Lawmakers optimistic about IT reform, cyber improvements

The nomination of Shaun Donovan to be director of the Office of Management and Budget and a variety of bills, from federal IT reform and cybersecurity updates to reducing the number of agency reports, crowded the docket of the Senate Homeland Security and Government Affairs Committee business meeting Wednesday.

While there were few surprises, the debate over Donovan’s nomination to be the next director of the Office of Management and Budget presented some insight into the state of the administration’s relationship with a key congressional committee.

Many of the panel’s Republican members expressed frustration over responses to “questions for the record” from Donovan and the White House after Donovan’s nomination hearing in June.

“I would voice in front of the committee that we had the same problem with him as we did with [DHS Secretary] Jeh Johnson,” said Tom Coburn (R-Okla.), ranking member of the committee. “I got back seven instances of language to questions for the record that were lifted from the President’s budget. I got six that were identical copies to Ms. Burwell’s answers to this committee, and I got three instances where it was pasted on to questions for the record that were identical to what he answered to other questions in the record. On today’s nomination, I’m not going to vote for him. I’m not going to vote against him today. I want to have a frank conversation, because if you are not paying attention to the answers to this committee, you may not be paying attention when we have you before the committee. I’m really disappointed. This is a measure of management, how you answer questions to Congress, and if you are going to let the legislative-affairs shop paste answers that aren’t your answers to questions, what that says is, ‘Whatever.’ And that’s not the Shaun Donovan I know.”

Several other Republican committee members echoed Coburn’s frustrations with the questions for the record.


Sen. Tom Carper (D-Del.), chairman of the committee, said the White House did resend answers to the questions for the record that included real answers.

Unneeded reports on their way out

These frustrations didn’t stop Donovan from passing through this initial hurdle on his way to becoming OMB director. His nomination now moves to the full Senate for debate and vote. Donovan would replace Sylvia Mathews Burwell, who left earlier this month to become the secretary of the Department of Health and Human Services.

Aside from the mild drama over the Donovan vote, lawmakers approved major IT and cybersecurity bills, and seemed to be building momentum to finally get rid of hundreds of unneeded federal reports that agencies spend time and money issuing but that few, if any, actually read.

The committee also approved a substitute amendment for the Government Reports Elimination Act of 2014.

The bill would let agencies eliminate 57 reports that are no longer needed, ranging from the DHS report on a “Prohibition on Importation of Products Made With Dog or Cat Fur” to the EPA’s Great Lakes “Management Comprehensive Report” to many others.

In fact, OMB yesterday released a new request to get rid of or consolidate 74 additional reports. These suggestions follow OMB’s recommendation to consolidate an initial 376 reports it considers redundant.

OMB Deputy Director for Management Beth Cobert said in a blog post that Congress has made some progress in reducing the burden on agencies over the last few years, including in 2011 when it agreed to streamline about 75 reports the Defense Department requested to reduce or eliminate.

Cobert said publishing the list of suggested consolidations is part of the implementation of the Government Performance and Results Modernization Act of 2010.

The House passed a similar bill, sponsored by Rep. Darrell Issa (R-Calif.), chairman of the Oversight and Government Reform Committee, in April.

Along with the reports-elimination act, the Senate committee also approved its version of the Federal IT Acquisition Reform Act and the Federal Information Security Modernization Act of 2014.

Carper and Coburn sponsored an amendment in the nature of a substitute to the House-passed version of FITARA.

Carper said FITARA would initiate the first major change to the role of CIOs since the 1996 Clinger-Cohen Act.

Coburn said the goal is to take a narrow and focused approach around the key issues related to IT reform. He added it will keep agencies moving in the right direction to get better value out of IT.

Conflict arises with DoD CIO changes

But Sen. Carl Levin (D-Mich.) withheld his vote on FITARA because of some concerns about how it matches up with language aimed at the Defense Department in the Defense Authorization bill, currently working its way through the Senate.

“Because of what the GAO has recommended to us over at the Armed Services Committee and because of a number of think tanks who have made recommendations to us that we reorganize the CIO and create a new management officer for the Pentagon,” Levin said. “The Pentagon needs a total change in terms of management of their business operations. Sen. Coburn has very clearly identified that in the area of IT. What we have done in our bill is something different than what is in this bill, but is aiming at the exact same problem Sen. Coburn has identified. We don’t have a CIO identified as a CIO in our bill, but rather we combine it with a chief management officer and create a new chief management officer with much greater authority particularly over IT.”

He said the staffs of both committees are aware of the inconsistencies and plan to work them out before either bill goes to the floor for a vote.

As for the FISMA update, Carper said he is confident the legislation will make the government more secure.

“One of the challenges for us has been to figure out how do we balance the responsibilities of OMB and DHS in this regard? I think we’ve come to a good spot,” Carper said. “If I could use an analogy here, the job of OMB is to steer the boat. The job of OMB is to set the policy and to be the enforcer. The job of DHS is to help row the boat and they work at this together. I think we’ve come to a very good understanding and agreement on what that policy should look like going forward.”

He said the committee is comfortable giving DHS more operational authority because of the progress it has made over the last few years in getting its own cybersecurity house in order. Carper said the most recent report on federal cybersecurity places DHS at the top of the list among agencies.

Carper said that’s “leadership by example.”

DHS has been pressing lawmakers to clarify its role in law around defending federal civilian networks and in working with the private sector. DHS officials said recently the Heartbleed vulnerability showed why this change in law is needed.

Carper said the bill doesn’t codify the Einstein intrusion-protection and detection program, and the committee is working with DHS on how best to do that.

Risk management provisions get high marks

Industry and other expert reaction to the Senate’s actions has been mostly positive, especially around FITARA.

Daniel Castro, a senior analyst with the IT and Innovation Foundation, said giving CIOs more control over what’s going on in their agency is among the most significant provisions in the IT reform bill. Castro said it will bring more accountability into the process.

Erica McCann, a manager for federal procurement policy with the IT Alliance for the Public Sector, said the Senate version would give CIOs more flexibility to solve problems, especially when it comes to bringing in new ways to oversee and make more transparent the status of federal IT programs.

“I think that having that involvement and that risk management practice built in will be helpful for the federal government in general because it will stop sort of a runaway project from advancing if it has the ability to do that assessment every quarter,” McCann said. “There is a section on the PortfolioStat process. Now this is newer to FITARA. We’ve seen an allusion to it in the past. But there is a new section in this bill that really codifies that PortfolioStat process, which is another risk management process that the federal government goes through on major IT acquisitions so you see two key focuses there on trying to figure what risk management processes need to be implemented.”

She said there have been too many inconsistencies in how risk is applied to IT projects, and FITARA would address some of those challenges.

The Senate bill, however, significantly strays from the House version. McCann said she compared provisions and found only two of 20 provisions that were similar. The Senate’s version dropped several key measures that were in the House version and that ITAPS thought were good, including those around cloud, website consolidation and the acquisition workforce.

But that’s not surprising, according to Mark Forman, a former OMB administrator of the Office of IT and E-Government and now vice president of IT services and cloud initiatives at TASC.

Forman, who helped write the Clinger-Cohen Act nearly 20 years ago, said FITARA is taking a more sophisticated approach to risk management in IT projects.

But Forman said he’s not convinced that giving CIOs more authority makes sense.

“The head of the department is going to manage the way that they think is best in the interest of the country and the interest of that department,” he said. “If this legislation gets interpreted such that a new head of an agency or every time you bring in a new CIO, the existing head of the agency says, ‘Here are the authorities. Here is how I’m interpreting the authorities for the CIO.’ Then I think it could be very productive.”

Forman also said he’s excited about the renewed call by the Senate for shared services.

However, on the issue of FISMA, Forman said it’s a little awkward for Congress to tell OMB to change a circular. One main point of FISMA reform is for OMB to cancel a major section of Circular A-130 and then release interim guidance before completing a major update to move agencies toward continuous diagnostics and mitigation.

Forman said Congress usually doesn’t get involved in how OMB manages circulars.

All of these bills and Donovan’s nomination now go to the full Senate for debate and vote.

