STATEMENT OF RICHARD A. SPIRES, FORMER CHIEF INFORMATION OFFICER OF THE U.S. DEPARTMENT OF HOMELAND SECURITY AND THE INTERNAL REVENUE SERVICE, BEFORE THE SUBCOMMITTEE ON GOVERNMENT OPERATIONS OF THE HOUSE COMMITTEE ON OVERSIGHT AND REFORM

AUGUST 3, 2020

Good afternoon Chairman Connolly, Ranking Member Hice, and members of the Subcommittee on Government Operations. I am honored to testify today in regards to the Federal Information Technology Acquisition Reform Act (FITARA) and the FITARA Scorecard that Congress has been issuing over the past five years. My testimony will first reflect back on FITARA and the use of the scorecard as a means to ensure there has been proper oversight of agencies as they have worked to implement the tenets of FITARA. I then follow with my views regarding the current state of Federal IT and the value it is bringing in supporting agencies to operate both effectively and efficiently. The majority of my testimony will provide a forward look on Federal IT and recommendations to the Subcommittee on how best to evolve the scorecard. I hope my testimony is of value to Congress as a means to help keep the FITARA Scorecard a valuable oversight tool.

Having served as the Chief Information Officer (CIO) of a major department, the U.S. Department of Homeland Security (DHS), as well as the CIO for a large bureau, the Internal Revenue Service (IRS) in the Department of Treasury, I had ample opportunity to understand the management dynamics inherent in federal government IT. I also had the honor to serve as the Vice Chair of the Federal CIO Council for three years, working to help drive improvements in the management of IT across the federal government. During the time the FITARA legislation was being drafted, I was the DHS CIO and provided both testimony and input to Congressional staff regarding issues I found with IT management and recommendations for its improvement. I hope these efforts were at least in some small way helpful to Congress as the FITARA legislation was being
developed.

Reflections on FITARA and the Scorecard

I was pleased when the FITARA legislation was passed by Congress and signed into law. But I also had trepidation, as past legislation, notably the Clinger-Cohen Act of 1996, attempted to address a number of issues regarding IT management, but there was no substantial impact on improving agencies. FITARA, however, has had a significant positive impact on agencies. While the text of the legislation itself has been of aid, I believe it has been the oversight of Congress that has been the driving factor in making improvements. And I note that the passage of FITARA and subsequent oversight efforts, particularly by this Subcommittee, have been handled in a bi-partisan and unified approach. That has made a significant positive difference in how seriously both President Obama’s Administration and now President Trump’s Administration have handled implementation of FITARA.

This spirit of bi-partisanship started with the drafting of FITARA, with the legislation being cosponsored by Chairman Issa and, at the time, Ranking Member Connolly. And over the past five years we have continued to see consistent oversight with the development and evolution of the FITARA Scorecard. Representatives Hurd, Meadows, and Kelly all have played leadership roles during this time. And today, Chairman Connolly and Ranking Member Hice continue to provide bi-partisan leadership on FITARA—it is heartening to see this level of dedication from Congress to help ensure better use of IT in government agencies.

In reflecting on the impact of FITARA and related oversight, the improvement in grades on the FITARA Scorecard over time tells part of the story. But in addition, we have seen tangible improvements in federal IT, to include:
• Greater use of strategic sourcing vehicles and enterprise licensing agreements that, for some of the larger agencies, save them hundreds of millions of dollars a year
• Significant consolidation of data centers resulting in billions of dollars
saved
• Improved management of IT programs through the use of incremental delivery methods and now the burgeoning use of Agile and even DevOps methodologies
• Improved CIO authorities, with more CIOs reporting to the head or deputy head of agency and CIOs having greater insight to and oversight of agency IT spending

Certainly some credit goes to the agency CIOs themselves for the good work they do every day. And I have been impressed with the leadership from OMB, with Tony Scott and Suzette Kent both bringing significant experience and good leadership to the Federal CIO position. But I reiterate that the significant difference from past efforts is consistent and sustained Congressional oversight.

Current State of Federal IT

While we have made progress in Federal IT over the past five years, much work remains to reach a state of “best practice.” Two weeks ago, in a hearing of this Subcommittee on IT Modernization, Chairman Connolly stated in his opening statement: “Our federal government’s consistent failure to prioritize IT modernization and program delivery prevented the public from receiving the assistance Congress authorized to help the nation weather one of the worst global pandemics and economic crises of our lifetime. We can no longer afford to defer upgrades. We can no longer allow outdated and legacy technology to stymie the delivery of vital public services.” At the same hearing, Ranking Member Hice stated: “I think we are all very much aware of the need for modernization in this area. The lack thereof certainly exposes us to security risks as well as the inability for flexibility and scaling up. Ultimately, our agencies are incapable of meeting the needs and the responsibilities they are required to do. Yet we as a government continue to spend the majority of our budget on maintaining these legacy systems rather than taking us into the new era of computer needs.”

Yes, we do have more work to modernize our IT systems. But even if we had unlimited funds to
invest in IT, the federal government would struggle because many of our agency IT organizations, even with the progress made during the past five years, still do not have the management maturity and skills to effectively deliver large-scale IT modernization. In 2015, the United States Government Accountability Office (GAO) placed the whole federal government on its High-Risk List for “Improving the Management of IT Acquisitions and Operations.” In GAO’s latest report on its High-Risk List, published in January 2019, GAO provides an update on this particular high-risk item. While GAO gives OMB credit for demonstrating leadership commitment to address weaknesses in management of IT acquisitions and operations, the report goes on to state the government has only partially met requirements in the capacity, monitoring, action plan, and demonstrated progress elements of this high-risk item. For instance, in terms of capacity, the majority of the 24 CIOs of the major federal agencies acknowledged they were not fully effective at implementing IT workforce responsibilities. In terms of monitoring, GAO reported that the majority of 22 agencies reviewed did not identify all of their IT contracts, leaving about $4.5 billion in IT-related contract obligations beyond those reported by agencies. Finally, in the action plan element, GAO had recommended that 12 agencies identify and plan to modernize or replace legacy systems. As of December 2018, only 3 of the 12 agencies had implemented GAO’s recommendation and made progress in planning to modernize their legacy systems.

Recommendations to Evolve the FITARA Scorecard

Given the existing challenges in Federal IT, active bi-partisan Congressional oversight is vital to continued progress. And given the success of the FITARA Scorecard over the past five years, the scorecard should continue as the means to measure agency progress over time. The FITARA Scorecard has evolved, augmenting the original four categories with categories related to software licensing, working
capital funds, cybersecurity, and CIO reporting to the head or deputy head of agency. Given the precedent for evolving the scorecard and the continued challenges agencies face in IT modernization, now is the right time to once again evolve the scorecard. I recommend the following changes:

Add an “IT Planning” Category – Meaningful IT modernization starts with good planning and support by agency leadership. Hence, this category should reflect the maturity of an agency’s planning function and enterprise architecture. In terms of planning, the agency should have a strategy that recognizes the importance of IT modernization and retirement of legacy IT systems, with specific IT modernization objectives included in the agency strategic plan. These IT modernization objectives should be driven by agency mission program priorities and be integrated into agency budgets and performance plans and measures. Such IT modernization plans should be captured in and be supported by an agency’s enterprise architecture (EA). Included in an agency’s EA should be the definition and use of functional portfolios, target “to-be” business, technical, and data architectures that drive modernization, and governance that effectively allocates requirements from enterprise to portfolio to program or project for implementation. All of this should be captured in an agency EA transition strategy that is aligned with the agency strategic plan and is tracked and updated on a yearly basis.

Combine the “Incremental Delivery” and “Transparency and Risk Management” Categories into a broader “Delivery of IT Programs” Category – Good planning, while necessary, is certainly not sufficient. Agency IT modernization occurs through the successful delivery of IT programs and projects, and as such there should be a category that measures the maturity of agencies in being able to manage such programs and projects. Such a measure would ultimately include the compilation of agency measures in the following sub-categories:
• Demonstrated use of appropriate program and project management disciplines
• Professional development approaches to develop staff to fill critical roles in a program management office (PMO)
• Comprehensive approach to stakeholder engagement and program governance
• Development and use of a systems development life-cycle (SDLC) that can be readily tailored for all types of IT programs
• Commitment to incremental delivery and demonstrated use of Agile and DevOps techniques in programs, when appropriate
• Proper and timely program status reporting

While this measure may appear complex, there are well understood and documented best practices in each of these sub-categories that can be measured to arrive at a composite grade regarding how well a government agency is able to manage its IT programs.

Evolve the “Managing Government Technology” Category to a broader “IT Budget” Category – This category should keep the element of an agency having an IT working capital fund. Yet one of the issues that most federal government agencies face is not having good insight into the cost elements of the agency’s IT budget. On a positive note, the federal government has adopted the Technology Business Management (TBM) taxonomy, which is an industry-standard taxonomy for categorizing IT costs, enabling agencies to capture IT cost detail and determine what it costs to deliver its IT services. With such information, agencies are then able to benchmark themselves in the provision of commodity IT services, such as standard desktop applications, collaboration tools to include e-mail, access services such as remote access for employees, and basic compute and networking capabilities. Agencies should both understand the cost to provide such services but also have insight to how they stack up with benchmarks from other similar-sized agencies and private-sector corporations.

Add an “IT Workforce” Category – While more difficult to measure, there is hardly a more important category regarding the ability for an
agency to properly manage IT. I recommend a measure be created that combines the following elements:
• The agency CIO, partnering with the agency CHCO, have developed a set of competency models for the key positions in the IT organization; these models include the knowledge, skills, and abilities (KSAs) for each key position, along with expected behaviors for the position.
• The agency, based on these competency models, has developed career development paths for the more senior IT positions, with such development paths outlining approaches for developing the needed KSAs, to include formal training, work assignments, and mentoring.
• All IT staff in the agency have, as part of their annual review process, formal individual development plans (IDPs) that support an individual in his or her career aspirations over at least a five-year period. Many of the IDPs would leverage the use of KSAs from agency position competency models and associated career development paths.
• The agency has a current IT workforce plan in place showing where the agency has current workforce talent gaps, along with projections of gaps over a three-year period. This plan should outline employee development and recruiting needs to address the agency talent gaps over the three-year period.
• The agency demonstrates it has a comprehensive recruiting approach to address key IT workforce gaps, using all of its special authorities and government-wide recruitment efforts to be able to recruit individuals into IT positions.

Only with this level of workforce development can agencies build, over time, a capable IT organization needed for sustained success.

Evolve the “Cybersecurity” Category – I was pleased when a cybersecurity category was added to the scorecard, as cybersecurity is such an important part of a CIO’s set of responsibilities. However, we should recognize the FISMA measures, even with the modifications to the law made in 2014, along with the cybersecurity cross-agency priority (CAP) goals, do not address the full scope of an
agency’s cybersecurity posture. For instance, as agencies deploy cloud computing, identifying whether federal agencies have developed reference architectures for secure cloud deployments—understanding what security capabilities are provided by public cloud providers (infrastructure security) and what data/application security capabilities lie with the agency (data security)—provides a more meaningful view of agencies’ cybersecurity risk posture. This points to the need for agencies to use an enterprise cybersecurity risk management framework to ensure agencies are focusing on protecting their most sensitive data and critical systems. The good news is NIST has developed such a risk management framework, called the NIST Cybersecurity Framework (CSF), and its use by federal agencies was mandated by President Trump in his 2017 Executive Order on Cybersecurity. Hence, the cybersecurity category should be revisited, starting with measuring whether an agency is properly executing the seven process steps of the NIST CSF.

Evolve the “Data Center Optimization” Category to an “IT Infrastructure Category” – The data center optimization category has been a resounding success, highlighting the need for and reporting on the status of agencies making progress in data center consolidation. The measure for data center optimization should be kept, but now is the time to evolve this measure by capturing additional measures of agencies properly leveraging cloud computing, along with modernizing their networking infrastructures. Evolving this category will require the development of a cloud computing measure, which should entail how well an agency is implementing the use of cloud computing as an enterprise capability, working to ensure it does not perpetuate additional stovepipes. In terms of network modernization, all of the agencies on the scorecard should be leveraging the GSA Enterprise Infrastructure Solutions (EIS) contract to modernize their networking capabilities. A measure regarding how
quickly an agency is migrating to the use of EIS should be incorporated into this category.

Combine the “Software Licensing” Category into the “Portfolio Review” Category – The portfolio review category focuses on how agencies achieve savings in their overall IT budget, with a particular focus on reduction of commodity IT spend. One element that should be added to this category is application rationalization, in which an agency, as part of its IT modernization efforts, looks to both modernize legacy systems but also, when possible, reduce systems duplication. Regarding licensing, I found at both IRS and DHS that there were significant savings to be found in continuing to pursue enterprise license agreements with major IT suppliers for software, hardware, and IT services such as cloud computing. Given the current measure for software licensing, I recommend this measure become an element of the portfolio review category and be revised to “raise the bar” so that agencies continue to explore how they can drive savings through improved supplier management practices and the use of enterprise agreements and category management concepts.

Add a “Customer Satisfaction” Category – Part of what FITARA addresses is working to ensure that an agency CIO has the proper standing and authority to effectively oversee all IT in an agency. Yet IT organizations are service organizations, providing capabilities and services that support other mission and business elements of an agency. As such, IT organizations have customers, typically citizens or other constituents external to an agency, along with all employees of the agency. A core measure for all agency support organizations should be customer satisfaction, and it is common practice for customer satisfaction scores to be captured and reported for IT organizations in private sector corporations. It would be a best practice to administer a standard customer satisfaction survey to all agencies so this category can be added to the FITARA
Scorecard. Such a survey should incorporate the tenets of the IDEA Act, passed in 2018, which addresses some elements of customer satisfaction, with a focus on the online customer experience for citizens using federal agency websites.

Keep the “CIO’s Boss is the Head or Deputy of the Agency” Category – Congress should continue to shine a spotlight on to whom the CIO reports to in an agency. Frankly, given the utmost importance of IT and good IT management to all agencies in providing both effective and efficient mission services, CIOs should be advisors to the head and deputy head of an agency and partners with the mission owner executives. As such, CIOs should report directly to either the head or deputy head of an agency.

___________________________

The current FITARA Scorecard has eight categories. If the recommendations I described above were all implemented, the scorecard would then have nine categories, so the scorecard could still be presented in a summary on one piece of paper. Yet these revised measures, based on my experience having been an agency CIO at a department and bureau, would provide increased insight for Congress in ensuring each agency is driving toward implementing best practices in IT management.

Recommended Next Steps

A number of the new or revised categories I recommend require more in-depth analysis to determine the specific elements that would make up the measure for a category and what additional data would be required for agencies to report to GAO so that the category could be graded. If Congress agreed to evolve the scorecard to the degree I am recommending, it would probably take two years to make all of the changes to the scorecard, although the changes could be phased in over that period so that every six months the scorecard would evolve.

The scorecard is a tool to support Congressional oversight, and as such it is Congress’ decision regarding the categories that will be included in the scorecard and the measures that constitute each category. Yet given
there is bi-partisan agreement of the need to continue to improve management of IT in our government and the value of the scorecard, I recommend Congress convene an advisory group that would develop recommendations to evolve the FITARA Scorecard. This advisory group should be headed by GAO but include representatives from the Federal CIO Council, the Office of the Federal CIO within OMB, and representatives from the private sector to ensure industry best practices are considered. I recommend that the American Council for Technology – Industry Advisory Council (ACT-IAC), a unique government and industry non-profit organization whose mission it is to support government through the use of technology, be the means by which private sector input is obtained. ACT-IAC has already played a role in FITARA, providing support to OMB as they developed their guidance to agencies for FITARA implementation. Such an advisory group would gather recommendations from those of us testifying today, along with other interested parties. Over a three-to-six month period, the advisory group could provide Congress a set of proposed changes to the scorecard, proposed phasing plan for the changes, and a plan for implementing the changes in agency data collection necessary to support Congress and GAO to properly grade each category.

The passage of FITARA, together with Congressional oversight, most visibly demonstrated through the semi-annual publication of the FITARA Scorecard, has had a very positive impact on Federal IT. Yet it is also the case most agencies are still far from best practice for IT management and have significant modernization challenges. Given the scorecard works, let’s commit ourselves as the federal IT community to evolve the scorecard to support and drive agencies to more rapidly adopt IT management best practices and move aggressively to modernize agency processes and systems.

Thank you for the opportunity to testify today.

Richard A. Spires

Richard A. Spires is
currently an independent consultant providing advice to companies and government agencies in strategy, digital transformation, operations, and business development. Mr. Spires currently serves on the Board of Directors of MAXIMUS Federal, a leading federal system integrator, and RateReset Corporation, a leading provider of loan reset products serving the banking and credit union industries. He also serves on the Palo Alto Networks Public Sector Advisory Council, and he recently served as the Chairman of the board of ACT-IAC, a leading non-profit organization serving government IT. From 2015 to early 2020, he served as the CEO and a Director of Learning Tree International, a leading provider of workforce development and hands-on IT and management training services.

He was appointed and served as the U.S. Department of Homeland Security’s (DHS) Chief Information Officer (CIO) from 2009 till 2013. He also served as the Vice-Chairman of the Federal Government CIO Council and the Co-Chairman of the Committee for National Security Systems (CNSS), the committee that sets standards for the U.S. Government’s classified systems. He held a number of positions at the Internal Revenue Service (IRS) from 2004 through 2008. He served as the Deputy Commissioner for Operations Support, having overall responsibility for the key support and administrative functions for the IRS. Mr. Spires served as the IRS’ CIO, with overall strategic and operational responsibility for a $2 billion budget and a 7,000-person organization. Mr. Spires led the IRS’s Business Systems Modernization program for two and a half years, one of the largest and most complex information technology modernization efforts ever undertaken.

From 2000 through 2003, he served as President, Chief Operating Officer, and Director of Mantas, Inc., a software company that provides business intelligence solutions to the financial services industry. Prior to Mantas, he spent more than 16 years serving in a number of technical and managerial positions at SRA International.
He has won a number of awards for his leadership in IT, including the 2016 ACT-IAC Leadership Award, 2012 Fed 100 Government Executive Eagle Award, TechAmerica’s 2012 Government Executive of the Year, and Government Computer News 2011 Civilian Government Executive of the Year. He was inducted into the George Washington University Engineering Hall of Fame in 2019 and named a Distinguished Alumnus of the University of Cincinnati’s College of Engineering in 2006. He received a B.S. in Electrical Engineering and a B.A. in Mathematical Sciences from the University of Cincinnati. He also holds an M.S. in Electrical Engineering from the George Washington University.