Federal Chief Information Officer Clare Martorana promised the House Oversight and Reform Subcommittee on Government Operations new cyber, website and customer ...
Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Federal Chief Information Officer Clare Martorana’s time before the House Oversight and Reform Subcommittee on Government Operations on Sept. 16 lacked many of the trite lines of questioning that have usually come with federal IT hearings.
There were no complaints about the definition of a data center. Lawmakers did a nice job of keeping big “P” politics to a minimum. And concerns about specific constituent issues were mostly left out during questioning.
At the same time, Martorana, who reached her 18-month mark on the job earlier this month, kept the lawmakers at bay at least for a few more months around hot topics like cyber and customer service metrics.
What we did learn from the hearing, however, puts the Office of Management and Budget and the Office of Federal CIO on record to produce public, transparent metrics and deliver on promises in fiscal 2023.
Here are my three takeaways from the hearing:
One long-held view across the federal sector over the last two decades is agencies need more money to get out from under the technical debt.
OMB hasn’t shared a new estimate about how much truly old technology agencies are working with for at least six years. Former Federal CIO Tony Scott projected in 2016 that federal technical debt topped $7 billion.
This is why when Congress included $1 billion for the Technology Modernization in the American Rescue Plan Act, Rep. Gerry Connolly (D-Va.) and others called it a down payment.
But more than a year after receiving the money, not every member of the subcommittee is convinced that more money for federal IT is the answer.
Rep. Jody Hice (R-Ga.), ranking member of the subcommittee, raised concerns about how agencies are spending money to modernize technology and the Federal CIO’s oversight of that spending.
“There’s an underlying assumption that the vast amounts of funding somewhere in the neighborhood of $100 billion a year will somehow deliver the intended results. But in my time in Congress, at least, and certainly during my time as ranking member of this subcommittee, I’ve learned that it’s probably not wise to make that assumption,” he said. “While my Democratic colleagues claimed the source of the problem is lack of funding, I, quite frankly, reject that premise. Simply pouring more money into a black hole is not a solution. What we need is solid oversight that is backed by reliable information in order to determine the true state of our federal IT and to determine whether federal IT projects are delivered on time and on budget.”
Hice’s comment may come off as partisan given Republicans general dislike for spending more money.
But stepping back from the “politics” of the concept, OMB’s oversight of federal spending has become less transparent.
The PortfolioStat and TechStat processes from the Obama administration have been in a deep slumber for more than five years. Former OMB staff have said PortfolioStats have not been regularly performed for several years. Instead, OMB reassigned resources to other priorities.
The PortfolioStat implementation guidance hasn’t been updated since 2015 and there no public discussion by OMB about how they are using the process to address IT projects that may be in trouble. In fact, the Government Accountability Office made recommendations in 2015 to improve the PortfolioStat process and OMB implemented two of four of those suggestion with GAO closing the two that weren’t implemented.
The Federal IT Dashboard does still discuss savings from PortfolioStat, more than $407 million in fiscal 2021 alone. But there is little public evidence for how agencies achieved those savings and what OMB’s role was in overseeing those efforts.
OMB designed TechStat and PortfolioStat to bring some much needed top-level oversight to federal IT projects. At one point, OMB encouraged agencies to do their own internal oversight sessions and several did early on.
But what has happened over the last five-plus years around oversight of IT project is unclear, and that lack of transparency came out during the hearing.
Del. Eleanor Holmes Norton (D-D.C.) asked Martorana that exact question.
“Empowering CIOs and then holding them accountable for using their authorities effectively is the goal of our subcommittee through the biannual FITARA scorecard,” he said. “So may I ask you, how will you work with Congress to provide the public data and information that will help you and your efforts to highlight IT leadership and accountability?”
Earlier on during Holmes Norton’s questioning, Martorana offered some insights into how she views her role. She said the Federal CIO helps agency CIOs navigate a complex set of rules, regulations and laws that drive their operating environments.
“It is really incumbent upon this role to make sure we are playing an oversight role, that we are measuring and where we are able to that we are sharing best practices across every federal agency and CIO that I work with,” she said. “We’re all trying to solve the same problems. We don’t want to start from a blank piece of paper. So when one agency does goes on an IT modernization journey, for example, we want to make sure that we share those best practices across the entire federal enterprise.”
Hice piled on this line of questioning later in the hearing.
“You bring up your position, and with the ability you do or do not have to actually produce change. I’m curious about that. I’m going to give you three questions that I would like for you to respond back to the committee,” he said. “Question number one, can you supply this committee with a copy of your job description? Secondly, who established that position? How did the process come about that the Federal CIO position was established? And then thirdly, do other CIOs recognize this position and do they submit to your proclaimed authority? If you can send me an answer to those questions here in the next week or so I would appreciate it.”
Rep. Gerry Connolly, chairman of the subcommittee, added to Hice’s request seeking answers about the Federal CIO’s relationship with the Federal Chief Technology Officer, which is currently vacant as the Biden administration hasn’t nominated anyone yet, and how the roles of those two offices have evolved over the past decade.
All good questions from Hice, Connolly and the members because throwing more money at a problem rarely has been the answer and usually just exacerbates the underlying issues for why more money is needed in the first place.
What is the Federal CIO’s oversight role and how are they ensuring agencies are accountable for IT spending? And please don’t tell me the budget side of OMB and desk officers are the first line of defense.
Hice reiterated his concerns about the Technology Modernization Fund from the FITARA hearing in July. It’s a good sound bite, for sure. While there is little evidence or truth behind that thought, Hice, once again, highlights OMB’s ongoing challenges to communicate and demonstrate the value of the TMF.
Hice’s comments focused on OMB’s reduced requirement for agencies to repay the “loans,” and whether OMB is ignoring the spirit and intent of the TMF’s underlying law, the Modernization Government Technology Act.
“The broader MGT Act meant doing away with the types of ancient systems that still run too many of our vital government programs. In addition, the tenet of the TMF was that it would create an efficient cycle,” he said. “The Biden administration has opted for partial or even minimal reimbursements. I want to know why. It’s also emphasizing cybersecurity and customer experience projects, which in and of themselves are fine, but doing so rather than retiring old systems. Again, it’s not that these practices in and of themselves are bad, but it simply and clearly is not the intent of Congress. So why is the administration doing this? We need answers. Does the savings based model of the TMF not work? Or is it simply inconvenient? This committee needs to know and what progress is being made to retire legacy systems.”
On a side note, Hice asked if there was a definition of legacy systems, which smart folks in industry pointed out to me that yes, there is, of course. And it’s in the MGT Act as IT systems that are “outdated or obsolete system of IT.”
But going back to the TMF, questions about the repayment requirements have long been a sticking point for both agencies and Congress.
Martorana said the year before OMB changed the repayment process, the TMF Board saw only one proposal to obtain money. That may be the first time we’ve heard that tidbit about the lack of interest in applying for the TMF.
Martorana offered a few statistics about the impact and excitement over the TMF since the repayment changes and the flush of money that came in.
She said the board received more than 150 TMF proposals for projects totaling over $2.8 billion.
“The TMF Board has invested more than half of the TMF ARP funding, and – as the board continues to invest the remaining ARP funds – our goal is to balance speed with ensuring we invest in high quality, impactful proposals that have a high likelihood of success,” Martorana said in her written testimony. “Looking ahead, we will focus on targeted investment areas, such as those in the Customer Experience (CX) Allocation announced in June 2022, as well as coordinate within OMB and with other key stakeholders to set goals for the next fiscal year that better integrate agency budget requests and results.”
Martorana promised Hice and the subcommittee that repayment remains a goal for every TMF project.
“I think within the next year you are going to see such dramatically improved outcomes from the TMF projects, because we are managing them in a completely different way than we did previously by having technologists upfront in every single part of the investment,” she said. “We review our investments quarterly, if people are not hitting their milestones, we do not give them additional funding. If teams are failing at a component, we rally people together to be able to support them with the subject matter expertise that will help them be effective and efficient.”
But as Martorana shared, calculating and achieving cost savings from IT modernization projects isn’t easy.
Before becoming Federal CIO, Martorana was the CIO at the Office of Personnel Management where she tried to modernize old mainframes and eventually move the workloads to the cloud.
“The challenging part was we weren’t able to recognize the cost savings as quickly as I would have hoped. You had to start first by reengineering all of your business processes because you can’t just lift and shift and do exactly what you did on the mainframe without interrogating the way that you do business because newer systems are differently efficient, and they potentially have the opportunity for us to really leapfrog. So you want to make sure that you’re thinking about the business process and not just moving old antiquated because that’s the way we did it 25 years ago to the cloud, for example,” she said. “I had originally planned once we were able to get the new mainframes up and running, I thought we would be able to sunset the old equipment, so get rid of operations and the maintenance cost and all of the ancillary costs, and staffing that had to be burdened managing those systems. It took years of compliance activity that we needed to go through in order to actually get those offline and stop paying for both. So we were really challenged in recognizing cost savings.”
It’s clear OMB has to explain to Congress why achieving cost savings, while admirable, may not make the most sense as one key end goal. Martorana’s example is a good start, but they need about 20 more explained in grave detail so it sinks in with members.
Connolly has been on a bit of a mission to codify the Federal Risk Authorization Management Program (FedRAMP) for the past few years. His FedRAMP Authorization Act of 2021 was the first bill the House passed in January. Additionally, the House adopted the bill as an amendment to the 2023 defense authorization act, giving it another path to become law.
It’s now a question of whether the Senate will support it, and previously, the Senate Homeland Security and Governmental Affairs Committee had been hesitant, particularly Ranking Member Sen. Rob Portman (R-Ohio).
But Sen. Gary Peters (D-Mich.) and others introduced the Federal Secure Cloud Improvement and Jobs Act last fall to provide “quicker, more secure commercial cloud capabilities in government, which will improve cybersecurity and empower agencies to deliver modern digital services to citizens.” The bill made it out of committee in May, but hasn’t advanced on the Senate floor.
No matter what happens with the FedRAMP bill, Martorana said OMB recognizes the program needs to improve.
“We’re on a path to really make sure that FedRAMP is the most robust marketplace it can possibly be. But there are many small companies with innovative software that we would love to be able to have go through the FedRAMP program, but it is cost prohibitive for some of these small organizations,” she said. “We have actually asked members of my team to work collaboratively with GSA and the program team and really roll up our sleeves. We need to fix this to make sure that not only we are supporting the supply chain issues, making sure they’re secure software development, but also making sure that we can meet the speed of the need of federal agencies to have some innovative technology available to them with the umbrella security of the FedRAMP seal of approval in a way.”
What that effort will look like is unclear.
To their credit, the FedRAMP program management office has consistently looked for ways to improve the speed, but not lose any rigor of the program. That led them to developing the FedRAMP tailored process as well as the use of Open Security Control Assessment Language (OSCAL) to automate the security documentation process and speed up approvals.
Just last week, FedRAMP issued its draft Authorization Boundary Guidance, which is critical to helping cloud service providers and their security package going to the JAB. The guidance is open for public comment until Oct. 17.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.
Follow @jmillerWFED