House lawmakers didn’t hold their tongues when describing the Defense Department’s seemingly poor implementation of the Federal IT Acquisition Reform Act and what looks to be a total lack of acknowledgement of the law.
Members of the House Oversight and Government Reform Committee from both sides of the aisle expressed disappointment with DoD’s efforts. Rep. Gerry Connolly (D-Va.), ranking member of the government operations subcommittee, said the Pentagon has a “recalcitrant, arrogant management style” and “they seem to inoculate themselves from all norms of accountability and it’s very frustrating.”
Rep. Mark Meadows (R-N.C.), chairman of the government operations subcommittee, said DoD shouldn’t look for any new funding in fiscal 2018 unless it becomes more honest in how it manages its IT budget.
And Rep. Will Hurd (R-Texas), chairman of the Oversight and Government Reform Subcommittee on IT, said DoD needs to recognize they are like any other agency in the federal government and needs to do the right thing.
At the heart of the matter is what lawmakers and congressional auditors say was DoD’s decision to remove $15 billion in IT spending from the IT Dashboard.
David Powner, the director of IT management issues for the Government Accountability Office, said DoD spends about $40 billion on technology each year.
“What we understand is that it’s been classified, we believe, under the national security system umbrella,” he told the committee. “It’s OK because there is an exemption for national security systems [under FITARA] but to have $15 billion magically appear under that umbrella doesn’t seem right.”
Meadows responded saying, “It doesn’t seem right to me either. Here is what I’d ask for you to do…we are being asked to fund DoD above the $603 billion that the President has requested. In fact, some in our conference want it to be $640 billion. Take the message back to them and unless they get their heart right on this, there will be no support for increasing that. I don’t know how to make it any clearer.”
The decision to remove $15 billion from the IT Dashboard was one of the main reasons DoD received an “F” on the latest FITARA scorecard, which the committee released June 13.
“This seems hard to justify since this amount is roughly half of what the Department previously reported to the dashboard,” Connolly said. “I think my colleagues will join me in saying to the DoD and other agencies seeking to follow suit that such unjustified actions will not be papered over and will result in additional action by our subcommittees.”
DoD received “Fs” in three of the four categories—use of incremental development, transparency and managing risk and the data center consolidation initiative—and a “D” under the PortfolioStat review process.
Powner said DoD’s efforts, particularly around the data center initiative, were underwhelming. He said the military only recently submitted its data center consolidation and optimization plan to the Office of Management and Budget for approval by Sept. 30, 2016.
“The data center consolidate, DoD alone was about $4.8 billion in savings and they backed off considerably,” he said. “I think you really need to look at their IT spend. Look at embedded IT spend at DoD, weapons systems, satellite systems, I think a CIO type would really benefit some of those large acquisitions at DoD and help with the cost overruns and the lack of delivery. We’ve had some discussion recently with folks on the Senate side in terms of their authorizations committee, and we laid it on the table that when you look at embedded IT and other things in DoD, it would benefit from a private sector CIO type.”
Powner said one of the reasons why DoD may be struggling with FITARA is IT accountability is spread over too many organizations—the CIO’s office, the acquisition organization and the management office.
“Other than the CIO’s shop, IT doesn’t get the right importance and visibility,” he said.
This issue of visibility and attention to IT spending is not just a DoD challenge; 11 other agencies also do not meet FITARA’s requirements for CIO authorities.
Powner said the inconsistencies in the CIO reporting structure are part of the reason for the stalled and, in some cases, uneven implementation of FITARA.
“Half report to the secretary and half don’t. Some of those that report to the deputy secretary still do not have authorities, and some that don’t report do. It is so mixed,” he said. “If you have a major cybersecurity breach at an agency, who are you going to call up in front of Congress to answer why? It’s going to be a deputy secretary and a few others. I don’t know why a deputy secretary wouldn’t want to rely on a CIO to transform the agency into a secured agency because if something happens they will be the ones up here answering. Look at what happened at OPM, it was the director of OPM answering questions and it didn’t fare very well for them.”
When Hurd asked the witnesses from the Department of Health and Human Services about their reporting structure and who CIO Beth Killoran reports to, answers were difficult to come by.
“Ms. Killoran doesn’t report directly to the deputy or agency head, I think that’s a problem. Would you agree or disagree with that?” Hurd asked HHS deputy CFO Sheila Conley.
Conley paused and responded, “It depends.”
Hurd rephrased, “Why wouldn’t Ms. Killoran report directly to you or the agency head?”
Conley said she and Killoran are peers as deputy assistant secretaries, and both report to separate assistant secretaries, who both report to the deputy secretary.
“It’s like three people in-between the IT center and the head of the organization, would you have ever advised a private sector company to organize their organization that way?” Hurd asked.
Conley answered, “It would depend upon the span of control so if you have an organization that is headed up and the deputy…”
Hurd interrupted, asking Powner for his opinion.
“I think if we want to have CIOs as strategic partners, you have to report to the box at the top,” Powner said. “I think a key question for these agencies at the head is: What are the three things you are doing to transform the departments and agencies? Technology will be involved in that, and what’s the role of the CIO in helping us get there? I don’t think you get the right answers to those questions.”
Hurd said as OMB and agencies work toward reorganizing their missions as required by OMB, he may write a letter to all secretaries encouraging them to ensure the reporting structure of their respective CIOs meets the spirit and intent of FITARA.
“This is something that I recognize the administration thinks is important because these were some of the questions their transition teams were asking, like ‘why doesn’t the CIO report to the agency head?’ or ‘why in some agencies are there 14 people with the title CIO?’” he said. “I think as these agencies are coming into their jobs, they are realizing the buck will stop with them when it comes to any sort of cyber attack. It’s in their best interest to use this opportunity to reorganize their agency so that the person responsible for protecting the digital infrastructure is talking to them at every staff meeting.”