House Hearing Transcript on Technology Challenges July 20
The House Subcommittee on Government Operations held a congressional hearing on July 20, hearing from four technology experts examining the need for the government to modernize legacy IT systems. Read the full transcript here.
Chairman Connolly: (00:00) Those in need have often had their misery exacerbated by broken IT infrastructures at the Federal and State level, that have prevented them from receiving timely support. The CARES Act, which was overwhelmingly passed on a bipartisan basis by this Congress, was signed into law on March 27th. It is now July 20th. We still do not have the full post-mortem on the failures of the Small Business Administration ETrans system, tasked with facilitating more than $750 billion in small business loans and grants. The Internal Revenue Service has yet to deliver tens of millions of economic impact payments. In my home state of Virginia, certain types of unemployment claims will not be available until August, due to the state's failure to update its IT systems.
Chairman Connolly: (00:53) The public policy response was there, but our IT systems often couldn't deliver. In other words, the fate of the world's largest economy rises and falls, often with the ability of government IT systems to deliver in an emergency. That should galvanize us all.
Chairman Connolly: (01:14) It's been reported that 21 million people were unable to receive their CARES Act stimulus payments because IRS could not find accurate direct deposit information. Hundreds of thousands of small businesses were shut out of SBA's system for submitting loan applications. For every 10 people who successfully filed for unemployment, an additional three to four were unable to submit claims online. That's a big problem when we're looking at 31 million people, on an ongoing basis, who depend on the unemployment check every week.
Chairman Connolly: (01:54) Issues with legacy IT systems are not news to us on this committee. We enacted the Federal Information Technology Acquisition Reform Act, FITARA, of which I was a proud coauthor, to help federal agencies prioritize federal IT modernization.
The Modernizing Government Technology Act, also coming out of this committee, was passed to enable agencies to establish working capital funds, to help them use savings from IT modernization, in order to further invest in upgraded agile systems and transition away from those legacy systems, legacy systems that are often 30 and 40 years old.
Chairman Connolly: (02:35) The law also created, coming out of this committee again, the Technology Modernization Fund, which established a government funding source for agencies to remove and replace those legacy systems and upgrade their own. Yet the TMF remains chronically underfunded. Outgoing Chief Information Officer, Suzette Kent, has identified this underfunding as illustrative of the small-bore thinking that unfortunately has prevailed when it comes to making IT investments. Agencies responsible for performing critical government functions operate on legacy systems with components, sometimes dating back even 50 years.
Chairman Connolly: (03:15) The Government Accountability Office found that the 10 most critical federal IT legacy systems in need of modernization are maintained by 10 different federal agencies, each performing essential government operations. As they age, these legacy systems become more expensive to maintain, more vulnerable to cyber attacks, less effective in accompanying agency missions.
Chairman Connolly: (03:42) If FEMA's public alert and warning system fails, millions of lives could be lost during a natural disaster, because lifesaving information was not delivered to the public in time. If the Department of the Interior system that monitors power plant stalls, thousands of communities could be left without power. Simply put, outdated and inefficient systems put American lives as well as livelihoods at risk.
Chairman Connolly: (04:09) As we heard from organizations representing federal workers in a subcommittee hearing two weeks ago, agencies have been able to leverage telework, to ensure the continuity of government operations, while also protecting the health and safety of federal workers. Nonetheless, the large scale shift to telework exposed critical cybersecurity vulnerabilities underlying that outdated IT. Since the pandemic hit, IGs, Inspectors General, have reported increased risks of data security breaches, disclosures of classified information, and targeted cyber attacks and fraud schemes affecting financial aid to small business and people affected by the pandemic.
Chairman Connolly: (04:51) Going forward, Federal agencies will need to quickly retire their legacy systems and prioritize modernizing IT, like adopting cloud-computing technologies through FedRAMP, a program that enables agencies to quickly secure and adopt new technologies. I'm grateful for the fact that in the Defense Authorization Bill we're considering today on the floor, in the first en bloc group of amendments, our FedRAMP bill that came out of this committee is included.
Chairman Connolly: (05:23) In 2019, 13 agencies reported to GAO that they achieved at least $291 billion in savings from increasing their investments in cloud technologies. I hope we can continue to advance the bipartisan FedRAMP Authorization Act that passed the House by voice vote into law and signed by the President, on a bipartisan basis.
Chairman Connolly: (05:49) Modern, reliable IT is not just a nice thing to have. Our federal government's consistent failure to prioritize IT modernization and program delivery prevented the public from receiving the assistance Congress authorized to help the nation weather one of the worst global pandemics in a hundred years. We can no longer allow outdated and legacy technology to stymie the delivery of vital public services.
We will need to rip out, root and stem, systems that have hung around for decades, because the replacement costs have been prohibitively expensive. Because if doing so is a matter of being able to save the American economy from collapse, almost anything is cheap by comparison. With that, I call upon the distinguished ranking member for his five minute opening statement.
Mr. Hice: (06:48) Thank you very much, Mr. Chairman. I appreciate a great deal you working with us to make this hearing happen. I really am grateful for that. I would say, though, that we ... guidance to wear masks are one thing and committee rules are another. There's no question that in this room right here, we are well beyond the guidance that the CDC recommends. We have had some who are not here today because they feel as though we are too strict in the requirement of the mask. I would ask as we go forward that we would continue to work through this, to see how we can accommodate all members who would like to participate in hearings within the CDC guidelines as well.
Chairman Connolly: (07:45) I will ... as I have on having a hearing physically, my friend knows I will work as diligently as I can with him. I will, however, note that the committee is following the guidance of the Capitol Hill Physician, who more than strongly recommends the wearing of a mask. It isn't just CDC guidance. We also, well, so we will try to work through that with you. I really appreciate all my colleagues trying to respect everybody's health and safety today.
Mr. Hice: (08:19) I know you will. I look forward to those further conversations. But in behalf of others who feel a little bit differently, I would appreciate that continued conversation. Thank you very much. I'd also appreciate, Mr. Chairman, the fact that you're holding this particular hearing on federal IT modernization. I think we are all very much aware of the need for modernization in this area.
The lack thereof certainly exposes us to security risks as well as the inability for flexibility and scaling up. Ultimately our agencies are incapable of meeting the needs and the responsibilities they are required to do. Yet we as a government continue to spend the majority of our budget on maintaining these legacy systems rather than taking us into the new era of computer needs.
Mr. Hice: (09:20) For example, from 2010 to 2017, over $450 billion was spent just to keep legacy systems running. Of course, that also represents $450 billion that was not able to be used for new technology. At the same time, of course, technology continues to move forward and improve while we are slow to procure any new capabilities whatsoever.
Mr. Hice: (09:49) It's time for us to look at reform. It's time for us to look at changes. How do we go about getting up to date? There's no reason that we don't do so. I very much look forward to our witnesses today and appreciate you being here as we try to consider ways to reform the IT acquisition process and to prevent agencies from trying to reinvent the wheel, particularly when potential solutions already exist in the commercial marketplace. Specifically, this committee is interested, I believe, in learning how and what Congress needs to do to help agencies overcome some of the challenges that are presented by annual funding cycles that frankly make it very difficult to tackle, as it relates to IT modernization.
Mr. Hice: (10:45) I'm hoping today that our witnesses will be able to help this committee understand how we can improve this whole process, and particularly the Technology Management Fund, to help government replace legacy systems. We've got to become more modern and up to date, rather than continuing to rely upon agile, old systems.
Mr. Hice: (11:14) Finally, I think there's got to be some accountability in this whole process to keep agencies responsible for the progress that they're making.
Of course there have been many hearings we've already had on the FITARA scorecard. Somewhere along the way, though, there must, it appears to me, be some sort of incentive that must be involved to help agencies come along and to improve. I look forward to hearing all these types of things as we move forward with the hearing today. I'm hopeful that you'll be able to supply some of those answers. I want to, again, thank all of our witnesses for being here today as we participate in this hybrid hearing. Mr. Chairman, with that, I'll yield back.
Chairman Connolly: (12:01) I thank my friend. He makes some really good points. By the way, our next FITARA hearing is Monday. It is the 10th hearing we will have had on the implementation of FITARA. The good news is I think for the first time since we passed the bill, there are no F's and no D's in the scorecard. We've made some progress. But we still got to retire those legacy systems you were talking about and I was talking about. That's going to require some finesse.
Chairman Connolly: (12:35) I thank the distinguished ranking member. I'd like to introduce our witnesses. Our first witness today is Gordon Bitko, who's senior Vice President of Policy for the Information Technology Industry Council. We're also joined by Matthew Cornelius who's here physically, who's the Executive Director of the Alliance for Digital Innovation. We'll also hear from Steve O'Keeffe, the founder of MeriTalk and somebody who actually was the inspiration for the FedRAMP legislation and has done a lot to try to translate the FITARA scorecard into more digestible ways that I think have been very helpful. Our final witness will be Hannah Shank, who's the Director of Strategy for New America.
Chairman Connolly: (13:21) If our three witnesses who are remote and Mr. Cornelius, if you'd rise and raise your right hand. It is the practice of our committee to swear in our witnesses, and if the other three witnesses can raise their right hand?
Can all of you confirm you are doing so?
Chairman Connolly: (13:46) Do you swear or affirm that the testimony you're about to give is the truth, the whole truth and nothing but the truth, so help you God?
Gordon Bitko: (13:53) [inaudible 00:00:13:58].
Chairman Connolly: (13:54) Let the record show that the witnesses have indicated in the affirmative. Thank you. Without objection, written statements will be made a part of the record. We ask all of our witnesses to try to summarize the testimony within the five minute time limit. With that, Mr. Bitko, you are recognized for your testimony.
Gordon Bitko: (14:18) Good afternoon, Chairman Connolly and ranking member Hice and distinguished members of the subcommittee. Thank you for inviting me to testify today. It is a privilege to discuss federal IT modernization issues with you. My name is Gordon Bitko and I'm the Senior Vice President for Public Sector Policy at ITI, the Information Technology Industry Council. Previously, I was the CIO at the FBI for three and a half years. I have more than 25 years of experience as a technologist and technology manager across the public and private sectors.
Gordon Bitko: (14:46) ITI represents more than 70 leading IT companies. We believe it is more important than ever for the US Government and our member companies to work together in supportive policies that promote effective government through technological leadership. The US public sector must leverage this innovation and leadership by adopting policies that enable easier use of commercial products and services that provide security, agility, scalability, and elasticity that supports an enormous growth demand for digital services and data.
Gordon Bitko: (15:14) That imperative to modernize is true at every government agency. The ongoing pandemic, with the vast increase in remote work, has only accelerated the need for change.
The ability for federal agencies to shift to large scale telework during the pandemic is the result of some of the transformative activities of recent years, such as migration to commercial providers for at least some critical infrastructure and services.
Gordon Bitko: (15:36) But incremental change is insufficient in the face of exponential growth. When stressed enough, legacy systems fail catastrophically. We saw this in multiple state unemployment systems, but many federal agencies also provide critical services through decades-old systems. Providing the quality service that Americans expect and deserve means these systems must modernize. Technological transformation can only happen if there's consistency and a dedication to both providing funding and addressing the policies and practices that restrain innovation and modernization in government information technology.
Gordon Bitko: (16:08) The Department of Justice Data Center Consolidation highlights many inhibitors of innovation. Starting in 2014, DOJ planned to consolidate to three core facilities, with two owned and operated by the FBI, including a newly funded center constructed at an existing facility in Idaho. An RFP was posted in February of 2016. Groundbreaking occurred in October of 2017. Building opened last November and full operation scheduled for this September.
Gordon Bitko: (16:33) It will already be out of date. Two years ago, commercial providers consulted about providing services using the facility have declined, that already fell short of their technical requirements. A new facility enabling DOJ to close multiple data centers is progress. Data center metrics will improve and some applications will modernize. But it will never be a state of the art facility and will continue to host the legacy systems subsisting on O&M budgets.
Gordon Bitko: (16:59) Meanwhile, systems able to invest in modernization will migrate to commercial providers with innovative technologies and resources that dwarf DOJ's.
Government's limited technical and contract expertise, risk aversion, process inefficiencies, unpredictable funding, and inflexible construction processes all contribute to timelines much longer than commercial best practices.
Gordon Bitko: (17:19) At the same time, a lack of multi-year IT modernization funding means that legacy applications endure. Federal IT isn't held together by duct tape. There are excellent professionals throughout government delivering quality information technology capabilities. But the reality is it is still too hard for them to get to the front lines and focus on core long-term agency challenges. When government has defined unnecessarily complex requirements, based on data business process needs, the overhead of a customized solution has often made projects late, over budget, and underused. But when the government has well-defined objectives and smartly engaged with industry, the result has been successful and cost effective commercial services securely provided at speed and scale. Adopting this approach empowers industry to create world-class services for government, drive competition by leveraging standards, and encouraging innovation by opening markets to new companies, products and services.
Gordon Bitko: (18:11) At the same time, IT budget and acquisition processes must evolve to allow and empower the federal workforce to leverage commercial capabilities. Transformational change requires long-term strategic and financial commitments. The annual budget cycle forces agency IT planning staff to spend too much time managing the budget process, and too little time ensuring projects and programs are well managed and well-funded.
Gordon Bitko: (18:34) However, those same IT planning staff need to adopt a continuous delivery mindset. They shouldn't be managing projects on traditional schedules, but rather on outcomes like the delivery of capabilities that improve the mission and their use both within and outside the agency.
Government processes and tools for managing investments, such as the FITARA scorecard and the Federal IT dashboard need to be updated to reflect those modern realities of IT developing.
Gordon Bitko: (18:59) Thank you again for inviting me. I look forward to your questions.
Chairman Connolly: (19:04) Thank you very much. Mr. Cornelius, you're recognized for five minutes.
Matthew Cornelius: (19:10) Chairman Connolly, Ranking Member Hice, and distinguished members of the subcommittee, thank you for the opportunity to testify today on the vitally important topic of federal IT modernization. My name is Matthew Cornelius. I'm the Executive Director of the Alliance for Digital Innovation.
Matthew Cornelius: (19:23) We're a nonprofit organization made up of nearly two dozen of America's leading commercial technology companies, which focuses on empowering the government to deliver the effective digital experiences that citizens deserve. Our companies have a successful track record of modernization in large complex enterprises across both the public and private sector. We at ADI are keenly aware that the government's continued reliance on outdated, insecure legacy technology fundamentally obstructs the creation of a modern secure digital government. Today, I will share our perspective on both the challenges and opportunities agencies face and will offer some recommendations to improve the speed, scale, and likelihood of success in modernizing legacy IT.
Matthew Cornelius: (20:03) Prior to ADI, I had the privilege of serving in senior federal IT policy roles in both the Office of Management and Budget and the General Services Administration, where I led the creation and execution of several key government wide technology efforts, including the IT Modernization Cap goal in the President's Management Agenda and the Technology Modernization Fund.
I highlight these additional experiences as I believe they provide me with a unique understanding of IT modernization that I can share with you today.
Matthew Cornelius: (20:28) When I described the government's legacy problem, I want to note that it goes far beyond certain systems that are decades old. It is a cultural problem, both inside government and out. For starters, the government is averse to market pressures and often relies on woefully outdated business model that prioritizes building and owning technology solutions inside agencies. In addition, there is little alignment of agency procurement and financial management processes to commercial best practices. Agencies rarely have the appropriate incentives to modernize effectively and partner with truly innovative companies to drive mission outcomes. The recent report by the Pandemic Response Accountability Committee highlighted IT and cybersecurity as two major challenges faced by agencies during the response to COVID-19. However, the report also pinpointed numerous examples, such as the Department of Health and Human Services, the Nuclear Regulatory Commission, and the Department of Defense, who have been able to deal with the significant disruptions of COVID-19 because they were already investing significantly in cloud computing and had enhanced both their telework capabilities and digital workflows.
Matthew Cornelius: (21:29) Such examples are possible because these agencies had a commitment to IT modernization from senior leadership, a workforce able to effectively buy and deploy these new technologies, and a culture that embraces innovation. Still, more can be done.
Matthew Cornelius: (21:42) A second key to empowering and accelerating IT modernization is to ensure that agencies can easily and effectively acquire and use commercial capabilities to achieve mission outcomes.
While some public sector agencies are embracing cloud and other emerging technologies, too many are hamstrung by technical debt and procurement paradigms that lead to wasteful spending and poor customer satisfaction.
Matthew Cornelius: (22:04) ADI has written extensively on the need for government to follow current law, such as the Federal Acquisition Streamlining Act, which establishes a commercial-first framework. Government must prioritize the acquisition of commercial off-the-shelf solutions, which are easier to embed across the agency's IT enterprise, are more secure, and cost substantially less than bespoke agency-specific systems.
Matthew Cornelius: (22:26) Third, successful IT modernization requires many years of sustained investment and the ability of agency leaders to make adjustments and address challenges that occur along the way. Unfortunately, the budgeting and appropriations processes rarely provide the necessary flexibility to try to drive true digital transformation. The current model restricts the ability of agencies to both plan and invest wisely in modernization. The expansion of IT working capital funds, as envisioned under the MGT Act, would allow agencies to make smarter long-term investments. Additionally, ADI supports providing significantly more money to the Technology Modernization Fund, so the government can support digital transformation across the federal enterprise.
Matthew Cornelius: (23:08) Finally, there are several options Congress may consider to help accelerate IT modernization. For example, Congress should overhaul decades-old laws, such as Clinger-Cohen and the E-Government Act, to provide a current sustainable foundation for IT modernization, more aligned to today's technology environment. Congress should also build on its oversight successes made possible by the FITARA scorecard to update current metrics and include new ones, such as cloud adoption, FedRAMP authorization and reuse, and the acquisition of commercial items.
Additionally, Congress can continue encouraging agencies to prioritize training the federal workforce on current procurement, cybersecurity, and digital capabilities. Modernization is impossible without a highly skilled, capable workforce. Most importantly, Congress should consider should continue to make IT modernization a critical issue that unites both parties, both chambers of Congress, and both the Legislative and Executive branches.
Matthew Cornelius: (24:05) In conclusion, IT modernization is vital not only because it saves money and enhances cybersecurity. It is the primary means for agencies to competently and capably deliver important citizen services to the American people. ADI is proud to highlight the modernization successes happening across the federal enterprise and to share our insights on eliminating costly wasteful legacy IT. Thank you again for the opportunity to appear here today. I look forward to your questions.
Chairman Connolly: (24:31) Thank you very much, Mr. Cornelius. I can assure you, every single major vote on this committee, since I've been here, on this subject, has been bipartisan. We've never had a partisan vote. In fact, it'd be hard to tell the difference between us when we start talking about it. I'm very proud of that. Mr. O'Keeffe, you're recognized for five minutes.
Steve O'Keeffe: (24:53) Thank you. Chairman Connolly and distinguished members of the subcommittee, thank you for the opportunity to speak today. Chairman Connolly, thank you for your constant leadership on federal IT and workforce issues. My name is Steve O'Keeffe. I'm the founder of MeriTalk, the leading government IT publication research and conference company.
Steve O'Keeffe: (25:13) We are here for one reason: the pandemic made the federal community and yes, cabinet secretaries, and for that matter, the American public, get the importance of federal IT. It's Rodney Dangerfield and Winston Churchill here. We don't get no respect.
And as Churchill famously told us, "Never let a good crisis go to waste." A quick ironic flashback, I testified on this very topic, the urgent need for speed in federal IT modernization.
Steve O'Keeffe: (25:45) A decade ago, on the Senate side, I testified against then federal CIO Vivek Kundra, who put forth a 25 point plan to modernize federal IT. I argued that it was far too complex. There are only 10 commandments. How can they be 25 points in the plan to fix federal IT? It proved true. Complexity is the number one issue of federal IT modernization. So what to do? Well, this is like a five minute Hamlet. Let's bid the players make haste.
Steve O'Keeffe: (26:16) Action one, attack complexity. The time is right for FITARA and MGT to shine. However, these lighthouse laws and federal CIOs are mired in the slings and arrows of complexity. We need to cut to the quick. Consider that complexity, it really is an alphabet pea soup. We have FITARA, we have MGT, we have TMF, we have FedRAMP, Decoy, COEs, Cap Goals. I'm just scratching the surface. This is madness. Just looking at cybersecurity, it's CDM, TIP, FISMA, Einstein. Now DHS gives us QSMO. Even Einstein could not fathom all of that.
Steve O'Keeffe: (27:01) How about we simplify and rebrand these initiatives and give them names that describe the function they perform and fit them together into a coherent narrative that explains the value they deliver. What about we plug those programs all into FITARA with tangible outcomes and metrics associated. First off, let's attack complexity. Second, FITARA for the future, it's time to evolve. As we approach the 10.0 FITARA scorecard, which I guess is it's coming out next week, the legislation has proved a huge success. Congratulations. But five years is an eternity in the IT space. It's time to modernize FITARA. Let's make the FITARA scorecard real time, plugging the scoring criteria into the IT dashboard.
Let's make the FITARA IT dashboard the, "To be or not to be," of federal IT. This would kill confusion about what's measured in FITARA and make FITARA the real time epicenter in a radically simplified, federal IT governance landscape.
Steve O'Keeffe: (28:12) As in Shakespeare's plays, relationships are very important. We need to wed for FITARA and MGT. As you know, TMF was part of FITARA's first act. Let's hardwire MGT-TMF funding into the FITARA scorecard. Agencies that score below a C simply are not available to get TMF funds.
Steve O'Keeffe: (28:36) The next point is appropriations, appropriations, appropriations. Let's consider the ghost in the hearing room on TMF. When TMF was originally part of the first FITARA package, the draft legislation called for $3 billion in annual funding. TMF's never been capitalized with more than $25 million and most years has actually been zero funded. We need to engage appropriators. Back to Churchill, we will never have a better opportunity to seize appropriators' attention. And industry, here's an opportunity for you to get involved. Engage through the trade groups to talk to appropriators about this issue.
Steve O'Keeffe: (29:15) My fourth point, danger ahead, IT sprawl and relief funding. A note of caution: as we look to reinforce and evolve FITARA, we see new warning signs that point to new IT sprawl ahead. CARES and other pandemic relief bills provide welcome funding for IT modernization. But in many cases, they [inaudible 00:29:37] round around the CIO's office, and indeed FITARA. America needs the relief, but be aware of sprawl and any subversive shadow IT subplots.
Steve O'Keeffe: (29:49) Lastly, the next federal CIO should come from inside of the government IT community.
While I know that this committee does not pick the next federal CIO, I would be remiss if I didn't make a plea for the next administration to select a federal CIO-
Steve O'Keeffe: (30:03) If I didn't make a plea for the next administration to select a federal CIO that knows government IT from the start, I would laud Ms. Suzette Kent and Mr. Tony Scott, who acquitted themselves very, very well as federal CIOs. However, bringing somebody in from outside government creates a massive learning curve. I already talked about the complexity. We should pick somebody that knows government IT. We have a lot of very qualified candidates. So it's a play in five acts: attack complexity, evolve FITARA forward for the future, appropriations, appropriations, appropriations, look out for IT sprawl as we see relief funding coming in, much needed relief funding. We want to make sure doesn't cut around the CIO's office in FITARA. And we need to choose wisely for our next federal CIO. Federal IT experience will be a huge plus.
Chairman Connolly: (30:56) Thank you, Mr. O'Keeffe.
Steve O'Keeffe: (30:57) Last time-
Chairman Connolly: (30:58) Thank you very much.
Steve O'Keeffe: (30:58) Thank you.
Chairman Connolly: (31:02) Hannah Shank, you're recognized for five minutes.
Hannah Shank: (31:06) Thank you for the opportunity to speak today. My name is Hannah Shank and I am the managing director of the Public Interest Technology group at New America, a think and action tank, and I've spent over 25 years working in technology in both the public and private sectors. I want to start with a story. Lisa Charles lives outside of Charlottesville, Virginia. The 42-year-old divorced mother of two typically qualifies for the earned income tax credit. She works when she can but spends the bulk of her time tending to her older son's severe medical problems. His endocrine system does not function properly and he spends a lot of time in and out of the hospital.
Because Charles was below the filing threshold and had not filed 2018 or 2019 taxes, she was one of an estimated 12 million Americans who had to claim her stimulus check using the IRS's non-filer portal.
Hannah Shank: (32:02) In March, sitting beside her son at the hospital, she filled out the form. She really needed the money because she was behind on rent and facing eviction. To date, she has not received the stimulus money for her children or the $2,148 she qualifies for under the earned income tax credit. What Charles didn't understand is that the non-filer portal prevents its users from claiming the EITC. As a workaround to allow non-filers to claim a stimulus check, the portal files simple tax returns for its users unbeknownst to Charles and millions of other Americans. So when she attempted to claim the EITC, because she had used the portal, the IRS said she had already filed taxes and couldn't do so again. To remedy the situation, Charles must mail a 1040 form to the IRS and wait for the agency to work through its backlog to get to her. In the meantime, Charles' bills won't wait.
Hannah Shank: (33:05) When it comes to federal IT failures, we are used to hearing stories about websites crashing or huge cost overruns and delayed launches. But Charles' story is more and more what federal IT disaster stories will sound like. Unless the federal government changes its approach to technology, badly designed systems layered on top of a badly thought through process ending up in a total failure of service delivery for the people who need it most is our future. Yes, it is true that the federal government often relies on IT systems that date back to the 1950s, which doesn't help matters, but two bigger issues created the catch-22 that Charles and millions of others are caught in. And it's worth noting that while this example is specific to the IRS and The CARES Act, it could be happening with any agency and any new policy at any time.
Hannah Shank: (34:02) The first issue is that these systems were built for a time when people didn't use computers from home. They're built for phone, mail, fax, or in person contact. The second issue is that when government implements a policy, that policy implicitly relies on existing IT to be delivered. But the policy creation process doesn't take delivery into account. Congress is used to enacting policy and having it then be a reality. In today's world, there is an entire technology component that must be put into place in order to make policy a reality. For something like The CARES Act, that money doesn't exist for the people who need it until they're able to successfully file for and receive it. This means that policymakers need to think about things like, how will people apply for this? What systems will this rely on? And what is the status of those systems? How will people track the progress of their applications just as they can track a package they ordered online? Hannah Shank: (35:04) This transparency into government processes is essential. Thinking about delivery means thinking about all the different types of people who might file for something, thinking about how they might file, and what might go wrong. Businesses would not survive without thinking this through yet it mostly doesn't happen in federal IT projects. So what's the solution? First, there needs to be a modern technology workforce inside the government and this starts from the top. There must be a very senior person at each federal agency who has a background in technology who can bring that experience to bear on policy decisions. Hannah Shank: (35:46) Second, all policy decisions must include a tested delivery plan that should start here in Congress. Finally, I want to touch on cost savings. When IT fails, it is expensive. We see cost overruns into the billions of dollars. 
Bringing senior tech talent in house, while potentially expensive as a line item, would likely lead to tremendous cost savings as there would be people who could advocate for building the right thing the right way the first time. There would be no need to patch unforeseen holes quickly as the IRS was forced to do with The CARES Act. Government would get it right, save money, and serve the people the way it is intended. Thank you. Chairman Connolly: (36:30) Thank you, Miss Shank. Thank you. I would note before calling on Miss Norton, if you look at the FITARA scorecard, Miss Shank, you will see that one of the categories for scoring is the empowerment of a CIO to make decisions at the top and to make sure that person reports to the boss so that we're empowering it and investing it with authority as well as responsibility. We also, as part of FITARA when we actually wrote the bill, were focused on the last point you made about bad projects or projects that go bad and being able to pull the plug quickly so that we minimize the fiscal damage. And again, FITARA encourages that and authorizes that. Okay. Miss Norton, are you with us? Delegate Congresswoman Eleanor Holmes Norton, are you with us? Eleanor Holmes Norton: (37:42) Can you hear me now? Chairman Connolly: (37:43) Yes, we can. Thank you. Eleanor Holmes Norton: (37:46) All right. Chairman Connolly: (37:47) There you are. Eleanor Holmes Norton: (37:48) Mr. Chairman, the first thing I want ... The first thing I want to do is say thank you for this hearing. It's a very important hearing. You and I both represent many federal employees so it's a special concern to us both. I do want to note that I've been concerned with the federal workforce for some time and have a bill in before we attained the majority aimed at recruiting new federal workers. 
I was astounded to find out that essentially only 20% of federal IT workers are under the age of 40, which meant that we were just losing out and losing all opportunities. And Mr. Chairman, I do want to say that I did get back a thoughtful letter from Director Dale Cabaniss indicating some of the things that the federal government has been doing to help the federal IT workforce enter into the 21st century. Mr. Shank, this failure, I want to focus on this really abject failure to modernize the IT in the federal sector, whether that is simply resistance or failure to just keep up. Mr. Shank? Hannah Shank: (39:37) The question is? Eleanor Holmes Norton: (39:39) Miss Shank. I'm sorry. Miss Shank. Hannah Shank: (39:40) That's okay. To what degree is the lack of modernization due to resistance versus just lagging behind? Eleanor Holmes Norton: (39:52) Yeah. Active resistance as opposed to inhibitions on the agencies to move ahead. Hannah Shank: (40:07) I don't think that it is resistance so much as just not having a clear way forward. A lot of agencies have yet to see that the policy is reliant upon delivery and that delivery is reliant upon IT systems. So because that connection hasn't been made, there is sort of a lack of, I think, interest in or just understanding the importance of, why you'd want to bring people in to create a modern tech workforce or why that's relevant to the agency's mission. Eleanor Holmes Norton: (40:56) This is a question for any of you. Mr. O'Keeffe, I'll start with. Has funds been at the bottom of this? If we were to somehow come forward with an appropriation, would that be enough to get the attention of those in the federal agencies, or is it other kinds of resistance? Steve O'Keeffe: (41:18) Thank you. I think funding is definitely a factor and I talked about the requirement to fund the TMF as part of MGT and bringing that together with FITARA. But I do feel like the biggest challenge overall ... 
I don't think it's an active resistance issue to your question earlier. It's the complexity of what's going on. It is an acronym soup and it's a compliance culture. And so how do we simplify and provide greater transparency in order to move the ball forward? I think those are [inaudible 00:41:48]. Eleanor Holmes Norton: (41:49) Well, part of these workers who have been in the government for a very time ... Do you think that we need a wholesale retraining? You quoted statistics showing that young people don't even want to come into the IT workforce of the federal government. Is that the problem, or is it a retraining problem? Steve O'Keeffe: (42:10) I think it's a problem on multiple fronts. So yes, absolutely training is very important. I don't know that the federal government of late has been a particularly attractive employer for young people. Now with the pandemic and the downturn in the economy, we'll probably see government jobs being more interesting. Eleanor Holmes Norton: (42:30) I must say that this recruitment notion and they do say OPM, that they do recruit. I think there is a major issue of how you make the federal government jazzy enough so that these young IT professionals want to come in. Mr. Cornelius- Chairman Connolly: (42:53) I'm afraid the gentle lady's time has expired. Eleanor Holmes Norton: (42:58) Thank you very much, Mr. Chairman. Chairman Connolly: (42:59) Thank you, Miss Norton. Mr. Hice, you're recognized for five minutes. Mr. Hice: (43:04) Thank you, Mr. Chairman. Mr. Cornelius, as I understand it, one of the reasons federal agencies do not readily purchase commercial off the shelf items is because there's no incentive to prioritize those type of technologies over developed in house type of thing. So from that mentality, what kind of policy solutions do you think ought to be proposed in order to remedy that problem? Matthew Cornelius: (43:35) Thank you, Congressman. 
So there's a couple of things there, and I think both Congresswoman Norton's question and yours sort of dovetail together. So part of it is incentives and part of it is an understanding. And so the workforce that we should care about inside government is not just the IT workforce when it comes to modernization. Everyone is an IT worker in government. Everyone uses and leverages technology to deliver the programs, the products, the services they're there to deliver. Matthew Cornelius: (44:01) And so therefore we've got to make sure everyone has a relevant understanding of what's happening in the technology market so that when we actually do go out and try to procure the vast majority of the technology that is used in government, that the procurement executive, the technology executive, the finance executive, the HR executive there, they all understand why the technology is important to them. So understanding and creating a better sort of policy and understanding around how fast and how up to date the technology market is driving, that will create a better understanding so that when agencies are trying to either retire old bespoke systems or simply just acquire and use new technologies to pilot them or to try and scale them in government, that they actually understand what is happening in industry so that they can leverage it more effectively. Mr. Hice: (44:46) Okay. Well, Mr. Bitko, let me go to you right along this same train of thought here. During your time as the CIO at the FBI, what were some of your experiences trying to procure commercial IT solutions? And along those lines, to what extent were there incentives to purchase commercial? Gordon Bitko: (45:15) Congressman, thank you for the question. There definitely are incentives for the IT individuals to procure commercial products. But as Mr. Cornelius said, the issue I think is that everybody is an IT worker and the mission users of those systems, they know what they want. 
And what they frequently want is not the commercial product, but something that's been customized in some way. And the result when that happens is you take a lot of time taking the commercial product and customizing it into something that then becomes a legacy product that's difficult to maintain and support. I have a quick example that highlights that. For the FBI, the time and attendance system, you would think that that's a standard commercial product, that everybody tracks time and attendance in the government and wants to know how long everybody works. Well, the FBI had customized the time and attendance process over the years for a variety of reasons, some of them reporting to Congress or for internal management, but to the degree that the commercial product was no longer in sync with the customized version that the FBI was using. Gordon Bitko: (46:17) And the result of that, unfortunately, is that every time the vendor updated the commercial product, it was many months of work, sometimes years of work, to figure out how to back fit those upgrades to the version that the FBI was using in ways that would prevent it from catastrophically failing. And so the craziest thing out of all that is that the FBI time and attendance system still runs on a restricted network that's not accessible when you're out of the office. So if you wanted to record time and attendance, you have to physically be at an FBI location to do that. So the disconnect, sir, is between the incentive to buy commercial products and all of the business users, the mission users, who have their own needs and figuring out how do you balance the costs and benefits between changing the internal process so that you can use this standard product versus adopting it in order to meet some unique need of the mission. Mr. Hice: (47:11) It sounds like we are masters at complicating the issue of the bottom line, and it doesn't need to be that way. Let me ... Mr. 
Cornelius, I'm going to come back to you with this. But I would ask all of our witnesses if you could respond in writing to this question because I'd be interested in hearing from all of you. What changes would you make to the structure and process for awarding project funds from the TMF? Matthew Cornelius: (47:35) So there's a couple of things. Given the current amount of appropriations which is somewhere short of 150 million, which is all it's gotten over the past three years, the best we can do is make small bore project delivery decision. So the board has ... From my time at OMB, we had more than 50 projects that were submitted, costing I think more than about $600 million and we only had 150 million with which to try and dole out to that. In doing that you can only support sort of agency specific projects. I think the model needs to be flipped on its head. Matthew Cornelius: (48:07) First, I think Congress, including former ranking member Meadows, who was a big fan of the TMF, now the current chief of staff, should be pushing to make sure there's a billion dollars in TMF funding in the next phase four bill. And then OMB and GSA should be looking across the federal enterprise to figure out where those investments should best be, whether it's an individual agency or hopefully in multi-agency programs and process improvements and digital capabilities that agencies are learning about right now in the midst of the pandemic. So I think if they had more money, plus if they allowed for both individual agency projects while also sort of looking across the federal enterprise to make enterprise investments, that could lead to tremendous benefits both now to fight COVID-19 as well as well into the future and retire some of these legacy systems. Chairman Connolly: (48:52) Would my friend allow me to just add to- Mr. Hice: (48:54) Yes, please. Chairman Connolly: (48:55) ... the point you're making. 
Just real briefly, so you call for a billion dollars in the TMF, the Technology Management Fund, which is in fact provided in The HEROES Act pending Senate action. I think you would agree and I think my friend would also agree that $25 billion as appropriated in the last appropriation is simply meaningless. Matthew Cornelius: (49:19) Yeah. Congressman, it is wildly inappropriate. I spent the past several years in OMB working through the budget process and working with appropriators, not to just talk about the value of the TMF, but also find ways to do it. And frankly, outside of an emergency situation like this, where Congress can go above and beyond the sort of 302B allocations that they have on the normal FY sort of appropriation cycle, you're never going to get that amount of investment that is necessary so that OMB and GSA and agencies can really, really start to transform the government IT license. Chairman Connolly: (49:50) Thank you. I took some of my friend's time if he wishes to... Mr. Hice: (49:53) No, thank you, Mr. Chairman. Just by way of reminder, I would like to hear from the other witnesses on this to get their answers as well. Chairman Connolly: (49:59) Certainly. Mr. Hice: (50:00) Thank you. And I yield back. Chairman Connolly: (50:00) Certainly. Thank you. Miss Shank or Mr. O'Keeffe, do you wish to comment? Steve O'Keeffe: (50:05) [inaudible 00:50:12]. Chairman Connolly: (50:11) Mr. O'Keeffe? Steve O'Keeffe: (50:14) Yeah, I think that the gentlemen covered it down very well. I think that the last time I testified on IT modernization, GA told us that it was 777 supply chain systems and 622 HR systems in the federal government. That was 10 years ago. I would guess there are probably more than that. So it's this ability to build that Mr. Bitko talked about, which I think is the real enemy, customization. Chairman Connolly: (50:38) Thank you. Miss Shank, did you wish to comment? Hannah Shank: (50:43) Yes. Yes. 
So the customization piece versus buying, I think there we are working with a slightly outdated view of how tech gets built. It used to be that people would buy something and do a lot of customization. The example would be the FBI system. That sounds to me like that was a really old system that was customized and updated repeatedly. I mean, I'm guessing, but that sounds like a decades old system. I think that modern technology is a lot more flexible. And of course there will always be some degree of customization, but no technologist would ever start a project without first thinking about what exists on the marketplace. That's how you do it. Nobody is sitting there thinking, "Oh boy, I want to build something from scratch because it's fun." People will definitely look and see what's out there first. Chairman Connolly: (51:51) Thank you. I will say this. The FBI example is one I actually happen to know about wearing a different hat and I can tell you that part of the problem was FBI. They kept on changing the scope of work. They kept on adding to it. They didn't have experts who understood the limits as well as expansive potential of technology. And as a result, they absolutely designed something that could not work and would never work because they really didn't understand how to create the terms of reference for a real contract that could provide a real product that worked. So part of that problem is internal expertise in our federal agencies and even understanding the scope of their own needs. And having translation between the highly technical and the operative at the layman's level is a real challenge for the federal government. Especially as Miss Norton pointed out, as our workforce ages and is less technologically savvy than the generations succeeding us, that gap grows. Any rate, let me see. Mr. Lynch, are you with us? Steve Lynch. Mr. Lynch? Is Mr. Massey coming back, Mr. Hice? Mr. Hice: (53:24) I don't know. Chairman Connolly: (53:24) Okay, no. Mr. 
Hice: (53:24) No. Chairman Connolly: (53:24) Mr. Grothman, is he coming back? No. Miss Plaskett, are you with us? Miss Plaskett: (53:35) Yes, I am. Chairman Connolly: (53:36) Great. You're recognized for five minutes. Miss Plaskett: (53:40) Thank you very much, Mr. Chairman, and thank you to all of the witnesses who are testifying today. I have just a comment and then a couple of questions quickly. On March 16th, the Office of Personnel Management directed agencies to maximize use of telework in response to the coronavirus pandemic. Telework proved critical to ensuring the continuance of government operations during the pandemic. Nonetheless, the rapid shift to remote working exposed agencies to increased cyber security threats. So prior to the coronavirus pandemic, the FBI received about 1000 cyber security complaints a day. That number has since jumped to between 3,000 and 4,000 complaints per day. The Pandemic Response Accountability Committee reported that since the pandemic hit inspectors general have reported increased risk of data security breaches, disclosures of classified information, and targeted cyber attacks and fraud schemes. So wanted to ask, Miss Shank, how has outdated federal IT exposed the agencies to unique cyber security threats during the pandemic? Hannah Shank: (54:55) So I will preface this by saying I am not a cybersecurity expert. However, the combination of people working remotely and legacy IT, it does not surprise me that cybersecurity has been an issue. And it's really not my area, so I'll stop. Miss Plaskett: (55:18) Okay. Do any of the witnesses have any comments or questions on how the outdated IT exposes agencies during this time to cybersecurity threats? If not, Mr. Bitko, before joining ITI, you served as the Chief Information Officer at the FBI. At a high level, what cyber security vulnerabilities in federal IT systems did you detect? Gordon Bitko: (55:51) Congresswoman, thank you for the question. 
And I will wrap in a response to your prior question as well. Miss Plaskett: (55:57) Awesome. Gordon Bitko: (55:57) There's an obvious connection here between them. And I'm also going to caveat that by saying as the CIO, my responsibilities were not in the FBI cyber mission but in the management of the FBI's own internal IT resources. Nevertheless, just the nature of the organization and being an executive within the agency, there's certainly numerous opportunities to be exposed and work closely with our cyber investigative programs while I was at the FBI. The range of cyber incidents that are detected are too many to count. There are adversaries out there who will seek any opportunity that they can to take advantage of weaknesses in systems. Legacy systems are a very core part of that. You can look at both internally within the federal government. Gordon Bitko: (56:42) The OPM breach is a really good example of legacy systems that were vulnerable because since they were so dated, monitoring them is very, very difficult and it wasn't done at the level that it should be. And you can translate that to a lot of the vulnerabilities that the FBI saw at state or local governments that were subjected to ransomware attacks. Again, many of those ransomware attacks were not because there weren't solutions to mitigate against those things, but because those locations, those localities, were still running old outdated systems. They hadn't patched. They hadn't made investments in the cyber resources. And the result is that they were compromised. I think when you translate that to now to the pandemic, it's exactly the same, just magnified. It's an opportunity for adversaries who are seeing a more distributed workforce leveraging all sorts of their own personal technologies and other ways to connect back to federal information technology systems and that presents an opportunity. Gordon Bitko: (57:37) The need to telework is clear. There's no doubt. 
But a lot of the security systems, the operation centers that are designed to monitor and collect all this data, they weren't built with the idea in mind that the workforce is going to be 20 or 30 or a hundred thousand agency users working from their home on a home computer and telecommuting in over a VPN or over a virtual desktop. And so I think that there is a real vulnerability there, and that we as a public sector are just not monitoring at anywhere near the same degree that we should. And so that's an additional complicating factor that makes the risk higher. Chairman Connolly: (58:19) Miss Plaskett, I wonder if you would have Mr. Cornelius respond to that as well if that's all right. Miss Plaskett: (58:25) Oh, sure. Mm-hmm (affirmative). Matthew Cornelius: (58:27) Thank you, Chairman. And thank you, Congresswoman. I think what has come out of the COVID response and the sort of maximum telework posture is that agencies that were already expanding the use of telework within their agencies already had a workforce that was trained and capable of using these commercial technologies or these distributed technologies like Mr. Bitko said, working through VPNs, virtual desktops, et cetera. So agencies that had digitized the workflows and not just tried to digitize their workforce were able to actually make this happen more effectively. And so I think, I believe the PRAC as well as GAO and their detailed response to the initial steps to deal with the COVID response both highlighted that agencies that were already working to expand telework had a trained workforce that knew how to do this so that they perhaps were able to better understand and spot phishing attempts that were trying to come through networks or trying to get them to click on suspicious links or were more capable of not having to make work arounds in order to meet their mission responsibilities and can instead work through the agency protocols and processes to do this securely and effectively. Thank you. 
Chairman Connolly: (59:39) Thank you. And thank you, Miss Plaskett. Miss Plaskett: (59:40) Thank you, Mr. Chairman. Chairman Connolly: (59:42) What's that? Miss Plaskett: (59:43) Yes, Mr. Chairman. Thank you so much for the time. And I'm just hoping that at some point, the witnesses can give us not only best practices, but how should Congress structure funding to help the government best modernize IT and meet these challenges? But thank you for this great hearing where we can discuss these issues. Chairman Connolly: (01:00:01) You make a very great point, Congresswoman. Congresswoman Plaskett: (01:00:03) Discuss these issues. Chairman Connolly: (01:00:03) You make a very great point, Congresswoman Plaskett, and I would just say, I would hope that as part of the post-pandemic assessment, we look at what did not work well and what did work well, within the IT context, to your point. Because if we don't take away the relevant lessons, we're going to repeat the mistakes. And there have been some success stories, as well as failures. So, I think you're absolutely onto that, and I'd be glad to work with you in perhaps talking to GAO to get ready for that kind of analysis. And I assume, Mr. [Heiss 00:00:41], you'd join us in a bipartisan way, with respect to that. So thank you. Chairman Connolly: (01:00:46) Glenn Grothman, you're recognized for five minutes. Glenn Grothman: (01:00:49) Thank you. First of all, I'd like to make a suggestion. I always love this hearing. Chairman Connolly: (01:00:52) Certainly. Glenn Grothman: (01:00:53) But there was a little disagreement at the beginning about the mask policy. And I think as long as I've been alive, I've never been around a topic in which the experts so consistently get things wrong. I keep getting emails from different constituents saying, "Why do I have to wear a mask?" And while it's true, you find experts who think it's good when we're wearing a mask, there are experts out there who think we shouldn't be wearing a mask. 
So I'm going to suggest that we have a subcommittee hearing on masks. And it's certainly a hot topic back home. Nobody back home asked me about IT and the government, but they all ask about masks. So it'd be good for ratings. Chairman Connolly: (01:01:33) You intrigued me because I would say to my friend, because you could put it in the broader context of experts. Glenn Grothman: (01:01:43) We have experts on both sides. Chairman Connolly: (01:01:44) Right, right. And that might be a worthy hearing. So we'll file that away. Thank you. Glenn Grothman: (01:01:49) Good. Chairman Connolly: (01:01:49) Mr. Grothman. Glenn Grothman: (01:01:51) Now back to the topic at hand. This will be there for Mr. Cornelius or Mr. Bitko. The Technology Management Fund was intended to provide agencies with access to funding that was not bound by the annual appropriation process. Can you describe why funding IT modernization projects should not be bound by single year increments? Matthew Cornelius: (01:02:16) Thank you, Congressman. It's a great question. So most of the times we talk about retiring a legacy system, it means it's a system that's been built over years and years and years with subsequent years of funding and sort of more technology or products sort of glommed on top of it, which means that if there is an agency plan to retire that system, the likelihood is that it's going to take multi-year funding. It's going to take funding over multiple years to retire it. The system can't just shut off automatically. So you're going to need consistent funding in the out years to do that. Matthew Cornelius: (01:02:48) As we know, there's oftentimes disagreements between the executive branch and the legislative branch on sort of funding levels and things like that. So agencies are often at the whim of appropriators and the appropriations process to do that. 
So that's why an investment in the Technology Modernization Fund, those are no-year dollars, and the money is flexible, so that if a project is going well, more money can be provided to help accelerate that modernization process and move it through more quickly. Matthew Cornelius: (01:03:17) And if it is going poorly, that the TMF board can help course correct or help that agency remediate some problems, or discontinue the project altogether. So that it's not a project where the agency is committed to years and years and years of a contract, when they already know the project is failing. Glenn Grothman: (01:03:36) Okay, thanks. I'll give you a kind of a follow up question, and Miss Shank wants to weigh in, too. As more Americans continue to interact with the federal government, to understand benefits and receive critical information, understand the customer IT experience will be critical. What challenges do agencies face when trying to improve the design aspects of their systems? Matthew Cornelius: (01:03:59) I'm happy to let Miss Shank go first, or I can start, her call. Glenn Grothman: (01:04:02) She can go. It's her turn, we'll give her a shot. Chairman Connolly: (01:04:05) Miss Shank? Hannah Shank: (01:04:11) Thank you. One of the huge barriers for agencies, as they try to bring in customer experience into their systems, is that there is a lack of feedback loops that are currently in place. So traditionally, when you look to incorporate user research, there's an easy methodology. There's an easy way to do that. But a lot of agencies aren't collecting user feedback on specific pieces of how a certain agency is fulfilling its mission, and in a meaningful way that then plugs into the design of the system. Does that make sense? Glenn Grothman: (01:05:01) Yeah. Do you want to follow up, Mr. Cornelius? 
Matthew Cornelius: (01:05:02) Congressman, I think, again, it goes back to that issue I raised in my opening statement about the legacy being a cultural problem, is the dollars that any federal agency is using to spend on technology supports a system and a program that is there to serve the public. And so, the first issue before any agency thinks about a technology system or a program, is sort of how is the execution of that program and the underlying technology that makes it happen, how do we know that it's going to benefit the citizens whose taxpayer dollars are the ones funding it? Matthew Cornelius: (01:05:36) So I think if agencies can start with the, citizens are not just there to allow the government to execute on a mission, but the citizens are the recipients of that mission, and they should be provided those benefits and those services effectively, the same way they get on their iPhone or with a package delivery or anything else. So I think that mindset of putting citizen, putting the customers first, would help sort of alleviate some of these bottlenecks we get, where agencies are just designing systems for themselves and not for the end user. Glenn Grothman: (01:06:06) Thank you. Chairman Connolly: (01:06:09) Thank you, Mr. Grothman. Mr. Raskin, you are recognized for five minutes. Mr. Raskin: (01:06:17) Thank you very much, Mr. Chairman, quick points on this subcommittee health protocols. If there are members, as the ranking member suggested, and I have no reason to doubt him in it, but if there are members who are not coming in because they so resent the rule that we've adopted, based on the Capitol physician's advice, there are also members like me who are here, who are in Washington, who are at the Capitol. And I'm in my office simply because I just can't subject people in my family to the risk of having members not wearing masks for whatever reason they might have. Mr. 
Raskin: (01:06:57) And I also think we should not be party to confusion and disinformation about masks. I am not seeing any dispute at all from the expert medical authorities that we follow, the Centers for Disease Control is recommending cloth masks for everybody who is in public, in public spaces, as well as social distancing. The World Health Organization is recommending masks. In fact, that if you look in the countries that have actually brought the virus under control, like in Europe, the masks have been central. And it has been the President's dereliction of duty in sending all kinds of mixed messages about masks that has made us now number one in case count and number one in death count around the world. So there's really no confusion about this, and we should not be spreading division. Mr. Raskin: (01:07:49) Now, Mr. Chairman, as to the matter at hand, obsolete IT systems have created a lot of headaches for our constituents seeking unemployment benefits and stimulus checks. At our hearing last month, we found that our government didn't shut down during the pandemic. It ramped up to deliver new and existing services, amid these extraordinary challenges. At many agencies that had modernized before, federal workers could continue operations and serve constituents effectively because their updated systems allowed for remote work. Mr. Raskin: (01:08:25) Not so for a lot of other agencies. We've been arguing for decades in the subcommittee that telework is important. And now the pandemic has finally forced government administrators to take remote work seriously. Some were ready, and others were not. We know the GSA was the federal government's biggest adopter of telework, and that made it well equipped to continue its work during the pandemic. But many agencies failed to invest in IT and deferred digitizing. And now they're calling back employees, putting the health and safety of these workers in danger because their leaders had failed to prioritize IT. Mr. 
Raskin: (01:09:03) The IRS asked staff to return to perform tasks that could be digitized, automated, or perform remotely, like answering phones or processing mail. Mr. O'Keefe, your company conducted interviews with many of the CIOs on their experience and modernizing IT and transitioning to telework in the pandemic. What were some of the lessons learned and best practices that emerged from this study? Steve O'Keeffe: (01:09:29) So the CIOs, across the board, lauded telework. I think it's going to be very difficult to put the genie back in the bottle on telework. And I think, as Mr. Cornelius mentioned earlier, the idea of practicing telework before the pandemic struck, those agencies that have practiced and had systems in place were a lot more successful. And those that leant forward, in terms of cloud computing, also found their ability to telework and to be more agile, to be more customer centric, significant enhanced. Mr. Raskin: (01:10:03) Thank you. We also have said those who work with technology out in the field, there are those who inspect mine safety, who inspect poultry, who audit agency operations, and these employees rely on tech as well. Mr. Raskin: (01:10:15) Mr. Bitko, when you were at FBI as the CIO, you had to manage a lot of agents out in the field. How would you make sure today that your workforce could continue operations during a global pandemic? Gordon Bitko: (01:10:28) Thank you for the question, Congressman. There's no doubt that telework is essential to enabling that. It really comes back to again to the point that Mr. Cornelius was making. The agency needs to be planning for this sort of environment and building technology that enables it, that enables in the case of the FBI agents who were sitting up there in the field, to do the work. And one of our goals was to go even beyond that, not just in field offices, because they all have good connections, of course. But agents, their livelihood is out in the world, talking to people. 
And the more technology we can give them to actually be effective while they're doing that, the more effective they can be. So I think it's the agency cultural change to that mindset of using technology. Mr. Raskin: (01:11:07) Miss Schenk, how can the federal government do a better job ensuring continuity of operations during moments of national crisis that require rapid response? Hannah Shank: (01:11:21) [inaudible 01:11:21] and what we will potentially see again is what happens after decades of neglect. And what that looks like to us is that the technology is outdated. But if you dig into why the technology is outdated, what you come up with is that the federal government is short on internal technology teams and long on massive vendor contracts, which is not to say that building an internal agency team means an end to vendor contracts, but an internal agency team is certainly something that would be a lot more flexible and able to build the modern tech stack. Chairman Connolly: (01:12:01) Thank you. Mr. Raskin: (01:12:02) Thank you very much, Mr. Chair. I yield back. Chairman Connolly: (01:12:04) Thank you so much, Mr. Raskin. Mr. Norman, you're recognized for five minutes. Mr. Norman: (01:12:14) Mr. Cornelius, you mentioned in your opening statement, technical debt. And you said it leads to wasteful spending and outdated IT. Can you define exactly what that is? Matthew Cornelius: (01:12:27) Yeah. I think that the easiest definition is technical debt is the continuance of old and outdated technology inside agencies, or that agencies are reliant upon, that is not modern and sort of updated to commercial best practices. So agencies being reliant on old processes and old software or old systems, to do things where modern commercial sort of analogous practices and capabilities are already available and are already widely adopted by citizens and companies. Mr. Norman: (01:13:03) Could be a generational thing too, couldn't it? 
Matthew Cornelius: (01:13:06) I do think that a lot of the old technology... Again, there's a something I always bring up is everything is abnormal until it's normal. And I think COVID is a tremendous sort of example of that. No one would have been in here wearing masks and sitting this far apart under a normal hearing. And I think that's the same thing for agencies. And so I think to the chairman's point, there's going to be so many agencies and people inside agencies that are going to realize that they could have already done so much more and were so capable already because of the response that they've done, due to distributed telework and the CARES Act and everything else. So again, it's not just generational, but it's also sort of habitual. It's people are comfortable with what they're comfortable with, and they'll use old, clunky systems if that's all they know how to do, rather than try and pick up and leverage the newest sort of whizzbang technology.
Chairman Connolly: (01:13:58) My friend, yield just for a second-
Mr. Norman: (01:14:01) Yes, sir.
Chairman Connolly: (01:14:02) Because I think you're making a really good point. It's also the cost. The cost of retiring a legacy system can be in the billions of dollars and take multiple years, and you've got to retrain everybody, and it's just easier, sometimes, to decide let's put that off this year. And that keeps on going. And I think that's a real factor in management's decision to defer these kinds of things. And suddenly they wake up and realize they're 30 years late.
Chairman Connolly: (01:14:28) Thank you for yielding.
Mr. Norman: (01:14:30) Yes, sir, Mr. Chairman. And I agree because I don't know how you get that, particularly with older generation, how you get that sunk into the heads that this pays off, it's keeping up with the times. And if you don't do that, then you're jeopardizing the whole system.
Mr. Norman: (01:14:49) Mr. Cornelius, this is for you, too. The GAO found that many of the federal IT investments have suffered from a lack of effective project management. In the private sector, you can take care of that. If you get ineffective project management, you deal with it. Either you make it effective, or you get rid of that person or groups, so that it's effective. What's your opinion on the best way to tackle this and to get the problem solved and defined, from where you sit, what's your opinion of that statement is?
Matthew Cornelius: (01:15:30) Thank you, Congressman. So I think it's a multifaceted answer, and I won't try to talk too long because I know you probably have some more questions, but it's a couple of things. One, the workforce needs to be well trained and well equipped to know how to actually manage projects effectively. Project management, just like IT, just like finance, just like HR, acquisition. They're not just the other person's job that you work with that are in an office. They're part of how you go about sort of managing your day to day and how you go about executing your mission.
Matthew Cornelius: (01:15:58) Another thing I found when I was in government is a lot of the project management, as I think you defined it in the private sector, is outsourced to a lot of these vendors who will come in and say that, "I will build you whatever you want built, and then I will manage it however long you want me to manage it and update it." And all you have to do is just make sure that we're hitting some certain milestones or metrics that you've put out there. And that is certainly a way of doing business, but I don't think that is the most effective. I don't think anyone in the private sector would do it that way.
Matthew Cornelius: (01:16:27) And I think Miss Schenk has referenced the fact that folks like the US Digital Service and others come in with that mindset and provide some good examples and opportunities for agencies to change. And they're not there to change it for them, but they're there to show them that there's a different way to leverage technology and to be more effective and to manage projects, to get lower costs and better outcomes. And I think to the extent that we can continue to proliferate and help all of the federal workforce understand that and be trained effectively would lead to a lot better outcomes, in both the use and management of technology.
Mr. Norman: (01:16:59) And the bottom line is results. You get results. And it dovetails in with the technical debt that you were talking about.
Matthew Cornelius: (01:17:05) Absolutely. Like I said, when Mr. Grothman was asking his questions, we have to treat the American taxpayers like customers because that's what they are. They are reliant on government benefits and services, but they should also be treated as recipients and as people that agencies are there to serve, and agencies aren't just there to sort of manage their own operations as they see fit.
Mr. Norman: (01:17:26) Thank you. I think I'm out of time. I yield back.
Chairman Connolly: (01:17:29) Thank you. Thank you, Mr. Norman. The gentleman from California, Mr. Khanna, is recognized for five minutes.
Mr. Khanna: (01:17:36) Thank you, Mr. Chairman, and thank you for your continued leadership. I have a bill HR5901, which Matt Lira helped us with and with Senator Portman, to codify the centers of excellence at GSA. We've heard from testimony that they'll provide services to agencies, to improve federal IT across the executive branch.
Mr. Khanna: (01:18:01) Mr. Cornelius, what role do you see these centers of excellence playing and help speeding up IT modernization throughout the federal government?
Matthew Cornelius: (01:18:11) Thank you, Congressman. And thanks for the call out to Mr. Lira. I had a great time working with him when I was at the Office of Management and Budget, and he was at the White House. I think to the extent that we can make it open and able for new ideas and new technical talent to come into the government, to help either individual agencies internally or agencies sort of across the enterprise, buy and use commercial technology to achieve mission outcomes. I think that should be celebrated. I think there have been conversations in Congress over the years on whether to codify things like the US Digital Service or 18F or now the COEs. And while I think those are steps in a direction, I also think it's a little bit like having your cake before eating your broccoli with your meal. I think you need to focus on getting the entire workforce up to speed and elevating the skills of all the people that are going to be around and are constantly managing these programs. And then we can think about the best way to sort of collect and manage and oversee and appropriate any of these digital services teams or other new types of business models inside government, to drive better outcomes.
Mr. Khanna: (01:19:30) Thank you. If any other panelists want to speak to that or about the oversight role that Congress should play on centers of excellence?
Gordon Bitko: (01:19:40) Congressman, if I could add in an additional point to that, I think that one of the big challenges with centers of excellence or centralized services being provided are the FISMA challenges around reciprocity between different agencies. And if one agency delivers a service or a center of excellence delivers a service, as long as FISMA is making it the responsibility of another agency's CIO or another agency's senior leadership to accept risks, they're unlikely to feel comfortable just accepting the work of the center of excellence, and they're going to end up redoing a lot of it themselves. So I think that that is significant friction in the system for the idea of centralized services being provided. And that is something that needs to be looked at.
Mr. Khanna: (01:20:23) What would you recommend [crosstalk 01:20:24] what would you recommend as a solution to that?
Gordon Bitko: (01:20:26) I think, sir, FISMA has to be really modernized. I know that that's been touched on here a little bit. FISMA is important, no doubt. Information security is essential to all the work that's being done, but much as like we're talking about modernizing legacy systems, security practices have to be modernized as well. And today there is a lot that's done in the individual agency interpretations of [inaudible 01:20:47] and the individual CIOs get to make decisions about what levels they're going to accept and how they're going to do it. I think there has to be some work put into thinking about how to redo that and to provide for some consistency and interpretation of the [inaudible 01:21:03] standards and FISMA across the board. Otherwise, again, we're going to still have these conflicts.
Mr. Khanna: (01:21:08) Do you or any of the panelists have a view of how our federal agencies, when it comes to technology proficiency, technology use, compared to the rest of the world? Are we one of the world's leaders? Are we lagging?
Steve O'Keeffe: (01:21:22) If I might, to go back to the question about COEs, one point that I would raise [crosstalk 01:21:27] one I would raise is it's inconsistent. So the agencies that have been through the COE process, one would anticipate that they would do better on the FITARA scorecard than the agencies that have not been through the COE process. But that does not seem to be the way that it plays out. So there's kind of a head scratch on the COEs. Again, how do we simplify, and how do we understand how agencies are actually performing?
Mr. Khanna: (01:21:53) Well, if you have ideas on how we can strengthen it, as we work through this bill, we'd obviously welcome that.
Steve O'Keeffe: (01:22:00) Yeah, I think on the workforce issue, I think it's in pockets, but there is definitely a requirement for training at scale in the federal government. So when we talk about the cyber core and such initiatives, we're talking about 10s, 20s, 50s. We need to be talking about thousands. So how do we create scale for IT workforce training in the federal government? That's really the big question.
Mr. Khanna: (01:22:23) Very good point. Let me ask one final question. I had passed last Congress, the IDEA Act. The President had signed it, 21st Century Integrated Digital Experience Act. How would we benefit from agencies fully implementing the IDEA Act? And do we have any sense of whether it's working or not?
Matthew Cornelius: (01:22:47) May I, Congressman?
Mr. Khanna: (01:22:48) Please.
Matthew Cornelius: (01:22:50) So first off, thank you for your leadership on the IDEA Act. I think it's an incredibly important piece of legislation, and it goes back to some of the questions we've had from both the majority and the minority on sort of how we make digital services information websites more accessible, usable, and easier to understand for the public. And I think Miss Schenk's opening statement, when she told that very heart wrenching story of the lady who cannot actually apply for benefits, is case in point for why something like the IDEA Act is important. And frankly, I would request that my former colleagues at OMB hurry up and get the IDEA Act guidance out there. I think there's a lot of agencies that might still be waiting on the Office of Management and Budget to really help push them in the right direction and kind of point them where they should go. And I think that that bill gave OMB a lot of deference when it came to guidance on the IDEA Act.
Matthew Cornelius: (01:23:40) But I will say at least from an industry perspective, no company that is worth its salt would be up and running if it was not able to easily and effectively convey what its mission is and what its services are to potential customers. And so I agree with you that we should continue leveraging the IDEA Act. And frankly, I think that's one of the recommendations that my organization has made to Congressman Connolly and his staff on a sort of modernization of the FITARA scorecard.
Chairman Connolly: (01:24:11) Thank you. And thank you, Mr. Khanna. And we will continue working with you on the modernization. It's not frozen in stone. We just wanted to make sure we get the basics right before we start branching out. Gentleman from Kentucky, Mr. Comer is recognized for five minutes. And congratulations on your selection as our new full committee ranking member. We welcome you.
Mr. Comer: (01:24:32) Well, thank you very much. I appreciate that. Look forward to working with you in the future.
Mr. Comer: (01:24:37) Mr. Cornelius, the Modernizing Government Technology Act and Associated Technology Modernization Fund have been important steps forward, but the task of modernizing federal IT systems is truly massive. It's my understanding that these take a very long time, are extremely complicated, and certainly costs a lot of money. They're similar to infrastructure projects like roads and bridges. Should we look at them in a similar manner as infrastructure project, that is multi-year appropriations?
Matthew Cornelius: (01:25:13) Yeah, absolutely. And Chairman Connolly actually took my compliment away from me. I was going to congratulate you on also becoming the ranking member to the full committee, but I'm sure there's plenty of compliments to go around.
Matthew Cornelius: (01:25:24) Absolutely is the simple answer to your question. Most of the money... So not all costs that go into the 90 plus billion dollars in federal IT every year is the same. About 75, 76 billion of that is just keeping the lights on, as all this O&M dollars, just keeping these systems afloat. And there's very little there for development, modernization, and enhancement.
Matthew Cornelius: (01:25:45) So I do think, while the Technology Modernization Fund is incredibly ineffective and what has happened on FITARA has been impactful, when it comes to elevating the CIO and giving them authority, if most of the money is appropriated to individual programs or individual offices within agencies, and they come up with their own decisions, and it's just a sort of thumbs up, thumbs down from a CIO, it's very hard for them to really look at things across the enterprise and look at things for a multi-year perspective.
Matthew Cornelius: (01:26:12) So to the extent that we can right size federal IT spending within agencies and make those monies perhaps multi-year or several year dollars, I think there's a trade agencies would make in getting more flexibility for the money and allowing Congress and OMB to have stronger oversight of that spending.
Mr. Comer: (01:26:32) So if we're going to require agencies to reimburse the TMF, what's a more realistic timeframe than three years on the reimbursement?
Matthew Cornelius: (01:26:42) Well, I think on the reimbursement, especially as part of the one billion dollars that I think Mr. Bitko and I have both joined a letter in supporting, I think repayment when it comes to COVID-related issues, perhaps should be looked at as sort of being done away with. If agencies are really trying to move fast to deal with COVID, and they've got to leverage the TMF to do it, and if Congress doesn't give more money for individual agencies, as they did in the CARES Act, then let's think about ways for projects that are relevant to COVID-19, to make that happen.
Matthew Cornelius: (01:27:14) But I think broadly speaking, a lot of the agencies, at least the projects that were funded during my time at OMB, most of those were already well on their way to success, well on their way to repayment. So I think the model works, but we're also operating in a very different timeframe and a very different environment, especially in the middle of COVID. So I do think there are changes both Congress should be looking at, as well as OMB and GSA should be looking at, to improve the way that fund is leveraged and the impact that it provides.
Mr. Comer: (01:27:40) Okay. Finally, how good a job are we doing at measuring what the associated savings from these projects are?
Matthew Cornelius: (01:27:50) It's a very difficult question, Congressman.
Mr. Comer: (01:27:53) Right. So not a very good job.
Matthew Cornelius: (01:27:58) I would think that I would think that there's a place, if you're looking at agency legacy modernization plans, and I think GAO talked about that in their report. It's not just the plan that's important. It's the agency budget request that goes into that plan. It's the actual appropriations provided to that plan, and then it's the outcomes and then performance. So it's not just enough to have a plan. You have to know if there's enough resources coming in. You have to know if the resources that Congress provides meet that need. And even if not, how are you using the monies that are provided to actually get performance and outcome?
Matthew Cornelius: (01:28:35) So I think that virtuous cycle between having a plan and being able to fund it, resource it, and acquire commercial technology effectively to retire old systems and move to new technologies. I think that that's something where there could be a lot of power in both savings and in performance, which I think are two sides of the same coin.
Chairman Connolly: (01:28:54) Would my friend yield?
Mr. Comer: (01:28:56) Please, go ahead.
Chairman Connolly: (01:28:57) Because I'd like to just add on to that. I think there are two things here, based on my own experience of 20 years in the private sector. One is you can't have erratic budgets. So if you do get an agency head who says, "I'm going to make this a priority." And then that agency head discovers in the next budget cycle, his budget has been cut 30%, all of a sudden that priority collapses.
Chairman Connolly: (01:29:22) Secondly, though, we need agency heads to show leadership. It's not that different. It is different, but in the private sector, the CIO says we're going to replace our entire legacy system. And you got two years, Mr. Cornelius, to get it done. Then if you don't, I'll find Mr. Comer. He'll do it. Guess what happens? Resources get marshaled. Because people follow the directive of the management, and management has to pay attention to it and make sure it is being done. So it's not only money. It's also about management will and leadership. If we're ever going to get some of these legacy systems retired, and-
Chairman Connolly: (01:30:03) If we're ever going to get some of these legacy systems retired, and thank you for yielding and if you wanted to comment, Mr. Cornelius, feel free.
Matthew Cornelius: (01:30:08) Both Chairman ranking member Comer, that is incredibly well said. It takes, and I mentioned this, I think, in my full written statement, not my opening remarks, which is it actually takes a commitment from leadership, agile acquisition authorities, multi-year funding, strong oversight, and a commitment from the workforce to get this done. And so, I think when you have those five pillars all together and you can look at things over a long period of time, not decades, but hopefully a few years to move the ball forward, I think that's incredibly effective. I want to commend a lot of the CIOs and even agency heads in this administration and in the previous administration who really understood that technology was the fundamental underpinning of how their agency functions and how it delivers services and really made IT a priority. So, we have a lot of great leadership in the executive branch and in Congress on that point.
Chairman Connolly: (01:31:01) Thank you. Thank you, Mr. Comer for yielding. Mr. Lynch. I understand that you're back with us.
Mr. Lynch: (01:31:09) Hello, Mr. Chairman? Yes, I am.
Chairman Connolly: (01:31:11) Yes, you're recognized for five minutes. Welcome.
Mr. Lynch: (01:31:15) Thank you, Mr. Chairman, and for the 20 years I've been in Congress, I can echo the Chairman's concerns as well. We've been dealing with this issue consistently year to year, year in and year out. If there's any one area that shows how slow our government responds to reality and technological change, it's this issue. And we're at a point where we not only need to catch up to and renovate some of the legacy systems, but even some of our systems that have been able to maintain some level of competency are being outpaced now, and I speak specifically to the blockchain network.
Mr. Lynch: (01:32:09) So, there are a number of applications, I think, of blockchain that they could help us enormously. I have a bill right now that was offered several months ago to put the bio defense stockpile on blockchain, so it would be transparent, not an open blockchain, but a closed blockchain, a private blockchain with the government and some of our state partners. But I would just offer, to any of our witnesses, do we have the ability to, to try to leapfrog some of these legacy systems by adopting a blockchain type system to replace of the old bureaucratic ... Some of the outdated systems that we're using right now?
Gordon Bitko: (01:33:11) Congressman, there's no doubt that there is the capability in government to deploy sophisticated technology. It happens across many federal agencies today. I think the question about whether blockchain should be used versus other technologies, it really comes into what's the specific process or problem that's trying to be solved? There are some cases where blockchain might be a really good fit. There are going to be other areas where not necessarily the right thing. I think that it's important for ... As IT investments are made, for Congress and for agencies to be careful about not being too prescriptive, right? Because there will absolutely be times where, yeah, we should use blockchain, but many of these legacy systems that we are struggling with now, they exist because there was some prescriptive requirement or some regulatory requirement or an agency process that was put in place years ago and that the agency is still complying with. And so, every time we do that, that builds onto the complexity that Mr. O'Keeffe was talking about before. So, I think what I'm saying is we need to find the right balance of encouraging investment in the right new technologists in the right cases without being so prescriptive that it limits other opportunities down the road. Matthew Cornelius: (01:34:21) Congressman, if I may- Mr. Lynch: (01:34:22) I appreciate that. I was actually stringing to the idea of a bio defense stockpile, where you do have 50 state partners. We've got a menu of items that we believe people necessary going from pharmaceuticals to PPE. And it's, I don't know, I just think it lends itself to that blockchain system where multiple parties would be able to have transparency of what is in the stockpile and whether the federal government and our states are actually prepared. Right now, the current system is it lacks all transparency. There's no accountability. 
If you use the Ethereum network, for example, you could have smart contracts that actually use the internet of things to actually order PPE as it reaches its expiration date. Those types of innovations that might be helpful in the bio defense stockpile application. I agree with you wholeheartedly. You can't just simply say, "Okay, use the blockchain for every application and every need." But I just thought that the bio defense stockpile, because it is rather static and well-defined, that it might be one of those functions that would actually help governments begin to explore some of the new technologies and actually find government applications that could be served by that technology. Chairman Connolly: (01:36:13) Mr. Lynch, did you want to invite other members of the panel to respond? Mr. Lynch: (01:36:21) Please. Chairman Connolly: (01:36:23) Ms. Shank or Mr. O'Keeffe? Hannah Shank: (01:36:27) Yes. Thank you. I want to reframe the conversation just a little bit, because we were talking earlier about the idea that you're tearing down a bridge and building a new bridge when you think about replacing a legacy system, and I'm not ... I think that's not exactly the right metaphor. And so, I just want to put in everybody's minds the way that technology typically is developed today is to build something small and test it, launch it, and then build on that, so that when we were talking previously about these multi-year contracts, yes, to ultimately replace everything that a legacy system does is likely a multi-year effort, but it could be a couple of months to replace a small piece of that, and another couple months to replace the next piece of that. Hannah Shank: (01:37:18) So, I think it's very overwhelming to think about taking an entire legacy system offline and replacing it with blockchain. So, I think that it is a little bit easier to think about what does this thing do and how do we make sure with the current technology we're doing that to the best of our ability? 
And the way that the technology that guides that may change. It likely will change. So, to echo what was just said [inaudible 01:37:52] being technology agnostic and not too prescriptive. Chairman Connolly: (01:37:57) Thank you very much. Mr. Lynch: (01:37:59) Thank you very much. I yield back. Thank you. Chairman Connolly: (01:38:01) Thank you, Mr. Lynch. Thank you for joining us today. Chair will now recognize himself for five minutes. Mr. Bitco, could I follow up on something you said about FISMA? Let me first of all invite your organization, as well as anybody else, to work with us in updating FISMA. I completely agree with you. I think the last time we even authorized FISMA or went through a reauthorization, I was a freshman. It was 10 years ago. And that's an eternity and technology. So, I would invite you very much to be in touch with our subcommittee in reviewing an update of FISMA. I think that's a great idea. Chairman Connolly: (01:38:45) Let me ask you, Mr. Bitco and you Mr. Cornelius, and the others could come in as well. We had a hearing last week on the solarium cyber commission, and one of its recommendations was effectively to create a cyber Czar and while in and of itself, that may be a great idea, I am concerned that we have a ... Okay, now we'll have a CTO, we'll have a CIO, we'll have an information security chief, we'll have a science technology advisor, and now we'll add a cyber Czar. We're trying to, through [inaudible 01:39:27] evolve into a Premus inter pares where there's one CIO vested with the responsibility for making these investments and making them work, including making sure they're cyber secure, and I just wonder if you would have any thoughts or concerns to share with us about that kind of management structure. Mr. Bitco, did you want to comment first and then I'll call on Mr. Cornelius. Gordon Bitko: (01:39:58) Certainly, sir. Thank you for the question. In general, I think we support the idea of a, of a cyber Czar. 
There is, I think, a need for somebody who's providing that coordination. The mission, as I understand, the cyber Czar is different from the CIO is different from the chief information security officer and there is a need and a role for all of those. I do think it's [crosstalk 01:40:22] Chairman Connolly: (01:40:24) Can I interrupt you, Mr. Bitco though? Gordon Bitko: (01:40:25) Please. Chairman Connolly: (01:40:26) I mean, all right. Let's stipulate. That makes sense. But would you not agree that the cyber Czar can't do a great deal if he's dealing with 40 year old legacy systems? That the upgrades we're talking about have to happen to create the predicate of a cyber secure environment and he or she is not responsible for those investments? The CIO is. Gordon Bitko: (01:40:53) Sir, there's no doubt that there is a close dependency between the cyber Czar's piece of the mission that is about cyber security and the investment in legacy systems and modernization and the work that's being done at the OMB CIO level and at the CISO level. Those things all have to work well together. I think though, sir, you're hitting on a point that in the private sector, this is an ongoing topic of discussion as well. Exactly how all these different entities should be reporting into an organization is ... The thinking on that continues to change and evolve, and you can look at some organizations today where the enterprise CISO, for example, in many large banks, doesn't report to the CIO, but reports directly up to the CEO or the chief operating officer, recognizing the importance of the security mission in of itself. Gordon Bitko: (01:41:39) And even though it's not a cost center in the same way that other parts of the business might be, it's so important to the mission. 
I think that some of what I'm saying here is that we need to raise the game of the entire federal government and the knowledge of all of our senior leaders about these technology issues, about cyber security issues across the board. I think that a way to do that is to have there be somebody who's responsible looking at across all those things. But another way to do it is to realize that the challenge and the mission is so broad here that it's more than a one person job. Absolutely, some work needs to go into figuring out how all those pieces work together, or they won't be successful. That is a [crosstalk 01:42:16]. Chairman Connolly: (01:42:16) I certainly agree with you, but when you ask yourself what could go wrong with that kind of non-hierarchical overlapping reset of responsibilities to something so important? One is somewhat concerned. It's not like it's worked well up to now, and adding one person vested with cyber has the risk, knowing the federal government, of creating a new ... With the best of intentions, a new silo. Oh, well that's her responsibility or his responsibility, not mine. And that is of concern. Mr. Cornelius, did you want to respond to that? Matthew Cornelius: (01:42:55) Thank you, Congressman. I generally echo Mr. Bitko's comments about the cyber Czar, and I would, as I understand the recommendation, one of the responsibilities of the cyber Czar would be to help sort of coordinate and understand and oversee budgets for individual federal agencies when it comes to their own cybersecurity posture, but to also do this sort of higher level cyber cybersecurity coordination across FBI, CISO, [DIC 00:13:21], other places, and I do think coordination across these agencies without what I will call ... Offense is not the right word, but sort of outward facing cybersecurity responsibilities versus agency CISOs, which have internal agency facing cybersecurity responsibilities. I do think stronger coordination there could lead to some better outcomes. 
Chairman Connolly: (01:43:41) Yeah, because we're so good at coordination in the federal government. Okay. Mr. Hice: (01:43:45) Mr. Chairman, Mr. Chairman. Chairman Connolly: (01:43:47) Yes. Mr. Hice? Mr. Hice: (01:43:48) Just real quickly, I would just like to say- Chairman Connolly: (01:43:50) Of course. Mr. Hice: (01:43:51) I think there were several on our side that would share some concerns. It's certainly an issue that needs discussion. It needs to be worked through, but there are certainly as well, some very serious concerns, and we'd be happy to work with you as we go through this. Chairman Connolly: (01:44:05) And as you know, Mr. Hice, I shared your concerns. It's not that it's a bad idea in and of itself, but how will it work in the context that exists? And we want it to work. We certainly agree all of us that cyber is a growing concern. We know there are cyber attacks right now as we speak on Western institutions that are trying to develop a vaccine, for example. So, we all understand that. The question is what's the best way to do it? And I want to make it work. And I know you do as well, Mr. Hice, so those are shared concerns. Chairman Connolly: (01:44:42) Let me end, if I may, with one more question put to each of you on the panel. Give us a grade for how well, from an IT point of view, the federal government has done during this pandemic and economic collapse? And who's your favorite example of either getting it right or kind of not getting it right? I'm not trying to flail anybody, but I think lessons learned are really important. And I gave some of mine. Etran, SBA, some of the IRS failures in terms of getting out the direct payment checks. Certainly at the state level, the collapse of unemployment systems on an IT basis is very painful to watch and experience. Mr. O'Keeffe, would you like to start first? Steve O'Keeffe: (01:45:37) Thank you, Mr. Chairman. 
We executed a program called CIO Crossroads, where we interviewed each of the federal CIOs and asked them for their pandemic experience. And overall, I would give the federal CIOs an A for effort. Everybody was working around the clock to try and make things happen. At the overall level, Suzette Kent did a fantastic job bringing the CIOs together. Were there challenges in many of the legacy systems? Yes. And what we saw was those agencies that have already made the jump to the cloud were much more effective, and agencies like SBA, which had challenges, I would applaud the work of Maria Rote and Guy Kabbalah over at SBA who, in the middle of this storm and there were challenges at SBA, managed to have the authority to shut down legacy systems and make hard transitions. So, I think overall, the CIO core did very well. Agencies had their challenges and it reinforces their requirement to move to the cloud and also elevates the role of the CIO. And so, we need to double down over time. Chairman Connolly: (01:46:48) Thank you. Ms. Shank. Hannah Shank: (01:46:57) I was a terrible student, so I don't want to give anyone grades, but I will say that [crosstalk 01:47:03]. Chairman Connolly: (01:47:03) Oh, come on. We're about to have a hearing next week where we give every federal agency a grade. You want a cop out? Hannah Shank: (01:47:17) I think that it's also an unfair assessment because when something isn't working well at a baseline level, going back to the bridge example, if you have a bridge and it does well with everyday traffic, but then suddenly there's 10 times the amount of traffic, it, in theory, should be built to sustain that, but a lot of our tech systems at the federal level are really only, and also at the state level, are really only keeping up with ... They're barely making it through just the every day, so then [inaudible 01:47:51] pandemic are tenfold. I will say that the IRS ... After the CARES Act passed, there was a ... 
Non-filers were not able to file, and we actually at Numerica did work to discover that hole, and as soon as we made that public, the IRS did very quickly spin up a tool for non-filers to be able to file for the stimulus. So, I will give them credit for that. Should it have occurred in the first place? No. I think that's ... Yeah. Thank you. Chairman Connolly: (01:48:32) Well, if I could just add to your point, I mean, we're not trying to lay blame. Let's take IRS. IRS had trouble in part because it experienced over a 10 year period a 20% cut in its budget and it was starved of resources, including IT resources. So how can one be surprised that when all of a sudden we are faced with a pandemic and an economic collapse of almost unprecedented proportions, IRS doesn't have the capacity to respond with the alacrity we would like? That's on us for the resources we deprived it quite consistently over a 10 year period. Chairman Connolly: (01:49:14) So, I'm not trying to give a grade. We're going to bring them and flog them before the public, we bear some responsibility, but we need to identify performance and we can all then argue about or debate about what contributed to that performance. Mr. Bitko, did you want to comment on what kind of grade you might give the federal government in terms of response to these twin crises and any candidate you want to praise or maybe highlight in terms of a significant concerns or failures? Gordon Bitko: (01:49:54) So I would agree with the A for effort coming from Mr. O'Keeffe. I think lots of federal agencies put a lot of hard work in and managed to sustain operations and keep going, and that's, frankly, impressive and probably better than I would've anticipated at the very beginning of the crisis. 
I think where the grade is maybe a little bit less good is in the [coup 01:50:17] planning that agencies would have been doing beforehand, where the coup planning was based on post 9/11, or even going back to the cold war era, and you need to be out of the immediate DC area, and so agencies have warehouses out in West Virginia or out in Virginia, where employees would go work. And that obviously is not a viable situation today. And that highlights that some of those planning processes need to really be rethought. Gordon Bitko: (01:50:44) And I think this is a place where agencies and CIOs need to do a better job of integrating that thinking and together and understanding that technology is so fundamental to the mission that there are other better, different solutions than having a warehouse out in the middle of nowhere where you cram a thousand people into it with a bunch of computers. But I do think that agencies figured out how to get past that. And so, that was an impressive recovery, and I will use the opportunity to laud my former agency who was not an agency that was disposed to tele work by any means. The mindset definitely was you've got to be in the office to do the job. And tele work was the exception only in extreme circumstances. They managed to deploy technologies, leveraging the cloud, leveraging virtual desktops, leveraging modern solutions, and from what I hear from a lot of my former colleagues now, they're sitting there saying, "Why are we ever going to even go back into the office? We're working so effectively remotely now." Gordon Bitko: (01:51:39) Which I think is a great thing. I think it puts a challenge on government agencies for long-term strategic planning when you've had capital budgets based on big facilities that rent a first base for the entire workforce. Is that the right model going forward? And I think that's something that is a question Congress should be asking. 
Do we need to plan for, if the agency has 50,000 employees, 50,000 desks that employees are going to come in and sit at? Or can we get by with a lot less than that because we've delivered successful remote work? Chairman Connolly: (01:52:09) Good point. And I think at some point, that's going to be a worthy study in terms of permanent, quasi-permanent changes post-pandemic, and certainly workplace changes are going to be considerable. And I agree with Mr. O'Keeffe. Tele work is absolutely going to be a permanent part of the future looking forward, whether it replaces all physical work, that's a different matter. I doubt it. But certainly it's going to be a tool in the kit bag and far more pronounced and commonplace than it has been in the past. Mr. Cornelius, you get the last word on that question. Matthew Cornelius: (01:52:47) Thank you, Congressman. And I will take your bait and say that I think Congress has actually done a pretty good job of dealing with the COVID response. I mean, you- Chairman Connolly: (01:52:55) Thank you very much. This hearing is adjourned. Matthew Cornelius: (01:52:58) But in all seriousness, I mean, when this happened, you didn't go and just build new hearing rooms. You used WebEx, which is a commercial capability to do this, and now you're kind of doing a little bit of both, this is what the hybrid hearings are, but I think that is a very salient point of how you shift from a legacy mindset of, "Well, we can't meet in person. Let's go find different ways to meet in person." to we've got this great commercial technology. Maybe we should use that to have hearings and build records and everything else. And to the executive branch's credit, I think of something like the paycheck protection program. I mean, SBA was responsible for getting more money than was allotted in all direct spending in the American Recovery and Investment Act out themselves in less than agencies spent those recovery act dollars. 
Matthew Cornelius: (01:53:47) So, obviously doing that is going to cause some complications, but I think SBA acquitted themselves quite nicely, and I think it's because of tremendous leadership at the top of the agency with both their former and current CIO investing in cloud, investing in a lot of these modern commercial capabilities, they were able to do that. And the last point I'll make, and we've talked about this with the sort of funding and everything else is I think Congress ... I think there's a great analogy that is happening right now in the House of Representatives. Matthew Cornelius: (01:54:18) It's my understanding that you all are considering the Great American Outdoors Act this week. And I think it's a perfect analogy to what we've talked about with legacy IT. I mean agencies, or the National Park Service has spent years being underfunded and cannot actually go back and invest in all of the upkeep and maintenance they needed to do on park lands, and now Congress has recognized it and said, "All right, we're going to find a way to make sure that this is funded going forward so that you can do that." And I think, one, I commend Congress on that, and I hope the bill moves forward. And secondly, I hope Congress takes that same position when it comes to legacy technology and it will be a different challenge and it will be more complicated because it crosses all agencies and it's not just about one individual government program or one agency. Matthew Cornelius: (01:55:07) But I think the only way that we're going to continue to learn from COVID and really take the lessons and, and the good and the bad that are happening right now as we sit here and embrace those challenges or overcome those challenges and embrace the opportunities that COVID has provided is to ensure that there's enough funding and enough accountability and enough flexibility for agencies to buy and use commercial technology to deliver better outcomes for citizens. Thank you. 
Chairman Connolly: (01:55:36) Thank you. And I would just say one of the questions that did not get asked often enough, quite frankly, in putting together the CARES Act or the HEROES Act for that matter is what's the capacity of the recipient agency to be able to do this? You mentioned SBA, we changed eligibility, we pump more money into SBA than at least 10 years of its budget in less than 10 weeks. We wanted them to expand financial institutions that could carry those portfolios. We changed ... Simplified the application, and we were willing to convert it under certain minimum circumstances from a loan to grant. Now, what's the capability of reprogramming your system, SBA, let alone also monitor this for fraud for yes, you're eligible, no, you're not, for determination of amounts, on and on and on. Chairman Connolly: (01:56:40) And same thing with unemployment insurance, we changed eligibility. We extended the time period. We added $600 a week. That all had to be reprogrammed in 50 individual systems. And then, we broadened the eligibility to gig workers, sole proprietors, self-employed. And of course, again, the volume was enormous. So, we've had 47 million people file for unemployment insurance in this time period. And what we found was individual IT systems in the states were simply not capable of handling the volume or reprogramming the eligibility and the terms. And many of them have legacy systems that still use COBOL to go back to the night late 1970s. And so, we need to pay more attention to both the federal recipients of federal money and the state recipients. If we're concerned about efficacy and making sure that we're minimizing the pain out there that we're trying to address. IT is integral to that. It's not kind of a sideshow that we can get around to. So any rate, I thank all of my panelists. I thank my colleagues for making today possible. And Mr. Bitko, don't forget the invitation to talk to us about this FISMA. Gordon Bitko: (01:58:18) Intend to. 
Thank you, sir. Chairman Connolly: (01:58:18) Okay. All right. So without objection, all members have five legislative days within which to submit additional written questions or material for the witnesses through the chair, and we'll forward those to the witnesses and would ask for their speedy response. And with that, this hearing is adjourned.