S Hrg 116–283 MODERNIZING TELEWORK REVIEW OF PRIVATE SECTOR TELEWORK POLICIES DURING THE COVID–19 PANDEMIC HEARING BEFORE THE SUBCOMMITTEE ON REGULATORY AFFAIRS AND FEDERAL MANAGEMENT OF THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE ONE HUNDRED SIXTEENTH CONGRESS SECOND SESSION JULY 28 2020 Available via http www govinfo gov Printed for the use of the Committee on Homeland Security and Governmental Affairs U S GOVERNMENT PUBLISHING OFFICE 41–324 PDF WASHINGTON 2020 COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS RON JOHNSON Wisconsin Chairman ROB PORTMAN Ohio GARY C PETERS Michigan RAND PAUL Kentucky THOMAS R CARPER Delaware JAMES LANKFORD Oklahoma MAGGIE HASSAN New Hampshire MITT ROMNEY Utah KAMALA D HARRIS California RICK SCOTT Florida KYRSTEN SINEMA Arizona MICHAEL B ENZI Wyoming JACKY ROSEN Nevada JOSH HAWLEY Missouri GABRIELLE D’ADAMO SINGER Staff Director DAVID M WEINBERG Minority Staff Director ZACHARY I SCHRAM Minority Chief Counsel LAURA W KILBRIDE Chief Clerk THOMAS J SPINO Hearing Clerk SUBCOMMITTEE ON REGULATORY AFFAIRS AND FEDERAL MANAGEMENT JAMES LANKFORD Oklahoma Chairman ROB PORTMAN Ohio KYRSTEN SINEMA Arizona MITT ROMNEY Utah THOMAS R CARPER Delaware RICK SCOTT Florida JACKY ROSEN Nevada MICHAEL B ENZI Wyoming CHRIS J WHITE Staff Director JAMES D MANN Senior Counsel ERIC A BURSCH Minority Staff Director JACKIE A MAFFUCCI Minority Policy Advisor MALLORY B NERSESIAN Subcommittee and Document Clerk II CONTENTS Opening statement Senator Lankford Senator Sinema Senator Carper Senator Rosen Prepared statement Senator Lankford Senator Sinema Page 1 2 11 14 31 33 WITNESSES TUESDAY JULY 28 2020 Sea´n Morris Principal Deloitte Consulting LLP Lane Wilson Senior Vice President and General Counsel The Williams Companies Inc Michael Ly Chief Executive Officer Reconciled John Zanni Chief Executive Officer Acronis SCS ALPHABETICAL LIST OF 4 6 8 9 WITNESSES Ly Michael Testimony Prepared statement Morris Sea´n Testimony Prepared statement Wilson Lane Testimony Prepared statement Zanni John Testimony Prepared statement 8 50 4 35 6 45 9 56 APPENDIX Statement from Cisco Responses to post-hearing questions for the Record Mr Morris Mr Wilson Mr Ly Mr Zanni III 64 67 69 72 74 MODERNIZING TELEWORK REVIEW OF PRIVATE SECTOR TELEWORK POLICIES DURING THE COVID–19 PANDEMIC TUESDAY JULY 28 2020 U S SENATE SUBCOMMITTEE ON REGULATORY AFFAIRS AND FEDERAL MANAGEMENT OF THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS Washington DC The Committee met pursuant to notice at 2 30 p m via video conference Hon James Lankford Chairman of the Subcommittee presiding Present Senators Lankford Scott Sinema Carper and Rosen OPENING STATEMENT OF SENATOR LANKFORD1 Senator LANKFORD Thanks for joining today This is the hearing before the Regulatory Affairs and Federal Management RAFM Subcommittee Modernizing Telework Review of Private Sector Telework Practices During Coronavirus disease COVID–19 Good afternoon everyone In 1990 Congress passed its first piece of legislation directly related to an employee’s ability to be able to work outside of their assigned duty station The most recent and significant legislation affecting the Federal workforce and teleworking was the Telework Enhancement Act of 2010 which set the current standards for Federal workforce requirements for telework With so many changes in the world over the last 10 years or in the case of just 2020 so many changes period this year it makes sense to be able to take a look at the current telework practices to see what is working what is not working for the Federal workforce and to be able to learn the lessons of what is happening in the private sector We have a responsibility to ensure Federal workforce strategies are relevant cost-effective and well thought out Even before this pandemic many private sector companies were giving remote work flexibility to their employees The Society for Human Resource HR Management reported a threefold increase in the number of companies offering remote work options between 1996 and 2016 Obviously that has accelerated dramatically since then The Office of Personnel Management OPM reported that in 2018 only 22 percent of the Federal workforce was eligible to 1 The prepared statement of Senator Lankford appears in the Appendix on page 31 1 2 telework With the March transition to maximum telework impacting many of these positions not traditionally considered teleworkeligible we need to reevaluate eligibility and how this is determined Clearly we have more than 22 percent of our Federal workforce that is actually teleworking now Since March of this year both the Federal workforce and many in private industry have been forced into a new remote work-centric reality Almost overnight Federal agencies and private companies were forced to deal with complex problems like cybersecurity remote performance management employee engagement hiring all these on a very grand scale The pandemic has been a great disruptor but it also shines a light on broken processes and shows an opportunity for real improvement There are some very important telework questions that I believe we need clarity on in order to trudge a clear path forward for the Federal workforce For example how do we best prepare employees so that during a future disaster or pandemic we can seamlessly transition to a Federal workforce posture How do we effectively train managers to stay engaged and to monitor performance of a remote workforce We want to make sure cybersecurity threats are seriously considered and telework policy conversation are protected Being good stewards of American tax dollars something I talk about often I believe future cost-savings from reduction in needed office space could be a key component to improving remote work opportunities for Federal employees I want to reinvent the wheel so today we will start a series of Federal workforce-related telework hearings by first reaching out to some individuals in private industry to see what they have learned Those outside Federal service understand very clearly that creating efficient cost-savings workforce strategies are less a luxury and more of a necessity I want to thank this panel for taking away from their business and their very busy schedules We really appreciate the opportunity to be able to hear about your views on telework and the lessons that you have learned With that I would like to recognize Ranking Member Sinema for her opening remarks OPENING STATEMENT OF SENATOR SINEMA1 Senator SINEMA Thank you Mr Chairman and thank you for holding this very important hearing I appreciate our witnesses joining us today and I am particularly grateful to have Mr John Zanni here He is the Chief Executive Officer CEO of Acronis SCS a cyber protection and edge data security company based in Scottsdale Arizona Also welcome to Mr Michael Ly He is an Arizona native who unfortunately left our State and now lives in Vermont I am not quite sure why but you are welcome back any time From the start of the coronavirus pandemic it was clear that the public and private sectors needed to embrace telework wherever it was possible It is why I co-sponsored the Emergency Telework Act 1 The prepared statement of Senator Sinema appears in the Appendix on page 33 3 of 2020 to ensure that agencies had the authority to permit maximum telework during the pandemic The ability of COVID–19 to spread is scary and the best way for us to reduce that spread is to follow the Centers for Disease Control CDC guidelines maintain social distance and wear masks But most office buildings and traditional workplace setups are not conducive for social distancing I know many companies in Arizona had to quickly transition their workforces to telework models There are inherent challenges to implementing telework Access to broadband ensuring security in a virtual environment providing the appropriate equipment and supporting employees who feel socially isolated or challenged by the lack of person-to-person contact are some of the hurdles that Arizona companies have had to overcome I look forward to discussing these topics with our witnesses so we can develop a better checklist to help both private and public sector entities be more successful with telework I also think it is critical that we recognize many jobs cannot be done virtually Many workers do not have telework options From first responders to health care professionals many workers in Arizona and across the Nation put themselves and their families at risk to support their communities I applaud their efforts and understand that telework is one part of the larger discussion regarding how we keep our communities and families safe With that I look forward to hearing from our witnesses and I yield back Mr Chairman Senator LANKFORD Thank you Let me introduce our witnesses for today Mr Sea´n Morris is a member of Deloitte’s Government and Public Services GPS Executive Committee and the U S firm’s Operating Committee He is Chief Operating Officer COO for Deloitte’s $4 billion U S Government and public services executive business Mr Morris has day-to-day operational responsibility for more than 16 000 U S and globally deployed personnel He has responsibility for a comprehensive future of work transformation across HR information technology IT Facilities Contracts Finance Security Security Compliance Marketing and Business Development The second person is Lane Wilson clearly the most important of the four because he is from Oklahoma so I am glad that you have joined us as well Mr Lane Wilson is Senior Vice President and General Counsel GC for The Williams Companies based in Tulsa Oklahoma Prior to joining Williams Mr Wilson served as a Federal magistrate judge for the Northern District of Oklahoma and served in private practice for Hall Estill in Tulsa Mr Wilson received his bachelor’s degree in electrical engineering from the University of Tulsa his juris doctorate with honors from University of Tulsa College of Law Lane thanks for joining us today Mr Michael Ly is a serial entrepreneur and speaker cloud accounting professional He is founder and CEO of Reconciled a nationally recognized online accounting firm based in Burlington Vermont Mr Ly speaks nationally on the topics of remote work company culture entrepreneurship cloud accounting and diversity in new leadership 4 Prior to Reconciled Mr Ly worked for a variety of companies in accounting and consulting roles in Arizona which has already been mentioned Washington State and Vermont Thank you Mr Ly for being here as well Mr John Zanni serves as the CEO of an American cyber protection edge data security company exclusively dedicated to meeting the unique needs of the U S public sector including Federal State and local government education health care and nonprofit institutions Prior to leading Acronis SCS Mr Zanni held senior positions at Acronis AIG Before joining the Acronis family Mr Zanni spent 4 years at Parallels and 16 years at Microsoft a tiny little company in the Northwest So I appreciate all of your engagement and for appearing today We typically have our witnesses stand and raise their right hand Since all of you are seated at your desks or tables I assume I will go ahead and have you seated there but I would like to ask you to raise your right hand because I do need to swear all of our witnesses in as is the custom of this Committee Do you swear that the testimony you will give before this Subcommittee will be the truth the whole truth and nothing but the truth so help you God Mr MORRIS I do Mr WILSON I do Mr LY I do Mr ZANNI I do Senator LANKFORD Let the record reflect both of them answered in the affirmative We are using a timing system today As we go through this process you will see the clock up there If you are in Grid view they will show a 5-minute countdown for your testimony time I would like you to be as close as you can to that to save as much time as we can for as many questions for this But we are very grateful for both your written testimony that you have already submitted and for your oral testimony as well We will recognize Sea´n Morris first for your testimony ´ N D MORRIS 1 PRINCIPAL DELOITTE TESTIMONY OF SEA CONSULTING LLP Mr MORRIS Chairman Lankford Ranking Member Sinema and Members of the Subcommittee thank you for the opportunity to testify today on the lessons the Federal Government can learn from the private sector regarding telework My name is Sea´n Morris I am a Principal in Deloitte Consulting’s Government and Public Services business and I have spent my entire life in and around the critical missions of our government first growing up in a U S military family and professionally for more than 20 years working with government clients Currently I am the Chief Operating Officer for Deloitte’s U S Government business with operational responsibility for more than 16 000 personnel I fundamentally believe that challenges pose opportunities to rethink orthodoxies and so it is my hope that the Federal Govern1 The prepared statement of Mr Morris appears in the Appendix on page 35 5 ment like Deloitte can use this challenging moment in history to rethink how and where its workforce performs their important roles for the American people Based on the investments Deloitte has made for the past decade in technology facilities and our people for this Subcommittee’s consideration I offer four recommendations Recommendation one is to continuously invest in IT infrastructure and cybersecurity Now there are a number of core aspects of this recommendation For example consistent investment in the latest cloud-based tools is a game-changer for an organization’s ability to rapidly pivot to numerous scenarios which means IT infrastructure and technology platforms must be a focal point for organizations Next any workforce requires access to reliable broadband to successfully perform their work which means organizations should provision for different forms of broadband connectivity Additionally critical to operational success in any virtual work environment the workforce must be equipped with the correct onthe-go hardware and software which means organizations need to have a secure supply chain to enable the provisioning of IT hardware and software And finally workplaces and supporting IT ecosystems have become more diverse and extended causing an increase in cyber risks Therefore cybersecurity programs require appropriate layers of technical defense But equally important is the nurturing of a cyber culture where employees understand and counteract everevolving threats For recommendation two real estate and location footprint we are seeing the evolution of location liberation the concept that the workplace is not limited to any one single physical space At Deloitte we are working toward supporting four unique types of workplaces First the traditional office is transforming into a community hub where employees come to collaborate Next the field is where employees are empowered to be productive no matter where their work may take them Then the home which is where employees can balance work and life while maintaining productivity and finally a growing set of third places which include alternative space types Recommendation three is centered around performance management An effective performance management approach is a foundational element for building trust Deloitte’s approach to performance management is grounded in frequent meaningful conversations These conversations when coupled with reliable data enable us to understand and recognize performance throughout the year The rapid transition to virtual work presents government organizations with an opportunity to challenge the orthodoxy that physical presence and visibility in the office equals a productive and a high-performing workforce Further shifting to measuring accomplishments and outcomes over activities and labor hours allows organizations to cultivate a work environment of high-performing teams And finally recommendation four employee engagement At Deloitte we invest heavily in an employee’s experience from the recruiting phase all the way through to our alumni program This 6 full life cycle investment is widely recognized as enabling our ability to attract and retain the most diverse and skilled workforce To reinforce this point since the onset of COVID–19 and so as not to lose momentum around employee engagement we have transitioned many of our learning social impact and team-building events to virtual platforms In conclusion the fundamental principle underlying all four of these recommendations is that an organization must consider its human capital to be its core asset and build its technology and facilities accordingly to achieve a successful work environment Thank you again for providing me this opportunity to share Deloitte’s perspectives and I look forward to answering your questions Senator LANKFORD Thank you very much Lane Wilson TESTIMONY OF T LANE WILSON 1 SENIOR VICE PRESIDENT AND GENERAL COUNSEL THE WILLIAMS COMPANIES INC Mr WILSON Good afternoon Chairman Lankford Ranking Member Sinema and distinguished Members of the Committee I thank you for the opportunity to testify regarding private sector telework policies during the COVID–19 pandemic I will focus my remarks on how Williams has pivoted and evolved our telework capabilities and policies to maintain operational effectiveness productivity and efficiency across our workforce of 4 800 employees in 26 States In light of our business we had to get this issue right Today we handle about a third of the natural gas in the United States It is used every day to reliably and affordably heat our homes cook our food and generate our electricity During the COVID–19 pandemic this reliable source of energy has been crucial to hospitals and the supportive infrastructure they need and the natural gas liquids we deliver continue to be used as feed stock to make the lightweight materials necessary for much of the equipment and supplies used by those hospitals None of this would have been possible without our dedicated employees who are doing their part during these unstable times and they are doing it almost entirely by teleworking from field locations and from home Williams’ success is also due to our commitment to safety reliability and responsibility With this in mind I will share some key best practices from our transition to 100 percent voluntary work from home in March These best practices can generally be categorized into three areas one the availability of tried and tested systems and process two cybersecurity and three technology deployment Going into the pandemic Williams had the advantage of a decade of experience with significant remote work Williams categorizes its employees as field workers and knowledge workers Field workers include field technicians safety specialists and operations supervisors and represent 60 percent of our employee talent Our knowledge workers representing our remaining employee 1 The prepared statement of Mr Wilson appears in the Appendix on page 45 7 talent include our corporate support functions like finance legal and human resources Though we have central offices in Tulsa Houston Pittsburgh and Salt Lake City Williams’ preference is for our field workers to be in the field so we have developed processes and tools to enable our field workers to telework Leveraging these processes and tools allowed us to smoothly transition our knowledge workers to remote work This underscores the first best practice—a tried and tested system is key for successful telework The second best practice is around cybersecurity and the need for multifactored systems as well as employee cybersecurity hygiene training Because of Williams’ critical infrastructure status and commitment to safety our networking systems already have a layered suite of cybersecurity protection software Further our existing infrastructure and protocol allow us to remotely push patches to laptops so we have continued to protect our devices from vulnerabilities With the doubling and tripling of virtual private network VPN activity and collaboration software use we did experience an uptick in malware and phishing but one that did not impact our business As a best practice we increased internal communication to employees with reminders about good cybersecurity hygiene and made the decision to always have one cybersecurity analyst onsite in case we need to invoke our cybersecurity instant response plan Third regarding technology deployment our rapid transition to remote work depended on effective collaboration software We saw the utilization rates of this software increase between 100 and 300 percent for online chats web calls and teleconferences Our transition also relied upon employees taking home their laptops and in some cases monitors headphones and other assets Also worth mentioning when transitioning large numbers of employees it is key to have ample IT support as employees acclimate to the new technology and tools Looking forward we recognize that for some workers telework may continue to be an option but we are also cognizant of the value of in-person collaboration and idea generation that happens organically in an office environment Balancing these two factors is important and while we have not made any final decisions around a long-term telework policy we will continue to track efficiencies and productivity measures to help inform our path forward We will also capitalize on lessons learned particularly around employee engagement and continue to build on these opportunities even after we are free to return to our office environments Thank you again for the opportunity to appear today and I look forward to your questions Senator LANKFORD Lane thank you very much Michael Ly 8 TESTIMONY OF MICHAEL LY 1 CHIEF EXECUTIVE OFFICER RECONCILED Mr LY Thank you Chairman Lankford and Ranking Member Sinema and the Members of the Subcommittee for inviting me to share about Reconciled’s approach to telework or what we at Reconciled refer to as ‘‘remote work ’’ My name is Michael Ly and I am founder and CEO of Reconciled I am joining you remotely from Burlington Vermont where I live with my wife and three young children Vermont is my wife’s home State but I still consider Arizona my home State Senator Sinema and visit every year with my family to see my mother and my siblings I was actually there at the beginning of the pandemic Remote work allowed me to continue to run my business Reconciled We are an online accounting firm started about 5 years ago Today we have about 30 employees working remotely from 8 States and serving almost 200 small businesses throughout the country handling their in-house accounting services remotely and online We are recognized nationally in the accounting industry by our innovative approach and we also speak regularly on the topic of remote work how to build a strong company culture as a remote work company and how to keep remote employees engaged Since we have been operating as a remote company and completely distributed before it was popular because of COVID–19 our operations have not been greatly impacted as much as our customers I want to highlight one primary challenge to remote work that will challenge everyone involved in remote work and then highlight a few key recommendations The challenge primarily being children at home school-aged children at home This is by far the biggest obstruction to our employees’ ability to be productive and successful with remote work Most of our employees have schoolaged children that attend public schools in multiple States Having children now at home requires us to be very flexible with our employees and their work schedules so that they can both take care of their families’ needs their child’s education as well as their work responsibilities In my prepared statement I highlighted six key proposals to remote work success I want to focus on just a few of those mainly defining role expectations and outcomes regular and consistent communication schedule flexibility and taking breaks Remote workers need to understand what is expected of them to accomplish their jobs successfully Clearly defining the expectations an organization has for each employee and the outcomes that should result when a job is done well is key for the success of the remote employee Often employers assume that their workers know what is clearly expected of them The reality is employees have one expectation communicated to them when they initially start with any organization but then those expectations change as their organizations change as their roles change and when the roles now shift to work from home So clearly communicating those expectations and outcomes are important 1 The prepared statement of Mr Ly appears in the Appendix on page 50 9 The other recommendation is regular and consistent communication Never underestimate the amount of social interaction that we receive outside of our home in a physical workplace and imagine you having to recreate those virtually with a remote work team now Time at the water cooler and spontaneous meetings occur 40 to 60 percent of the time at work and the rest of your time is done actually doing work and studies have been done in multiple workplaces across the country So creating those spontaneous interactions needs to be intentional in a remote work setting as well as taking regular work meetings and one-on-one interaction with your supervisors and coworkers also need to take place Flexibility is another proposal I have highlighted in my prepared statement Flexibility may be one of the key benefits of remote work especially during a pandemic Flexibility can be seen in multiple ways including work schedule flexibility how often employees can take breaks and from what location a remote employee is allowed to work or can work The key is articulating a remote work policy that provides standards for the majority of your staff while being broad enough to fit multiple individual scenarios and that is especially important in light of the fact that school-aged children are now at home And then finally breaks Taking short and regular breaks throughout the day for remote work employees is the key to their long-term success Remote employees often find themselves more productive in the short term but if they do not take regularly scheduled consistent breaks they find their productivity decreasing and their stamina burning out Thank you for letting me come and share and I am looking forward to helping answer questions Senator LANKFORD Mr Ly thank you very much Mr Zanni TESTIMONY OF JOHN ZANNI 1 CHIEF EXECUTIVE OFFICER ACRONIS SCS Mr ZANNI Chairman Lankford Ranking Member Sinema Members of the Committee it is an honor to join you today Ranking Member Sinema thank you for the invitation to come discuss the particular challenges associated with telework I appreciate the opportunity to share my insight informed by more than 25 years in the cybersecurity field and a remote worker myself since 2020 including in my current role as CEO of Acronis SCS an Arizonabased company dedicated to meeting the unique cyber protection needs of the U S public sector As COVID–19 spread IT teams had the unenviable job of enabling secure telework capabilities at an incredible breakneck speed Today’s typical home includes a mix of work and personal laptops smartphones and network-connected toys and appliances all sharing access to standard Wi-Fi router with basic security configurations With telework the IT help that we all take for granted in an office are greatly reduced With increased dependence on applications like Zoom Teams and WebEx that has presented new risks as well people tuning into calls from devices on unsecured networks 1 The prepared statement of Mr Zanni appears in the Appendix on page 56 10 However adhering to a layered ‘‘defense in depth’’ approach to cyber hygiene that adopts relatively simple processes and tools like ours significantly diminishes the dangers of remote work As the CEO of a cyber protection company when this pandemic started I had two priorities First ensure the physical and digital safety of my employees That was paramount Then continue providing solutions that help our public sector customers stay secure On the tech front we were well-positioned for telework Similar to how the medical field uses vaccines diagnosis medication surgery and research to treat illness we implemented a cyber hygiene plan underpinned by prevention detection response recovery and post-incident forensics a framework for digital resilience that I would recommend for any organization For Acronis SCS that plan includes zero-trust architecture leveraging next-gen firewalls segmented networks multi-factor authentication and certificate-based VPN for access to sensitive resources This posture helped us shift to telework without fear that an attack on one device would compromise the whole company Beyond technical factors we have taken a holistic approach to ensure the safety and productivity of our workforce We have reimbursed employees for at-home office equipment purchases disbursed monthly Internet stipends and ensured our health insurance supports telemedicine and mental health services We also host virtual town halls and social hours to keep our more isolated employees engaged and have flexible schedules for those balancing work with at-home family obligations We doubled down our commitment to provide software that meets the U S public sector needs whether keeping mission-critical assets running with our hard and backup software or protecting endpoints with Acronis SCS Cyber Protect Cloud While telework has certainly exposed new risks it has also spurred urgency and I want to thank the Committee for its work on this front Chairman Lankford Ranking Member Sinema you have been both instrumental in educating the American people on our nation’s cybersecurity vulnerabilities and have developed bipartisan legislation to address them bills like your Telework for U S Innovation Act and the Emergency Telework Act From this legislation to the cybersecurity-focused NDAA amendments under consideration to the Defense Department’s much-needed Cybersecurity Maturation Model Certification all signs point to even more urgency across government and a more secure nation and robust economy as a result To facilitate public-private collaboration I ask you to consider making the reporting of cyber attacks on Federal State and local government agencies mandatory Similar to testing for COVID–19 if we do not fully understand the scope or the pervasiveness of the problem we cannot appropriately address it Increased telework flexibility is in our nation’s long-term future America cannot afford to relegate cybersecurity to the back burner The risks of doing so are simply too high Chairman Lankford Ranking Member Sinema Members of the Committee thank you again for the opportunity to be here today and I look forward to hearing your insights and addressing your questions 11 Senator LANKFORD Thank you very much and I appreciate your testimony We will have lots of ways to be able to pick your brain as we go through this as well I would tell you on the technology side and the video side you are taking an exceptional risk Mr Zanni of standing in front of a green screen I have already imagined how many different ways people could use that green screen and how many places they could put you right now Mr ZANNI Yes That is a fair point But I keep my private life private and watch what I say but we will see Senator LANKFORD I will defer my questions to the end of our hearing Senator Sinema has also chosen to do the same thing as well to be able to defer her questions to the end So I recognize Senator Carper for his questions now OPENING STATEMENT OF SENATOR CARPER Senator CARPER Thank you Thank you Mr Chairman To all of our witnesses welcome In fact you all have some very interesting backgrounds You have made some significant career changes and moves that one would not have expected given your early start in life I am delighted that you are here to share your thoughts with us today I am going to start with a question for Mr Zanni In your testimony you state that the modern cyber threat landscape is more sophisticated and relentless than ever before—I would agree—but that many of these threats are not new Ransomware is one example of this as these attacks have continuously posed a threat across different sectors including State and local government Educational institutions as well More recently scam emails have been a way bad actors are affecting vulnerable systems Did you hear that That sound says we just began our next vote and maybe our last vote for the day We will see It will be over in a second Maybe There we go More recently scam emails have been a way bad actors are accessing vulnerable systems while folks are teleworking How has your organization Mr Zanni handled cybersecurity incidences with employees shifting to telework and how can Federal State and local governments learn from those incidences in identifying our vulnerabilities Mr ZANNI Thank you In the context of our company we took a ‘‘defense in depth’’ approach which means a layered approach to protection No single company can provide sufficient protection against ransomware or phishing attacks or other malware Unfortunately the weakest link is still humans We are taught and trained to trust and that trust is sometimes taken advantage of Also it is impossible for anybody to keep their systems up to date instantly So by having a multilayer approach in terms of VPN multi-factor authentication having a good antivirus software having good backup and recovery good anti-ransomware you really minimize the chances of anything bad happening And if it does you can recover quickly and if you take full advantage of encryption the likelihood of any data being compromised is very low The other part I would like to add here is education Unfortunately as a society we do not understand yet the seriousness of 12 these threats and the tools that the bad actors have Right This is not college kids in a dorm room having fun These are nationstates well-funded organized crime They have the same access to machine learning and quantum computing and artificial intelligence AI that we have access to And so without bringing in the experts and the professionals and the tools and the processes to protect ourselves we just become vulnerable And so education and awareness is an absolute key component and we spend a lot of time like me here just educating and driving awareness so that people really protect themselves and not make security an afterthought Senator CARPER Thank you very much and thank you for making time to do some of that educating with us my colleagues and me A question if I could for Mr Morris This deals with coordination with an agency we call Cybersecurity Infrastructure Security Agency CISA at the Department of Homeland Security DHS Mr Morris I understand that you are responsible for managing over 16 000 U S and globally deployed personnel Is that right Mr MORRIS That is correct sir Senator CARPER Boy How long have you been in your current leadership position Mr MORRIS Current role one year Senator CARPER OK I read in your testimony that Deloitte practically shared cyber threat intelligence with the U S Government agencies cyber threats before they can cause substantial harm One of those agencies I presume includes the Cybersecurity Infrastructure Security Agency which is at the Department of Homeland Security Is that correct Mr MORRIS Yes sir We share it governmentwide and actually within the industry as well We find it is a good way to collaborate on external threats Senator CARPER OK Over the years a number of my colleagues and I worked to give DHS the resources necessary to carry out its cyber mission We are especially proud of the bipartisanship in Congress that led to the passage of Cybersecurity and Infrastructure Security Act in 2018 2 years ago Could you take a minute and talk a little bit more about your relationship and that of your colleagues with CISA and the other relevant Federal agencies that you work with Tell us a little bit more if more needs to be done to improve that relationship between the Federal Government and the private sector in addressing the current threats that we face in light of this pandemic Mr MORRIS Yes Thank you for that great question I will just say that I spent a decade working with the Department of Homeland Security both pre-9 11 and post-9 11 so it is one of the agencies that I have had a lot of experience with and it is a fantastic organization What I would say is that our cyber professionals work across the Federal Government State and local governments higher ed and in commercial organizations and we share some of the best practices that we see with all of those organizations in addition to standard threats that are occurring on an almost real-time basis 13 One of the things that I would add about some of the uniqueness of the Federal Government and governments in general is just the multi layers that are associated with our IT systems And we are noticing a significant amount of success utilizing machine learning both in our own networks and then sharing that with other government agencies The reason that that is a game-changer is the volume that you have to go out and see on a regular basis and that must be monitored on a regular basis is quite frankly too much for a human to do in any realistic manner and so machine learning is starting to transform the way that we can interact with all of these layers of network going forward I think that is a game-changer for agencies in general to better utilize Senator CARPER All right Thanks very much My time has expired Thank you all Mr MORRIS Thank you Senator LANKFORD Stick the landing Senator Carper I appreciate that I am going to ask a couple of questions and then I am going to defer on to Senator Rosen and Senator Sinema because I will have to run and do a second vote just like Senator Carper is going to have to do here in just a moment as well So we will switch back and forth But I do want to ask Mr Ly you mentioned about school-aged children and flexibility Obviously that is a unique issue right now with COVID–19 with schools being closed I want to ask you as you are thinking about let’s say a year from now are there lessons to be learned And that is a lot of what we are trying to be able to pick your brain on for all of you is to pick your brain on what you are doing in the private sector or things we need to implement in the public sector in the days ahead For school-aged children do you anticipate for telework you will handle schedules differently for teleworkers not during summertime but during summertime that may be different Do you anticipate something is going to have to change when we are not in a COVID–19 world but still doing telework Mr LY Yes Right now we have been operating pre-COVID–19 world as a remote work and telework company and so we first set expectations with every employee that the majority of their work the predominant majority of their work has to be accomplished and done during the normal business hours of 8 a m to 5 p m Eastern time which is the time zone we generally operate in and what our customers generally operate in and want to receive responses from us from We also communicate with our employees that they need to be responsive to emails to communication to their customers as well as other coworkers that have questions related to work I think the really main disruption is the reality of school-aged children at home Besides that we have been able to have fairly efficient operations as a business and also set expectations of our employees on their productivity and work outcomes That work would normally be able to be accomplished during normal work hours between 8 and 5 p m local Senator LANKFORD Right Before I transition to Senator Rosen here for her questions what I am really trying to drill down on is 14 do you anticipate post-COVID–19 lessons learned that you are going to have one type of structure for your telework folks that have school-aged children let’s say January to May and another type structure that functions during the summer with those that have school-aged children or do you just for your managers you are just basically saying be more merciful to your folks that are managing when they have school-aged children Do you anticipate there are two different structure or just more mercy and flexibility during the summer Mr LY I think there is more flexibility during the summer but as long as you empower your managers and your employees to make decisions that work for their families but also allows them to accomplish their work outcomes and that those are clear for them then what we find is generally our employees are very flexible with their own lives because they appreciate the flexibility they are being given So with the responsibility of being able to work from home they take that seriously and they flex their own personal lives to be able to get their jobs done as well as the needs of their families Senator LANKFORD OK Fair enough I want to recognize Senator Rosen for her question time and then Senator Sinema will follow her directly after that OPENING STATEMENT OF SENATOR ROSEN Senator ROSEN Thank you Chairman Lankford for waiting for us to come back from votes I really appreciate it Thank you Ranking Member Sinema This hearing today of course it is such an important topic It is on the minds of every single person I know whether you are a worker a business owner This is one of the many challenges that we have today So I am so glad we get to come together in a bipartisan way to figure out how we are going to support businesses as employees migrate to some form or fashion of telework and what kind of flexibilities do we all need to be able to make this happen I want to focus a little bit on cybersecurity and of course the pandemic We have forced many small businesses now to transition their workforce to work remotely and we know the challenges it faces is sometimes you do not have the right Internet you cannot get on the phone signal whatever those things are Our companies had very little for planning before having to shift quickly from inperson work to telework So of course we know there is no shortage of hackers out there They see this as a prime opportunity to just pounce on and potentially steal information get inside someone’s place of business They want to exploit those gaps in security targeting individuals on secure devices or networks Many of them are now using things from home that are not secure in the same way their space may have been at the office And so Mr Zanni can you talk a little bit about the major cybersecurity challenges that small businesses are facing when they transition Are the current programs at DHS and Small Business Administration SBA do you think they are enough to help us get over kind of this hump of having to figure all of this out What can we do to help fill the gaps as everyone needs to navigate this 15 Mr ZANNI So I thank you for the question Prior to my tenure at Microsoft I was actually a small business owner a single restaurant for over a decade so I have a particular affinity and love for those people who work very hard day in and day out to support their families The first thing is that for small businesses it is still way too complex to figure out how to protect yourself against cyber attacks Part of that challenge is of course with the industry itself and that includes me Part of it with the government providing clear and concise guidance on how to protect yourself It is not that hard It is just very confusing today We are fortunate We follow a lot of the government guidelines But as you know if you have ever read a National Institute of Standards and Technology NIST guideline they are not twopagers right and it takes some expertise to really go figure that out So I think what the government could do better is first awareness and education on how this threat is real Just like none of us would leave our house with our door unlocked or even remove the locks and leave we need to show people that you need to have cybersecurity as top of mind And even the smallest business is not exempt In Arizona a small school district was attacked a K–12 school They said ‘‘Why did they attack us We are nobody ’’ They do not care And then the other one is really providing concise guidance right It really is just about keeping your system up to date having the right cyber protection tools and some people to make that happen Just like you have made it very easy for me to recycle trash which I know is more of a physical piece but it is that same concept and there is some work we could do together there Senator ROSEN I appreciate that I appreciate you being a former restaurant owner I would love to chat with you about that because in Nevada we love our restaurant and hospitality industry for sure But I want to thank you for your answer because 99 percent of businesses in Nevada are actually small businesses My office we have heard from hundreds of them We have connected with every Chamber of Commerce our small business directors done over 100 webinars I have been on many of those with them I want to really ask the business owners the businesses represented on the panel if you did not turn to the SBA or to NIST or some of those where did you turn for information to maintain your cybersecurity as you were transitioning So Mr Wilson I guess we will let you go first and then Mr Morris and then Mr Ly please Mr WILSON Thank you Senator Yes I mean we are not a very small business so fortunately we have a very robust IT department and they were able to transition us in the means that we needed to So probably not the best one to answer that question for you Senator ROSEN Mr Morris No response Mr Ly Mr LY Right Because we handle accounting work and we often have access to financial information related to our customers we from the beginning have implemented cybersecurity protocols that 16 are very secure The weakest link in most remote organizations is what we call ‘‘endpoints ’’ Generally they are mobile devices or laptops that are either provided by a company or brought in by an employee themselves And it is ensuring that the security protocols are set up as well as virus protection malware protection and Internet security suites are preloaded onto those devices as well as ensuring that employees’ homes and the networks that they are on are protected and secure and that they are using VPN software when they are entering into areas that are unsecured like public Wi-Fi settings if they are planning to do work from a location that is not their home location Also the more pure cloud-based technology you can leverage in our opinion the better mainly because then documentation or confidential documentation is no longer sitting on those devices but instead sitting in the cloud in the Internet and accessed through Internet software Internet-based software and that is primarily the practice we have used And so we leverage accounting journals technology journals and websites that allow us to ensure that we are setting the right security protocols for ourselves and consulting also our clients on the best practices as well Senator ROSEN Thank you I appreciate that I know I am just about out of time so I am going to submit this one for the record But I think about the costs associated with migrating to telework and I think about the capital investments that can make that may spur our economy Those are those one-time investments that we are going to do to bring all of our systems up to speed or create that personal protective space we might need even if people come in or buy laptops hardware software and the like versus the normal operating expenses And perhaps Congress can think about how we help you with the one-time capital expense so people’s businesses can continue to operate and that can take it off their daily books if you will So we will look forward to seeing those answers Thank you Mr Chairman Senator SINEMA Presiding Thank you Senator Rosen Hi It is Senator Sinema again and my first question is for Mr Zanni and Mr Morris Successful telework is dependent on reliable high-speed Internet and as a member of the Senate Commerce Committee I have repeatedly called for future coronavirus relief legislation to include a long-term plan to invest in broadband infrastructure ensure we have the appropriate regulatory framework develop better coverage maps and utilize Federal resources effectively My State in Arizona ranks 51st for rural fixed broadband deployment and three-fifths of rural residents have no access to ground-based broadband So folks in Arizona frequently tell me the service that exists is often unreliable Given that both of you highlighted these types of broadband challenges in your testimony what advice would you give to other employers seeking to expand telework those who face similar challenges Mr ZANNI This is John and I could take the first one if that is OK 17 Senator SINEMA Great Mr ZANNI OK Great Thank you So first I do want to emphasize that we do need to solve the lack of broadband access to rural populations because that is critical Today if you do not have access to broadband in most businesses you are at a competitive disadvantage Having said that there are ways around it until it becomes available There are products like ours that are optimized for low broadband situations where they are using smaller agents a lighter footprint combined solutions to not use as much of the network Even the teleconferencing software you will see a very big difference in low broadband situations if you are using Zoom for example versus Skype And so being able to make sure you identify the tools that work best in those situations you can still be quite productive We need to solve the problem of not having broadband access to everybody Mr MORRIS And this is Sea´n Morris Ironically you may have noticed my picture went away for a moment there about a minute ago and actually the power went out in my house and so it reemphasizes the importance of actually having a backup which I think is incredibly important Bad things do happen sometimes sometimes on a world stage I guess as well But in any event what I would say is I completely support John’s comments previously We have to invest in our broadband technology for all aspects of our country and not just the populated cities but the rural areas as well We put ourselves at a competitive disadvantage against other European countries for example that have made significant investments and are leaps and bounds ahead of us in many instances and are better able to take advantage of things like 5G in the future Backups are important at the end of the day as I proved just a moment ago From a Federal employee perspective one of the things that we have done while it is not perfect when broadband connectivity is down or not available in particular in one of four locations that I referenced in my opening remarks every one of our employees is issued a smartphone which enables a hotspot to work and provides some levels of connectivity It is actually very good These days it is 4G and moving to 5G Senator SINEMA Thank you so much My next question is for first Mr Ly—I apologize I think I pronounced your name wrong at the beginning of our hearing—and then also for Mr Morris Whether a company is a small startup or a large multinational firm individual employees are its backbone Social interaction in the workplace is not only helpful for professional development but also in cementing the relationships inherent in creating a team So what steps have you taken to ensure that your employees continue to feel fulfilled and supported while teleworking and have you discovered any tools available to help employers enhance and maintain that camaraderie amongst the workforce Mr LY Yes So thank you Senator Sinema The tools we use we leverage technology to allow for that consist connection to be recreated virtually that normally happens in an office It starts on day one when an employee begins and starts with their experi- 18 ence with onboarding into a company and their experience with HR We leverage video technology such as Zoom and then an internal communication tool such as Slack that replace traditional email but allow instant communication between employees and allows us to create spontaneous meetings and interactions and collaboration that normally happen within an office We also require that every employee has a touchpoint throughout the week with either a supervisor or a coworker so that they have regularly scheduled times in which they are connecting in with their team virtually Because again you are trying to compensate for as you said in-person times that happen throughout the day and we cannot overestimate the amount of social interaction that continues to occur and the health and well-being that helps with that So we are very intentional about that scheduling that throughout people’s calendars and making that a part of an employee’s work responsibility throughout the day and throughout the week Mr MORRIS I would just add I agree with those comments We have invested significantly in what we call the employee experience throughout the life cycle of an employee’s time at Deloitte and we did not want to lose all of that investment when we went into this full telework environment And so we have transitioned to almost everything we do for employee experience to a technology and online platform And what that has allowed us to do is not lose that culture of heavy investment in our employees One of the core aspects of our culture is to give back to our communities We give a significant amount of our time and money to pro bono efforts as an example across the country And we have moved our pro bono activities our social impact activities to those online platforms that we have many that are very similar to what was previously shared So at the end of the day the best practice here is do not stop investing in the employee experience Move it if you can to these platforms and that culture will continue to thrive and adapt Senator SINEMA Thank you Just a quick follow-up on this topic Are there specific actions you would recommend a company take regarding telework during a pandemic when feelings of fear and social isolation are often exacerbated Mr MORRIS Yes I will just add that what we did was we encourage our individuals to take time off That is a challenge that we see at the moment across industries The other thing that we did was recognize that well-being is both physical well-being and emotional well-being And so we gave 80 hours of time off in addition to sick leave and personal time off So there is a steady focus on that working from home does not equal working all the time Senator SINEMA That is an important point My next question is a follow-up on kind of building off the question that Senator Lankford asked earlier for Mr Zanni and Mr Morris I have heard from some Arizona companies that perhaps the chief challenge with teleworking right now is the closure of most of our schools Parents are managing their children’s education needs while also juggling their own work responsibilities And as we have seen this requires great flexibility on the part of companies and families 19 So what specific recommendations might you have for companies or for families on how to set up or expand a telework plan so that people can both manage being a good parent a home-school teacher and a good employee Mr MORRIS John do you want to start Mr ZANNI Sure Yes that is an incredibly hard problem to solve especially some of those families live in smaller homes And it is not just about the child or the dog coming in and interrupting you during a meeting It is the worrying even when you are in a meeting are they going to interrupt you When do I get a break The best we can do is first really send the message to these families that as an employer we are here to support them and support flexible work hours and take the time off that they need I have one my head of sales He came to one day and just said ‘‘John I need to take 3 days off I need to give my wife a break so that we do not go crazy ’’ And of course I said ‘‘Immediately ’’ Longer-term we have to think about how these workers can somehow segregate themselves or separate themselves enough to not be as distracted or find the right work-life balance I have seen hotels offering rooms during the day now for telework I am sure there are other options that will come up But we need to think together how to do it But the first thing is really—I have made sure for me one-onone calls from my head of HR that everyone in my organization knows family first If you need a break take it Senator SINEMA I appreciate that Mr MORRIS Thank you Senator I would just add that the training does start from the top and that is absolutely a lesson learned that we have had in Deloitte The other thing I would say here is that yes it is families with children My wife and I are certainly examples of that Yes it is very challenging But it is also other circumstances and I think it is important to note that in diverse employee networks that could be an aging parent that could be a pet that is sick There are a whole bunch of things that it could equal One of the things that we have focused on is this concept of courageous conversation So very open authentic conversations with senior leaders in the firm to really get the tone and the culture out there that you can actually ask for time off It is not looked down upon In fact we would like you to share what is going on in your life so that we can adapt our processes and our policies And we use various communications techniques as well as surveys as a way to get that information and feedback to tailor our programs and our processes Senator SINEMA I appreciate that Mr Chairman thank you and I yield back Senator LANKFORD Presiding Thank you All right So going back again to the basic of this whole hearing We are trying to gather ideas from you lessons you have learned so that when we are writing legislation or working through policies for the future for Federal agencies we need to learn what you have done We will gather obviously what they have experienced in the last couple of months and try to apply it to policies 20 So let me ask some very basic questions All of you have been through this in different forms for a while but this is a very different type of year I have heard quite a few companies say ‘‘Well you know what We are finding good success in teleworking more so than we thought we would ’’ and then they put this caveat in there ‘‘except when we are hiring new workers ’’ Because the people existing and teleworking now that you have added so many that are teleworking they have previous relationships they are used to collaborating But when you add a new person or a new group of people into this trying to learn from each other figure out how to collaborate integrating into the culture of your business that is a very experience when all of their experience has been telework and all the people that physically collaborated now do not know what to do with this new person that is teleworking So let me pick your brain on this a little bit For the long term are there lessons that we can gain from this on integrating new people into your culture when all of the relationships are telework relationship Any or all of you can answer that If you have input for that we need it Mr LY Yes I can start with that because we hire the majority of our employees in that way remotely employees I have never physically met or been present in the same room with So it first starts with thinking through your onboarding experience or your employee your day one experience And most important for us at Reconciled was what is an employee experiencing in the first day first week and first 30 days of being here and how do we set them up for success So we leverage technology to do that We created a dashboard where we literally outline all the different steps of what they are going to experience in those first 30 days what their different days are going to look like the training they have to go through online We require every employee to set up video meetings with others in the company even if it is not related to their work just so that they start interacting with other co-workers and other team members in the company We also have required meetings with different managers different leaders in the organization and they do go through a pretty thorough video orientation with the head of HR as well as their managers several times that week during the first few days So it is important to think through intentionally what is an employee experiencing what is it like what are things that they need to see on video what do they need to see in physical documentation what can be a quick email and really trying to create what I call like in a Disney-like experience How can you wow them even in a virtual setting And we often have employees say they feel more connected in that experience virtually than they do with most places they have worked physically So we know the results speak for themselves when we get that feedback from an employee So it is really that intentional investment very similar to what you would do to invest in the customer experience on how do you make a customer feel like they really are connected with you and can trust you You have to do the same if not more with a virtual employee Senator LANKFORD OK Very helpful Who else 21 Mr ZANNI This is John I will just second what Michael Ly said It really is about being intentional We have onboarded a number of employees since COVID First time in my life I have not met them in person quite disconcerting at the beginning But once they start we have a very robust onboarding session We have teams that keep Zoom sessions on all day so that people can interact ensure those video meetings I personally will send them a message on Teams to say ‘‘I am right here if you ever need anything ’’ So remove those layers that I am not the fake inaccessible guy And it has worked out very well for us Senator LANKFORD OK Mr MORRIS I will just add one other point I agree with everything that is being said We are being very successful in some unusual circumstances here But I would add that when we beat this virus and we get to our new normal my personal perspective is that the need for some level of in-person interaction is important for continuing to cultivate an employee experience and a culture which is why we think about our workplaces facilities in the four quadrants that I spoke about earlier It is this dynamic movement across those where you can have different experiences and different interactions Technology is a fantastic game-changer particularly right now in COVID–19 But I am a believer in some level of human interaction as well Senator LANKFORD So Sea´n you are saying that you are going to keep those four quadrants even after this that it is your expectation that you are going to have if I remember them correctly collaboration that you will have home alternative place and then there is one other the field was the fourth one if I recall correctly Do you anticipate you are going to still have those four quadrants even after this Mr MORRIS Yes Senator and it is recognizing that an employee may be doing different things at different stages in their careers so they can move around those quadrants And that we have taken all those into consideration as we are building the right platforms and we are building those platforms on that experience as opposed to the platforms first Senator LANKFORD All right Lane where are you as far as trying to be able to onboard people during this time period Any lessons that you have learned that could help us in the Federal workforce Mr WILSON Yes We are onboarding people as we speak I think this boils down to leadership frankly and intentional touchpoints So I lead a team that even before the pandemic was not on the same floor as I am here in Tulsa and the majority of the team was not even in Tulsa They were spread across four different States And being very intentional about getting them in front of leadership through town halls for example We are now doing monthly town halls as opposed to before we were doing quarterly town halls Making sure that they get a feel of the culture from the leadership and then as a leader making sure that you are having those intentional interactions with your team and also making sure that your 22 team members are having intentional interactions with themselves And then you cascade that down through your organization We probably have five six layers here at Williams So we have to make sure that our supervisors who might be managing a team of eight or nine people either out in the field or in an office are doing the same thing that they are talking to and visiting with and having collaboration sessions with their teams and also making sure that their team members are doing that And when you bring somebody new on board that is even more critical that you build in an expectation that hey you have a new team member Have you reached out to them Have you had a videoconference with them Have you talked to them Do you know anything about them Have you gotten to know them in any way And so I think it is really just about very intentional leadership Senator LANKFORD So let me delve in on this a little bit more for all four of you if any of you want to be able to answer this Has your perspective changed or maybe it has not I am interested to be able to know what that might look like that there are certain positions that you will no longer hire those within a geographic area or certain tasks and certain jobs you know that they are very capable of teleworking from anywhere in the world for that mindset but at least anywhere in the country Is there a perspective that you have that in the future there will be certain jobs that you will hire remotely find the best person no matter where they live and have them permanently work not in an office space Mr LY Yes I can speak for the accounting industry My peers who were not previously doing telework or remote work and believed that was impossible and saw what we did said ‘‘I am not sure how that is possible I have been forced to ’’ And they are finding a lot more efficiency a lot more productivity when they implement the best practices around it Senator I was watching a YouTube video of yours on YouTube I was really inspired by this daily interaction or weekly interaction you have with different people from your home State that visit D C and you have coffee with them I was thinking to myself wow imagine being able to have that kind of coffee virtually with people all over the world that are from your home State and be able to answer questions and connect with them both formally and informally And that is what we do also—that is what I recommend also for most companies who go to remote work is an example is we have a daily virtual lunchroom Anyone can jump into that virtual lunchroom Everyone has lunch or has a meal And so they can go in and interact with one another and not even talk about work or we do the same thing with coffees with the CEO I have a weekly coffee where any employees can jump in and have an informal time with me As Lane said all those interactions take leadership it takes modeling and brings kind of that aspect of the culture that you are trying to build that normally happens in an office But there are definitely roles we are hearing from clients as well as from peers in the accounting industry which is very slow to move in regards to technology that are surprised at how well it is 23 working and how now they are expanding the different locations they are willing to hire from Senator LANKFORD OK That is helpful Let me ask about meritbased affirmation Some of that is remote working It is harder to be able to stop by their cubicle or stop by their office compliment them on the work that they are doing That has to be a very intentional thing for a leader to manager to be able to do in that situation It is also when we talk about raises when you talk about promotions it is difficult to be able to do when you are not interacting with that person when you are literally getting data about that person’s performance rather than interacting with them to be able to know what they are doing How are you handling merit-based affirmation whether that be promotions raises whatever that may be Mr WILSON Senator this is Lane again It is sort of much of the same I insist that all of my performance reviews and all of the performance reviews of my team if the person is not there in your office and obviously they are not now that has to be done by videoconference It has to be done face to face You need that interaction and I think even after this pandemic is over if you have people that are working remotely as Sea´n said I think you have to get them all in together on an occasion and it is obviously better to have those discussions in person But if you cannot adding the face on the video is a big benefit Senator LANKFORD Yes Are you adding some sort of metrics that you are trying to track performance with or how are you handling that Is there a piece of software that has been useful to you to be able to evaluate the performance or quotas whatever it is that you are putting on individuals in the field to be able to know customer service responses How do you manage that Mr WILSON Yes So we have used that sort of collaborative software for a very long time in terms of our sales representatives the people in the field who are supposed to be interacting with customers From a high level in the office environment with lawyers HR professionals accountants that sort of thing we do not get down to the individual level There may be some privacy issues you have to think about there But we do track that on a very broad level As I indicated in my testimony we have been able to get a pretty good handle on the fact that our employees are utilizing this collaborative—the teleconferences the chatting that sort of thing— on a much higher rate than they were before And that gives us some comfort that these interactions are occurring Senator LANKFORD OK Other input from other individuals Mr ZANNI This is John I can add that my experience has been that employees really like having ownership and measurable goals right because it sets expectations appropriately In most cases when you cannot assess whether people are doing their job are not part of the problem or even in some case most of the problem it is the manager themselves who have not really thought what they want them to do and how to measure it It is hard but once you do that then these questions of ‘‘I have not heard from James Lankford in 2 days I wonder if he is actually working ’’ they come up very rarely because you just look at the results or the output 24 And so that is what we have focused on and it has been pretty effective Senator LANKFORD Good By the way I know James He is working Mr ZANNI OK Good Senator LANKFORD Anyone else Mr MORRIS Senator I would just add and I referenced this in my opening remarks that designing a performance management system that is built around regular interactions between a supervisor and an employee is a builder of trust at the end of the day I think setting goals and reevaluating those goals through that system where you are having regular conversations and using data around it is incredibly important What I would also say is making sure that those goals are balanced We like to think of them in not just quantitative terms which is where it is easy to count but also in qualitative And concepts like leadership and agility and looking at aspects of 360-degree feedback All of these are important aspects to build that trust between a supervisor and an employee in a sort of modern performance management approach Senator LANKFORD OK Let me ask this Several of you in your written testimony or in your oral testimony talked about increasing need for IT professionals cybersecurity John you mentioned specifically the challenge of people working from a home system that you have no idea how that router was actually set up the security settings that are there They are working in unsecured networks at a coffee shop at some point There are a lot of cyber challenges there Are there any lessons learned that we should be aware of on the Federal side that we could implement Mr ZANNI I will start Absolutely So I am glad you brought this up because one of the biggest challenges is there is a lack of cybersecurity experts within the country Today there are over 600 000 open positions about 50 percent more than before COVID And without the people—you have people processes and product—without the people you will not be able to implement a good secure solution And so where the Federal Government could help is getting those people trained For example one of the—I still believe in this but I actually created a charitable foundation called Acronis SCS Vets specifically focused at taking our U S veterans and military spouses getting them the nationally recognized certificates they need to get self-sustaining jobs in cyber So it is a reskilling effort It has been very successful Unfortunately my numbers are nowhere near to where they need to be to impact 600 000 people This is an area where I think the government can help a lot in providing cyber training to individuals who need to be reskilled or are willing to learn them to go work for all these businesses Senator LANKFORD OK Other input from others Michael I think you mentioned this as well in your statement Mr LY Yes I think the one thing is as much as you control the endpoints—the laptops the mobile device that your employees are using—I would be hesitant to allow too many of your employees to bring their own devices because you have less control unless you 25 make them basically sign the device over to your company or over to your organization So as much as you can basically protect secure the endpoints as well as their home networks is important And then monitor and make it really clear that employees need to let you know when they are traveling or when they are planning to work at a different location other than their home network because that is where also cybersecurity threats and accidents happen where they are in a public Wi-Fi setting they are in the airport working they are in a coffee shop working and those networks are not secure and they forget to turn on their VPN like required So just making sure that you have technology that alerts you when employees are in different Internet Protocol IP settings or locations that are unsecure and making it really clear that there are strict standards that your company is going to abide by as people work and do remote work and you want them to do it securely and correctly And then who also they give access to their devices to So often you give them a laptop and then they allow their kids or maybe they allow a partner or a family member to use it for web browsing or gaming You want to make it really clear that those devices are for work and that any other kinds of software or activities should be prohibited so that it reduces the amount of cybersecurity threats even for a small business Senator LANKFORD So is there lockdown software anything that you have that prohibits someone from getting online without using the VPN or does not allow them to be able to download applications without having an administrator log in or setting that you have created on that I am still interested in if they have a company laptop but they are on a home Wi-Fi system Their router may be 4 years old and unsecured Do you require that the company also installs their router at home Mr LY Yes So you want to make sure that you provide one a stipend to cover the costs for all those things or you yourself as a company cover those costs and two ensure that those are installed correctly with password protection that is secure as well as that the laptops themselves have updated virus protection on a regular basis And there is software that we use to be able to do that to the computers that we have given to our staff Senator LANKFORD OK Mr WILSON Yes Chairman Lankford a couple of things So when I was with the Judiciary I do not know if it is worth visiting with them or not but we were already unable to add software to the laptops that we were provided by the Judiciary We here at Williams have VPN always on so there is no choice If you are on a wireless network you are VPN’d into the network Then finally I would just say record Michael’s last answer transcribe it and get it out to every Federal employee who is working at home Senator LANKFORD OK We will see if we can actually get that done That is very good advice That is why we are gathering things at this point Let me ask a question about personally identifiable information PII All of you are in businesses that you are dealing with some 26 information that individuals obviously some more than others in accounting and background and such I will give you an example The State Department earlier this year in March April May June just stopped doing passports at all They had no system in place that if someone needed a passport their passport expired whatever it may be they just could not get it because there was no structure in place with the State Department to be able to handle that kind of document in a remote setting And so the alternative was just stop doing it We had about 1 7 million passport requests just back up immediately Obviously State Department is reevaluating that at this point trying to be able to figure out how to do that Multiple other entities whether it be the Internal Revenue Service IRS everyone else multiple agencies in the Federal Government deal with very private or proprietary information through processes Anything that you would say in particular dealing with documents dealing with items that are personally identifiable information that you would teach the Federal Government to say ‘‘Here is something to know about this and how to be able to protect that information ’’ even if someone is working remotely Or would you say there is just no way to be able to do it current technology we just cannot handle it Mr ZANNI Well I will start I have learned in software you can never say that you can do everything perfectly but there are ways to mitigate the risk First the Federal Government has a great standard called Federal Information Processing Standards FIPS 140–2—there is a 140–3 coming out here shortly—which is about how to use encryption both at rest and in transport to protect data We have FIPS-certified product At my company I bought FIPS-certified routers from Palo Alto Networks So first just implementing those standards will radically reduce the risk that personally identified information leaks And that to me is straightforward The other thing is segmenting networks and using that zero trust model where you control who has access to that information I am the CEO of the company If you are one of my customers I cannot get that information because I do not need it on a day-today basis If I want it I have to actually go make a request So somebody can take these images and my voice and pretend they are me but they still will not have access because I just do not have access So there are a number of things you can do that reduce the risk to almost zero Senator LANKFORD Other input OK Let me move on to another question then on this There is a lot of conversation about telework that is in the efficiency standard and most often it goes toward physical footprint leased space your owned space in a headquarters building at some point There are some people who will make their decision based on a footprint space and what costs just depending on the cost of real estate in a particular area In Washington D C obviously real estate is exceptionally high But if you get into Oklahoma City and Tulsa and other places around the country it is not a high cost And so companies will make different decisions based on telework 27 My question to you is more than just physical space leasing or keeping that space open and paying the utility bills for it are there other areas of efficiency that you look at to be able to decide if I am going to have a particular person teleworking they are more efficient they work better in a home setting or in a third location if I can say it that way at some point than they would in an office setting where they are just as efficient if that and so we find other efficiencies or reasons to be able to have someone telework Mr LY Yes I can answer this one Before the pandemic and still even now unemployment in the accounting industry was very low It was lower than the historic unemployment of the country so it was lower than that And so one advantage to telework—and we actually did not decide telework regarding footprint—we chose it because we wanted to access the talent nationwide We wanted to be able to combat against the lowest unemployment rate that we were seeing historically in accounting and finance And we were able to access a workforce that traditionally cannot go into physical office and that is stay-at-home moms So these are moms that need to be available for their school-aged children they are doing drop-offs and pickups they have a 4-to 6-hour window during the day and then they might have some flex time in the evenings or weekends to do the rest of their 40-hour week That allowed us to access a workforce that normally would not show up on unemployment rolls or not looking actively for work traditionally in the accounting field And so that is why the majority of our workforce actually is made up of stay-at-home moms and dads who want an alternative to the traditional workplace So I would say for sectors that are looking for access to larger— access to more nontraditional workers or access to workers that would not normally apply for your job this is a huge advantage for us in the private sector Senator LANKFORD OK So what I have learned so far from the hearing today is we desperately need accountants and we desperately need IT folks around the country So if anyone is 21 years old and listening we have two good career fields for you right now Other ideas or other thoughts about efficiencies or reason to do teleworking Mr MORRIS Senator I would just add that I think challenging ourselves to re-architect the job type in the first place is an important thing to think about So for example thinking about a crowdbased model to solving particular challenges that an organization has as opposed to one individual working for 40 hours a week in a more traditional setting I think could have significant efficiencies Somebody referenced earlier the State Department and the U S military and if you look at crowds associated with those two organizations think about spouses in those two organizations those are usually underemployed individuals that have a lot to offer that could provide significant efficiencies to the U S Government using a different talent model Senator LANKFORD OK Mr ZANNI I would also add that the younger generation—well my generation or at least me think of telework up until COVID as a privilege not a right The younger generation just expect it 28 right I am always connected I should be able to work wherever I am So security concerns aside similar to Sea´n if you want access to the best talent and the fullest employee pool you are going to have to enable telework Senator LANKFORD OK Lane I want to ask you one more quick question and then I am going to try to wrap this hearing up and get final input from everyone Lane you have to deal in the field with issues of rural connectivity I know we have already spoken about broadband before but other solutions and options that you have seen or that have been explored whether it be satellite Internet whether it be phone hotspots and other things Is there anything else that you want to be able to contribute in dealing with areas where it is more difficult to be able to get access Mr WILSON Yes I think you kind of hit the nail on the head and somebody else mentioned earlier the hotspots So when we have somebody in the field that cannot get good broadband access—and there is no doubt in rural areas in Oklahoma and really anywhere in the country the broadband access is not as good it is not as robust as it is in more urban areas—the hotspots are the best solution that we have found A not-so-optimal solution is just not use the video but obviously we would prefer to be able to use that But I think that is the best solution right now until we get the better broadband service into rural areas Senator LANKFORD Yes Let me try to wrap this up if I can Any input that anyone has—let me open this up to a very open-ended question—any input from anyone that you want to make sure that you recommend to the Federal workforce regardless of what agency it is when they are thinking about telework to consider this in the process to be able to make sure we get it on the record Mr LY The only final thought I had was because this is fairly new to many Federal agencies to think about this as small teams So from large organizations to small companies everyone can look at their workforce as a make-up of small teams with managers supervisors and a small set of employees If you are able to apply these practices in small teams then it makes the idea or the hill to climb a lot smaller and it seems a lot more doable So think of small teams of half a dozen or less where there is a supervisor or a leader in their small team and you are practicing remote work proposals that we have all stated and the security protocols needed in that It allows for better communication better accountability and quicker response time as well as agility to move if you need to make changes during the pandemic Senator LANKFORD OK Good input Anyone else Mr MORRIS I would add just one thing and that is that humancentered design is so important when we are thinking about adapting policies changing processes and different technologies So really putting the lens on the human as we start to think through these changes is a best practice Senator LANKFORD OK That is helpful Mr ZANNI And this is John I would add as a Federal Government thinking about some standards or best practices around telework and securing telework You have heard a lot of great antidotes here but there are a lot of small businesses especially and 29 other agencies remote cities that could use that guidance in a way that is easy for them to consume Senator LANKFORD OK Thank you Lane any final comments Mr WILSON Yes I mean look it is just so easy to fall prey to out of sight out of mind And I think our biggest challenge especially in a workforce the size of the Federal Government’s workforce you have to get your leaders to understand that as we move to more of a teleworking environment they have to keep up those touchpoints I know a lot of people have said that today but that cannot be overstated Senator LANKFORD Does your management structure have to be smaller Lane at that point Do you have fewer people that you are managing through telework or does the same ratio still work Mr WILSON Yes I really have not found that to be the case I mean you gain some efficiencies like not commuting back and forth You pick up some time here and there People are more motivated oftentimes when they work from home Some people are not But we have not found that we have had to reduce those ratios as long as our managers and supervisors and leaders are being efficient and proactive Senator LANKFORD Yes Quite a few people that I have talked to have said they have increased their efficiencies dramatically in their workforce because they do not have the travel time they do not have other social distractions at work They were able to just plan their day a little bit differently and quite frankly get up get going They have more time to be able to read the paper catch up on news catch up with their family and not commute and then start on time and take off And less stress depending on the city that you live in and what your commute is normally like back and forth That is a pretty significant change for them Plus it is really nice for parents of small children They are wonderful distractions but you also get a chance to see some things that you would have missed just in life with them So there are some built-in rewards there as well with the little ones that are running around Any final comments from anyone Otherwise I want to be able to wrap up and I want to make sure I get anything else on the record that we need on the record Mr WILSON Thank you for your time Thanks for having us Mr ZANNI Thank you Senator LANKFORD Gentlemen thank you very much I very much appreciate as I mentioned before your written testimonies— a lot of time went into that—as well as your oral testimony I want to tell you that the invitation is open if you have additional input to be able to give to our team as we are trying to be able to pull together ideas and policy changes for the Federal workforce The last time this was done was 10 years ago Obviously there are a lot of lessons that have been learned and we want to make sure we capitalize on those lessons and to be able to implement those as fast as we can across the Federal workforce in the days ahead So that does conclude today’s hearing The hearing record will remain open for 15 days until the close of business on August 12th for submissions statements questions on the record whatever individuals may want to be able to add to the record as a whole 30 So with that the hearing is concluded and I thank all of you again very much Whereupon at 4 06 p m the Subcommittee was adjourned APPENDIX 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 Æ