Congress Wants Answers on Government IT Modernization

On March 16th, the House Subcommittee on Information Technology hosted several witnesses in a hearing to examine the state of federal information technology. In his opening statement, Rep. William Hurd stated that he feels modernization efforts have slowed in several areas and is concerned with the various GAO recommendations that have gone unaddressed. Likewise, Rep. Robin Kelly stated that the government spends $60B annually to sustain legacy IT, almost 75% of budgets going to operations and maintenance. Each invited witness testified on the issues surrounding IT modernization and other key aspects in IT such as acquisition, cyber protection and the IT workforce. Various solutions were presented throughout the hearing to address the concerns. Witnesses included:

• David Powner, Director of IT Management Issues at GAO
• Margaret Weichert, Deputy Director for Management at OMB
• Bill Zielinski, Deputy Assistant Commissioner of the IT Category at GSA
• Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity and Communications at DHS

The Issues

Three broad areas were touched on as threatening the IT modernization landscape: human capital, acquisitions and operations. According to Powner, the Cyber and IT workforce still needs work, there are gaps throughout the government, a key area where contractors can play a great role. When asked by Rep. Kelly about the workforce in relation to legacy systems, Powner stated that the issue stems from those associated with the legacy systems now leaving left and right and the government must now pay a premium to contractors to keep operating those systems, which is becoming more costly each year.

With regards to acquisitions, IT shops must be aware of IT contracts that are available. A recent GAO review of procurements showed that one third of IT contracts were not OMB or FITARA compliant. Of the 100 contracts that GAO reviewed, only 10% were approved by CIOs or their designees. Powner also stated that OMB must have governance over top procurement programs such as FAA’s Next Gen acquisitions and VA’s EHR solution.

Operations must stay the course with FITARA. Agency reform plans are only 2-3 years out and do not address modernization, however, OMB must also have an active role in replacing and decommissioning critical legacy systems.

In her written testimony, Manfra stated that DHS discovered the security challenges legacy federal IT systems posed in implementing the agency’s operational directives. Some legacy systems can no longer be patched. Moreover, other systems are not supported by security vendors and some experience major performance issues if they are not re-configured in a security upgrade. When asked by Rep. Kelly why the cyber posture in the government has increased in vulnerability, Powner explained that in the past, government systems have gotten a pass as long as they were functioning in services. Thus, efficiency and security were overlooked. This can no longer take place and firm dates to decommission these types of systems is needed.

The Solutions

Powner stated that the Comptroller General held a meeting with previous CIOs in late 2016 to explore what has worked in the past to correct issues within IT acquisition and operations:  

Weichert also announced the President’s Management Agenda (PMA), released on March 20th which sets out the long term vision for long term government and enhancing key services. Weichert hinted that the PMA addresses issues such as data, data management, workforce, CIO authority and integration of agency components to tackle siloed functions. Moreover, Zielenski announced that the five teams set up under the Centers of Excellence will act as an execution function for agencies, providing consulting and strategic planning to stand up projects around cloud adoption, optimization, customer experience, service delivery analytics and contact center.   

According to Zielenski, GSA is working to develop shared services along the lines of business. Benefits to this would include cost savings as well as improved security posture. Specifically, the shared service is designed in a common management group setting, once something is updated or implemented in a shared services environment, all related systems are updated as well. When asked what shared services are currently set up, the GSA witness stated that payroll, financial services are among those in place. Most notably, the implementation of PIV credentials is an example of a matured shared service.

In an effort to turn the FITARA scorecard into more of a “digital hygiene measure,” according to Rep. Hurd, the congressman asked for feedback on additional areas that can be added to the IT report card. At the prompting of Manfra, time to patch a critical vulnerability may be one area that can be measured. She explained that in 2014, the average government time to patch was 200 days. After DHS directives were in place, agencies are now averaging patches in 10-15 days.

Next Steps

Per Rep. Kelly, “the next few months will show how the MGT Act will spur modernization.” Weichert stated that agencies plan to share their implementation plans for MGT working capital funds with OMB on March 27th with those plans publicly shared in the early summer time frame. Moreover, GAO announced there is a review underway to identify the most critical systems across the government that must be modernized. With the administration and OMB, GAO and Congress all working towards IT modernization, the promise of change towards updating legacy systems is beginning to look promising!