of a Chief Information Officer under clause (i) are not delegable. (II) Non-major information technology investments.--For a contract or agreement for a non-major information technology investment, as defined in the annual information technology capital planning guidance of the Office of Management and Budget, the Chief Information Officer of a covered agency other than the Department of Defense may delegate the approval of the contract or agreement under clause (i) to an individual who reports directly to the Chief Information Officer. (2) Personnel-related authority.--Notwithstanding any other provision of law, for each covered agency other than the Department of Defense, the Chief Information Officer of the covered agency shall approve the appointment of any other employee with the title of Chief Information Officer, or who functions in the capacity of a Chief Information Officer, for any component organization within the covered agency. 
(c) Limitation.--None of the authorities provided in this section shall apply to telecommunications or information technology that is fully funded by amounts made available-- (1) under the National Intelligence Program, defined by section 3(6) of the National Security Act of 1947 (50 U.S.C. 3003(6)); (2) under the Military Intelligence Program or any successor program or programs; or (3) jointly under the National Intelligence Program and the Military Intelligence Program (or any successor program or programs). [(c)] (d) Information Technology Portfolio, Program, and Resource Reviews.-- (1) Process.--The Director of the Office of Management and Budget, in consultation with the Chief Information Officers of appropriate agencies, shall implement a process to assist covered agencies in reviewing their portfolio of information technology investments-- (A) to identify or develop ways to increase the efficiency and effectiveness of the information technology investments of the covered agency; (B) to identify or develop opportunities to consolidate the acquisition and management of information technology services, and increase the use of shared-service delivery models; (C) to identify potential duplication and waste; (D) to identify potential cost savings; (E) to develop plans for actions to optimize the information technology portfolio, programs, and resources of the covered agency; (F) to develop ways to better align the information technology portfolio, programs, and financial resources of the covered agency to any multi-year funding requirements or strategic plans required by law; (G) to develop a multi-year strategy to identify and reduce duplication and waste within the information technology portfolio of the covered agency, including component-level investments and to identify projected cost savings resulting from such strategy; and (H) to carry out any other goals that the Director may establish. 
(2) Metrics and performance indicators.--The Director of the Office of Management and Budget, in consultation with the Chief Information Officers of appropriate agencies, shall develop standardized cost savings and cost avoidance metrics and performance indicators for use by agencies for the process implemented under paragraph (1). (3) Annual review.--The Chief Information Officer of each covered agency, in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) of the covered agency and the Administrator of the Office of Electronic Government, shall conduct an annual review of the information technology portfolio of the covered agency. (4) Applicability to the department of defense.--In the case of the Department of Defense, processes established pursuant to this subsection shall apply only to the business systems information technology portfolio of the Department of Defense and not to national security systems as defined by section 11103(a) of this title. The annual review required by paragraph (3) shall be carried out by the Deputy Chief Management Officer of the Department of Defense (or any successor to such Officer), in consultation with the Chief Information Officer, the Under Secretary of Defense for Acquisition, Technology, and Logistics, and other appropriate Department of Defense officials. The Secretary of Defense may designate an existing investment or management review process to fulfill the requirement for the annual review required by paragraph (3), in consultation with the Administrator of the Office of Electronic Government. 
(5) Quarterly reports.-- (A) In general.--The Administrator of the Office of Electronic Government shall submit a quarterly report on the cost savings and reductions in duplicative information technology investments identified through the review required by paragraph (3) to-- (i) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate; (ii) the Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives; and (iii) upon a request by any committee of Congress, to that committee. (B) Inclusion in other reports.--The reports required under subparagraph (A) may be included as part of another report submitted to the committees of Congress described in clauses (i), (ii), and (iii) of subparagraph (A). [(6) Sunset.--This subsection shall not be in effect on and after the date that is 5 years after the date of the enactment of the Carl Levin and Howard P. ``Buck'' McKeon National Defense Authorization Act for Fiscal Year 2015.] * * * * * * * ---------- NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2015 * * * * * * * DIVISION A--DEPARTMENT OF DEFENSE AUTHORIZATIONS * * * * * * * TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED MATTERS * * * * * * * Subtitle D--Federal Information Technology Acquisition Reform * * * * * * * SEC. 834. FEDERAL DATA CENTER CONSOLIDATION INITIATIVE. (a) Definitions.--In this section: (1) Administrator.--The term ``Administrator'' means the Administrator of the Office of Electronic Government established under section 3602 of title 44, United States Code (and also known as the Office of E-Government and Information Technology), within the Office of Management and Budget. (2) Covered agency.--The term ``covered agency'' means the following (including all associated components of the agency): (A) Department of Agriculture. (B) Department of Commerce. (C) Department of Defense. (D) Department of Education. 
(E) Department of Energy. (F) Department of Health and Human Services. (G) Department of Homeland Security. (H) Department of Housing and Urban Development. (I) Department of the Interior. (J) Department of Justice. (K) Department of Labor. (L) Department of State. (M) Department of Transportation. (N) Department of Treasury. (O) Department of Veterans Affairs. (P) Environmental Protection Agency. (Q) General Services Administration. (R) National Aeronautics and Space Administration. (S) National Science Foundation. (T) Nuclear Regulatory Commission. (U) Office of Personnel Management. (V) Small Business Administration. (W) Social Security Administration. (X) United States Agency for International Development. (3) FDCCI.--The term ``FDCCI'' means the Federal Data Center Consolidation Initiative described in the Office of Management and Budget Memorandum on the Federal Data Center Consolidation Initiative, dated February 26, 2010, or any successor thereto. (4) Government-wide data center consolidation and optimization metrics.--The term ``Government-wide data center consolidation and optimization metrics'' means the metrics established by the Administrator under subsection (b)(2)(G). 
(b) Federal Data Center Consolidation Inventories and Strategies.-- (1) In general.-- (A) Annual reporting.--Except as provided in subparagraph (C), each year, beginning in the first fiscal year after the date of the enactment of this Act and each fiscal year thereafter, the head of each covered agency, assisted by the Chief Information Officer of the agency, shall submit to the Administrator-- (i) a comprehensive inventory of the data centers owned, operated, or maintained by or on behalf of the agency; and (ii) a multi-year strategy to achieve the consolidation and optimization of the data centers inventoried under clause (i), that includes-- (I) performance metrics-- (aa) that are consistent with the Government-wide data center consolidation and optimization metrics; and (bb) by which the quantitative and qualitative progress of the agency toward the goals of the FDCCI can be measured; (II) a timeline for agency activities to be completed under the FDCCI, with an emphasis on benchmarks the agency can achieve by specific dates; (III) year-by-year calculations of investment and cost savings for the period beginning on the date of the enactment of this Act and ending on the date set forth in subsection (e), broken down by each year, including a description of any initial costs for data center consolidation and optimization and life cycle cost savings and other improvements, with an emphasis on-- (aa) meeting the Government-wide data center consolidation and optimization metrics; and (bb) demonstrating the amount of agency-specific cost savings each fiscal year achieved through the FDCCI; and (IV) any additional information required by the Administrator. (B) Use of other reporting structures.--The Administrator may require a covered agency to include the information required to be submitted under this subsection through reporting structures determined by the Administrator to be appropriate. 
(C) Department of defense reporting.--For any year that the Department of Defense is required to submit a performance plan for reduction of resources required for data servers and centers, as required under section 2867(b) of the National Defense Authorization Act for Fiscal Year 2012 (10 U.S.C. 2223a note), the Department of Defense-- (i) may submit to the Administrator, in lieu of the multi-year strategy required under subparagraph (A)(ii)-- (I) the defense-wide plan required under section 2867(b)(2) of the National Defense Authorization Act for Fiscal Year 2012 (10 U.S.C. 2223a note); and (II) the report on cost savings required under section 2867(d) of the National Defense Authorization Act for Fiscal Year 2012 (10 U.S.C. 2223a note); and (ii) shall submit the comprehensive inventory required under subparagraph (A)(i), unless the defense-wide plan required under section 2867(b)(2) of the National Defense Authorization Act for Fiscal Year 2012 (10 U.S.C. 2223a note)-- (I) contains a comparable comprehensive inventory; and (II) is submitted under clause (i). (D) Statement.--Each year, beginning in the first fiscal year after the date of the enactment of this Act and each fiscal year thereafter, the head of each covered agency, acting through the Chief Information Officer of the agency, shall-- (i)(I) submit a statement to the Administrator stating whether the agency has complied with the requirements of this section; and (II) make the statement submitted under subclause (I) publicly available; and (ii) if the agency has not complied with the requirements of this section, submit a statement to the Administrator explaining the reasons for not complying with such requirements. 
(E) Agency implementation of strategies.-- (i) In general.--Each covered agency, under the direction of the Chief Information Officer of the agency, shall-- (I) implement the strategy required under subparagraph (A)(ii); and (II) provide updates to the Administrator, on a quarterly basis, of-- (aa) the completion of activities by the agency under the FDCCI; (bb) any progress of the agency towards meeting the Government-wide data center consolidation and optimization metrics; and (cc) the actual cost savings and other improvements realized through the implementation of the strategy of the agency. (ii) Department of defense.--For purposes of clause (i)(I), implementation of the defense-wide plan required under section 2867(b)(2) of the National Defense Authorization Act for Fiscal Year 2012 (10 U.S.C. 2223a note) by the Department of Defense shall be considered implementation of the strategy required under subparagraph (A)(ii). (F) Rule of construction.--Nothing in this section shall be construed to limit the reporting of information by a covered agency to the Administrator, the Director of the Office of Management and Budget, or Congress. 
(2) Administrator responsibilities.--The Administrator shall-- (A) establish the deadline, on an annual basis, for covered agencies to submit information under this section; (B) establish a list of requirements that the covered agencies must meet to be considered in compliance with paragraph (1); (C) ensure that information relating to agency progress towards meeting the Government-wide data center consolidation and optimization metrics is made available in a timely manner to the general public; (D) review the inventories and strategies submitted under paragraph (1) to determine whether they are comprehensive and complete; (E) monitor the implementation of the data center strategy of each covered agency that is required under paragraph (1)(A)(ii); (F) update, on an annual basis, the cumulative cost savings realized through the implementation of the FDCCI; and (G) establish metrics applicable to the consolidation and optimization of data centers Government-wide, including metrics with respect to-- (i) costs; (ii) efficiencies, including, at a minimum, server efficiency; and (iii) any other factors the Administrator considers appropriate. (3) Cost saving goal and updates for congress.-- (A) In general.--Not later than one year after the date of the enactment of this Act, the Administrator shall develop, and make publicly available, a goal, broken down by year, for the amount of planned cost savings and optimization improvements achieved through the FDCCI during the period beginning on the date of the enactment of this Act and ending on the date set forth in subsection (e). 
(B) Annual update.-- (i) In general.--Not later than one year after the date on which the goal described in subparagraph (A) is made publicly available, and each year thereafter, the Administrator shall aggregate the reported cost savings of each covered agency and optimization improvements achieved to date through the FDCCI and compare the savings to the projected cost savings and optimization improvements developed under subparagraph (A). (ii) Update for congress.--The goal required to be developed under subparagraph (A) shall be submitted to Congress and shall be accompanied by a statement describing-- (I) the extent to which each covered agency has developed and submitted a comprehensive inventory under paragraph (1)(A)(i), including an analysis of the inventory that details specific numbers, use, and efficiency level of data centers in each inventory; and (II) the extent to which each covered agency has submitted a comprehensive strategy that addresses the items listed in paragraph (1)(A)(ii). (4) GAO review.-- (A) In general.--Not later than one year after the date of the enactment of this Act, and each year thereafter, the Comptroller General of the United States shall review and verify the quality and completeness of the inventory and strategy of each covered agency required under paragraph (1)(A). (B) Report.--The Comptroller General of the United States shall, on an annual basis, publish a report on each review conducted under subparagraph (A). (c) Ensuring Cybersecurity Standards for Data Center Consolidation and Cloud Computing.-- (1) In general.--In implementing a data center consolidation and optimization strategy under this section, a covered agency shall do so in a manner that is consistent with Federal guidelines on cloud computing security, including-- (A) applicable provisions found within the Federal Risk and Authorization Management Program (FedRAMP); and (B) guidance published by the National Institute of Standards and Technology. 
(2) Rule of construction.--Nothing in this section shall be construed to limit the ability of the Director of the Office of Management and Budget to update or modify the Federal guidelines on cloud computing security. (d) Waiver of Requirements.--The Director of National Intelligence and the Secretary of Defense, or their respective designee, may waive the applicability to any national security system, as defined in section 3542 of title 44, United States Code, of any provision of this section if the Director of National Intelligence or the Secretary of Defense, or their respective designee, determines that such waiver is in the interest of national security. Not later than 30 days after making a waiver under this subsection, the Director of National Intelligence or the Secretary of Defense, or their respective designee, shall submit to the Committee on Homeland Security and Governmental Affairs and the Select Committee on Intelligence of the Senate and the Committee on Oversight and Government Reform and the Permanent Select Committee on Intelligence of the House of Representatives a statement describing the waiver and the reasons for the waiver. (e) Sunset.--This section is repealed effective on October 1, [2018] 2020. * * * * * * *