
Testimony from Beth Anne B. Killoran on The Federal Information Technology Acquisition Reform (FITARA) Scoreboard 4.0 before Committee on Oversight and Government Reform

Subcommittees on Information Technology and Government Operations
Tuesday, June 13, 2017 - 09:00

Good afternoon Chairman Hurd and Meadows, Ranking Members Kelly and Connolly, and Members of the Committee. Thank you for giving me the opportunity to discuss federal information technology (IT) and to describe progress of the Department of Health and Human Services (HHS) in implementing the Federal Information Technology Acquisition Reform Act (FITARA).

Leveraging IT to Support Mission Outcomes

Since the passage of FITARA, HHS has enhanced the roles and responsibilities of the Department Chief Information Officer (CIO) with regard to planning, programming, budgeting, and execution of IT solutions and services within the agency.  HHS is committed to implement Department IT priorities in a cost effective, efficient, and high quality manner to best serve HHS’s beneficiaries and American taxpayers.

FITARA implementation is not just about HHS’s CIO authority.  Our IT efforts support an agency with an annual operating budget of over $1 trillion, representing almost a quarter of all federal outlays, and which administers more grant dollars than all other federal agencies combined.   Through a shared commitment among the HHS CIO, Chief Financial Officer (CFO), Chief Human Capital Officer (CHCO), Chief Acquisition Officer (CAO), and the HHS mission and program communities, together we manage approximately $6 billion HHS agency IT annual spending.  HHS CIO fully participates in the management and governance of the agency’s entire IT portfolio comprising major investments of its 11 Operating Divisions (OpDivs) and more than 20 Staff Divisions.

HHS, the largest civilian agency in the Federal sector, has made great strides under FITARA by ensuring IT is acquired and managed to enhance and protect the health and wellbeing of all Americans.  Through this partnership HHS leadership strives every day to strategically leverage IT to fulfill HHS’s mission to provide effective health and human services and foster advances in medicine, public health, and social services for the nation.

Overall FITARA Implementation Progress to Date

HHS’s FITARA implementation strategy and progress to date is best characterized by the words:  collaboration and dedication.  HHS recognizes the intent of FITARA goes beyond processes, policies and reporting requirements.  It is about establishing a collaborative culture in which all facets of the organization recognize their roles and responsibilities to acquire and manage IT in the most effective and efficient manner possible in order to drive mission outcomes on behalf of the people we serve.  Under this fundamental premise, we have employed a proactive strategy to address programmatic risk; promote transparency; establish clear lines of authority; foster innovative and incremental development; leverage cloud technology; and, invest in our IT workforce.

As a result, HHS has accomplished the majority of the goals we outlined within our FITARA Implementation Plan—ahead of schedule in many instances.  Of the 39 individual actions and milestones outlined in the Plan, HHS met 34 in the areas of budget formulation, budget execution, acquisition, and organization and workforce.  

With such a diverse portfolio and our organization’s profound commitment to long term cultural change, we acknowledge the significant work that still lies ahead of us in order to successfully meet our obligations under the law.  Today we appreciate the opportunity to explain how HHS has established the foundation and framework to move us forward.

HHS CIO partnership with our CFO, CAO, CHCO and HHS Operating and Staff Divisions has been critical to our achievements to date.  With this in mind, HHS has actively engaged its policy leadership on the importance of FITARA implementation by establishing a routine agenda item on the HHS Management Council.  In this venue, HHS’s Executive Leadership is regularly updated on the progress of HHS’s Office of Management and Budget (OMB)-approved implementation plan.   HHS will continue to identify opportunities for collaboration as FITARA evolves at the agency.   Through FITARA-focused workgroups across the agency, HHS continues to make strides towards fully implementing FITARA at HHS by the end of the year.

Establishing Clear Lines of Authority

One of the FITARA-related successes at HHS is the establishment of the process and criteria for delegating authority to each OpDiv CIO upon demonstrating the ability to identify, prioritize, validate and verify their non-major IT investments.  For major IT investments, HHS CIO maintains authority through an enterprise review process that better aligns Department-level IT governance bodies which assess and approve these investments.  This delineation of non-major and major investments, respectively, pragmatically acknowledges that HHS is a highly federated and complex organization, and allows for designated IT-related decision-making based on financial thresholds.

HHS issued ten delegations of authority to all the OpDiv CIOs.  Upon delegating authority, performance is monitored quarterly against the annual HHS CIO Work Plan.  Each year, the HHS CIO provides input into the performance appraisals of these CIOs to the director of their respective OpDiv.  The HHS CIO and the OpDiv CIOs established the Plan in order to ensure shared and transparent responsibility of HHS IT investments.  In this way, we ensure the two-way communication that is necessary to maintain accountability of the overall HHS-wide IT portfolio.

Incremental/Agile Development

Our FITARA intra-agency achievements adoption is furthermore illustrated by our commitment to incremental or agile development.  We specifically seek to deliver IT-enabled functionality, or business value, every six months.  This is accomplished through an iterative process by which requirements and solutions evolve through the collaborative efforts of development teams, stakeholders, and end-users—our customers.

The HHS Enterprise Performance Life Cycle (EPLC) policy was updated this year to include agile development.  This updated policy directs the expanded use of iterative and incremental development methodologies and reflects new authorities for CIO participation, delegation, and decision-making per FITARA.  HHS expects the updated EPLC policy to have a positive impact on the utilization of incremental or agile development methods as well as further engagement by the CIO as programs consider system development and system modification activities.   As more HHS programs adopt agile methodologies we expect to see a complementary increase in technical functionalities being delivered in more expeditious timeframes.

Financial Planning and Execution

Last year, before the House Oversight and Government Reform Committee, I highlighted how HHS is working to improve its IT program review process through the adoption of revised program risk assessment methods, combined with in-depth reviews of our major IT programs.  These risk evaluations, conducted in collaboration with our OpDivs, resulted in a number of initiatives that have resulted in improved transparency and enhanced IT governance across the agency.  For example, the Department adopted a joint CIO and CFO budget and investment review process that provides an enhanced view on how HHS OpDivs are addressing FITARA critical areas and key performance objectives.  This process clarifies IT management authorities and accountability at all levels of the Department.  The clearer delineation and alignment of IT-related efforts in program management, finance, acquisition and human resources has resulted in improved IT decision-making which better account for cost, benefit and risk.

The purpose of our budget review is to discuss with each of the OpDiv CIOs their IT budget priorities, current risks, alignment to agency priorities and status of their IT investments for the budget year under discussion.  Each meeting results with the CFO and CIO jointly deciding whether to approve, modify or reject the IT budget; the final outcome is an IT budget statement issued by the CFO and CIO submitted with the HHS budget submission to OMB.

Two key accomplishments from these reviews to date are our prioritization of cybersecurity and developmental funding; for cybersecurity this has resulted in HHS funding increasing from 1% to 4% as percentage of overall IT budget.  While HHS continues to make strides in the review of IT planning, we understand that it is through consistent engagement between the staffs of IT and financial management, and through better integration of data generated from these communities, that we can reach full FITARA implementation.

Transparency and Risk Management

When Congress passed FITARA, HHS made a significant effort to bring its TechStat process into compliance with the new legislation.  HHS reviewed its IT portfolio, identified investments in need of remediation, and worked with the OpDivs to formulate corrective action plans which addressed those issues in a timely manner.  HHS employs the annual CIO Work Plan to review OpDiv performance on a quarterly basis, helping to ensure that the IT portfolio is managed appropriately and that program risks are identified and quickly remediated.  These efforts are reflected in scoring provided through the OMB quarterly integrated data call.  HHS remains committed to maturing its risk management procedures to more proactively anticipate future project risk.

From a policy perspective, HHS improved transparency and management of IT resources through the development, publication and robust implementation of an updated capital IT planning and control policy.  This updated policy, issued in September 2016, supports visibility and reporting around major IT investments.

Finally, as the HHS CIO, I am a regular participant in HHS’s enterprise risk management discussions, which provide a Department-wide forum for HHS Executives and policy leadership to discuss and strategize on known areas of risk.  These enterprise risk management discussions are led by HHS’s CFO and are another example of the collaboration across organizational lines.  As a result of this partnership and engagement, HHS has developed and applied methodology to assess risks related to technology.  Based on those evaluations, HHS has worked with stakeholders in IT, finance and acquisition communities to mitigate those risks which may not be readily evident in our FITARA scorecard.

IT Portfolio Review

Our IT stewardship does not end with planning.  HHS proactively seeks to mitigate program risk where changes to capabilities or requirements throughout the IT investment lifecycle may jeopardize the success of our programs and missions.  In collaboration with OpDivs, HHS continues to mature its implementation of program risk assessment evaluation methods, which are integrated with our thorough reviews of large IT programs.  For example, as the HHS CIO, I conducted a comprehensive review of the IT portfolio of an HHS OpDiv.  This was an opportunity to meet directly with major program managers and the OpDiv CIO to address program-level issues, such as how the program uses IT to fulfill its mission, how it handles IT security, how it obtains funding, and what governance structures are in place.  HHS found the exercise valuable in that it provided a deeper level of insight into the IT portfolio than was previously available.  HHS plans to continue these in-depth reviews with other HHS OpDivs going forward. HHS also leverages our IT Steering Committee governance framework at both the Departmental level and at the OpDiv level to ensure visibility into and oversight of HHS’s IT portfolio.

As another illustration of our stewardship, HHS completed a TechStat review on the HHS Email as a Service investment in June 2016, based on questions of viability and direction, as well as uncertainty of scope and budget.  The TechStat review resulted in a corrective action plan with 28 items that were resolved by the end of July 2016.  HHS is in active dialogue with three of our OpDivs to determine future TechStat opportunities over the course of the year.

Another focus of FITARA on risk assessment encourages agencies to proactively address network security.  Currently, HHS is working to improve security with an initiative to identify legacy IT risk with its most critical systems, known as the High Value Assets (HVAs).  This effort is identifying the software that HVAs are built upon and software no longer supported or approaching end of vendor support.  HHS will be developing modernization plans as a part of this initiative by October 2017 to identify mitigation strategies and steps to manage the risk unsupported technology presents to the agency.  This effort intends to serve as a building block in a more proactive approach to managing legacy IT across the Department and identifying risk areas in the portfolio.  HHS leveraged the National Institute of Standards and Technology, Cybersecurity Risk Management Framework to help standardize and integrate this endeavor across the agency.  The framework is aligned with HHS’s Agency Risk Management Profile and is consistent with OMB’s Presidential Management Council (PMC) scorecard.  HHS and its OpDivs are therefore able to measure the maturity and effectiveness and provide status based on consistent cybersecurity criteria in order to manage risk.  

HHS continues to implement the tools and processes provided by the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program.  The program will enable HHS to more proactively detect and identify threats while ensuring HHS has near real-time insight into the enterprise’s most critical risks.  In addition, this effort is complemented by other tools and technologies HHS is adopting or already has in place such as leveraging shared services such as DHS’ Einstein 3A and Cyber Hygiene programs.

Data Center Consolidation Efforts

As stated earlier, we added the Data Center Optimization Initiative (DCOI) in late 2016 as part of our FITARA implementation effort.  The initiative incorporates the requirements of the law for achieving the data center consolidation and optimization.  This initiative builds upon the progress achieved through its predecessor, the Federal Data Center Consolidation Initiative (FDCCI).  While we made progress under the former FDCCI plan, DCOI required us to re-work our approach due to the changes in outcome metrics and related definitions.  These changes had an impact on our reporting and subsequent scores.

HHS published its updated DCOI Strategic Plan in April 2017.  Our primary objective is to leverage cloud-based technologies where feasible.  HHS reviewed the current inventory of Federal Data Centers and is working with each HHS component to achieve the goal of consolidating or eliminating facilities that are duplicative, inefficient, or no longer deemed mission essential.  In addition, over the last six months, we conducted reviews to better identify opportunities for cost savings and avoidance around DCOI.

This approach helps HHS to reduce expenditures on data center operations by establishing infrastructure that is able to quickly scale in our dynamic business and technology environment.  HHS increased cloud-based technology utilization from 1% of the IT investments in FY2015 to almost 19% of our investments in FY2017.  HHS is among the top five agencies in two of the six DCOI metrics as shown on the IT dashboard.

Implications for Acquisition Reform

Since the implementation of FITARA, HHS established enterprise agreements with a software service provider and a major software publisher.  The enterprise agreements that are available and used by OpDivs take advantage of HHS’ vast purchasing power by negotiating the best price for software licenses.

The HHS software acquisition effort is also informed by the Making Electronic Government Accountable By Yielding Tangible Efficiencies (MEGABYTE) Act of 2016, as well as by OMB M-16-12, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing.  HHS is enhancing its ability to inventory its software licenses HHS-wide; analyze license utilization; and report on cost savings and avoidance made possible by this policy.  This includes identifying “best-in-class” software agreements that take advantage of the best price and terms and conditions, and developing enterprise agreements that eliminate redundancies.

In addition, HHS actively participates in tiger teams sponsored by the General Services Administration focused on government-wide software publishers.  Our plan for this year is to begin development of HHS-wide vehicles for the increasing number of services that are delivered over the Internet rather than provided locally or on-site.  In short, optimally taking advantage of cloud computing.

FITARA enhanced the relationship between the Office of the Chief Information Officer (OCIO) and the HHS CAO.  OCIO is a voting member of the Acquisition Strategy Review Board where major HHS acquisitions are reviewed.  At the staff level, our teams coordinate weekly about IT acquisition strategies.  Currently, the OCIO Cybersecurity Team is actively engaged with the HHS Acquisition Team on updating standard contractual terms and conditions to ensure our organization and systems are as well prepared for a cyber-event as possible.  These engagements have bolstered a mutual understanding and synchronization of our acquisition processes.

Developing Our Staff

In terms of the workforce requirements outlined in FITARA, HHS continues to focus on improving the competencies of its staff.  HHS has over 3,000 IT professionals, but many do not have the diverse expertise necessary to support current federal IT needs including IT project and program management, architecture, or cybersecurity.  Our IT workforce is in fact the most critical part of HHS’s FITARA risk management strategy.  They are the primary resource to ensuring the health and security of our entire IT portfolio.

In response, the HHS CIO and CHCO have partnered to comprehensively address IT workforce business needs and legislative requirements while improving our ability to attract, develop, and retain world-class IT talent.  Our strategies focus on:  (1) governance; (2) workforce analytics and planning; (3) targeted recruitment, branding, and staff planning, including succession planning; (4) career development and training; and, (5) talent and performance management, including employee engagement and retention.

Through identification and definition of critical IT and cybersecurity role categories and competency requirements, HHS is growing a mature and holistic IT human capital lifecycle approach.  HHS developed a framework for competency models and career paths that align to FITARA and the Federal Cybersecurity Workforce Assessment Act.  This model is now being adopted and tailored by the Office of Personnel Management for federal-wide use.  HHS has completed eight career paths to date—one of these was for HHS IT project and program managers—and four more are currently under development.

Recently, HHS conducted an IT workforce inventory and we found that workforce shortages and ever increasing workload often create an imbalance that hinders employees’ ability to attend training or obtain certifications.  The HHS CIO and CHCO continue working to identify new methods for recruiting critical IT positions.  Nonetheless we recognize that the pipeline of IT and cybersecurity talent remains inadequate, and Federal agencies are challenged to compete in the hyper-competitive market for talent.  Complicated federal human resources processes impede our recruitment, hiring, and retention efforts. Private industry can sometimes provide more competitive compensation and this hinders HHS’s ability to recruit and retain top IT talent.  

Despite the above challenges, HHS continues to improve our current workforce skills by providing training for IT program and project managers.  HHS has trained over 1,400 personnel since starting the program in November 2015.

Conclusion

As HHS continues to move forward with its implementation of FITARA, the agency has built a collaborative, integrated business foundation which promotes comprehensive governance across the lifecycle of a project; ensures IT investments optimally support mission; assures secure IT services; achieves efficiency; and, reduces duplication by leveraging acquisition strategies and technical advancements to drive cost effective and meaningful outcomes on behalf of the American people.

HHS recognizes the need to continue strengthening standardized and transparent data sharing that is secure and enabled by IT in order to deliver on the promise of digital health:  deliver the best patient-centered health care and human services, which improve the health and well-being of every American and every community at the best cost and of the highest quality possible.  HHS recognizes and embraces the work and challenges ahead of us.  Americans expect and deserve secure, reliable, easy to use, and modern IT resources from the federal government.  HHS has established a collaborative and culture-changing foundation and framework to move us forward with confidence and in support of the mission and people we serve.

Content created by Assistant Secretary for Legislation (ASL)
Content last reviewed on October 18, 2017