[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
THE IT ROADMAP: AN OVERVIEW OF HOMELAND SECURITY'S ENTERPRISE
ARCHITECTURE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
POLICY, INTERGOVERNMENTAL RELATIONS AND
THE CENSUS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
OCTOBER 8, 2003
__________
Serial No. 108-129
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
92-900 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                     HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut          TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida            MAJOR R. OWENS, New York
JOHN M. McHUGH, New York                EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                   PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana                 CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio              ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                    DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                     DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia                  JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania       WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                      DIANE E. WATSON, California
ADAM H. PUTNAM, Florida                 STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia             CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee          LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma                 C.A. "DUTCH" RUPPERSBERGER, Maryland
NATHAN DEAL, Georgia                    ELEANOR HOLMES NORTON, District of Columbia
CANDICE S. MILLER, Michigan             JIM COOPER, Tennessee
TIM MURPHY, Pennsylvania                CHRIS BELL, Texas
MICHAEL R. TURNER, Ohio                 ------
JOHN R. CARTER, Texas                   BERNARD SANDERS, Vermont (Independent)
WILLIAM J. JANKLOW, South Dakota
MARSHA BLACKBURN, Tennessee
Peter Sirh, Staff Director
Melissa Wojciak, Deputy Staff Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Philip M. Schiliro, Minority Staff Director
Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census
ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan             WM. LACY CLAY, Missouri
DOUG OSE, California                    DIANE E. WATSON, California
TIM MURPHY, Pennsylvania                STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio
Ex Officio
TOM DAVIS, Virginia                     HENRY A. WAXMAN, California
Bob Dix, Staff Director
Scott Klein, Professional Staff Member
Ursula Wojciechowski, Clerk
David McMillen, Minority Professional Staff Member
C O N T E N T S
----------
Hearing held on October 8, 2003
Statement of:
    Cooper, Steven I., Chief Information Officer, U.S. Department of Homeland Security
    Evans, Karen S., Administrator of E-Government and Information Technology, Office of Management and Budget
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of
    Cooper, Steven I., Chief Information Officer, U.S. Department of Homeland Security, prepared statement of
    Evans, Karen S., Administrator of E-Government and Information Technology, Office of Management and Budget, prepared statement of
    Putnam, Hon. Adam H., a Representative in Congress from the State of Florida, prepared statement of
THE IT ROADMAP: AN OVERVIEW OF HOMELAND SECURITY'S ENTERPRISE
ARCHITECTURE
----------
WEDNESDAY, OCTOBER 8, 2003
House of Representatives,
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:40 a.m., in
room 2247, Rayburn House Office Building, Hon. Adam Putnam
(chairman of the subcommittee) presiding.
Present: Representatives Putnam, Murphy, and Clay.
Staff present: Scott Klein, professional staff member; Bob
Dix, staff director; Ursula Wojciechowski, clerk; John Hambel,
counsel; David McMillen, minority professional staff member;
and Teresa Coufal, minority assistant clerk.
Mr. Murphy [presiding]. Good morning. As you can tell, I'm
not Mr. Putnam. His flight is delayed. He'll be here soon and
I'll be starting off for him. A quorum being present, this
hearing of the Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census will come to order.
Good morning and welcome to today's hearing on a very
important information technology initiative: The Department of
Homeland Security's Enterprise Architecture. This morning the
subcommittee will be examining the Department's release of its
first enterprise architecture as well as how it aligns with the
overall Federal Enterprise Architecture and E-Government
strategy.
Less than a year ago, on November 25, 2002, President Bush
launched this enterprise architecture development process by
signing into law the bill that combined part or all of 22
Federal agencies into one Cabinet-level umbrella known as the
Department of Homeland Security. As you may be aware, this
consolidation is the largest reorganization of the Federal
bureaucracy since our Defense Department and intelligence
agencies were restructured over a half century ago.
In addition to the challenges of consolidating and
integrating the masses of disparate information technology
systems to allow 22 agencies to function as a cohesive
organization, the Department quickly discovered it had a
critical and enhanced role to secure, analyze, and share
important information across traditional agency boundary lines,
including intergovernmentally.
To achieve the Department's core mission, the need to
interface and become interoperable with systems internally and
externally quickly became a top priority. The Department
inherited a collection of legacy systems for a variety of
missions, from securing our borders to providing intelligence
data identifying subjects of interest. Clearly the challenge
was, and continues to be, an enormous exercise in collaboration
that requires cooperation throughout the entire organization.
In assessing the huge task it faced, the Department of
Homeland Security discovered it operated more than 1,000
servers and approximately 700 different applications, including
more than 300 applications performing some variety of
back-office operations. Nearly 50 of those disparate applications
have been functioning to prevent and respond to terrorist
events.
As we have seen during congressional debate and at
hearings, the Department has faced tremendous challenges to
become interoperable in unifying multiple field structures;
blending the cultures of each agency and some 180,000
employees; standardizing data to improve information sharing;
and integrating both existing applications and IT. Needless to
say, building an effective Department from 22 separate entities
will require sustained leadership from both IT and other top
managers to ensure the transformation of a diverse collection
of agencies, programs, and missions into an integrated
organization. Quite frankly, some have expected this
transformation to simply occur overnight and fail to fully
appreciate the magnitude of the effort required to achieve the
integrated functionality necessary to operate in a
collaborative manner. The IT challenge is only part of the
equation, however; the success of that component is critical to
the ultimate success of the transformation itself.
The challenges that face the Department are both real and
difficult, in fact, leading the General Accounting Office to
designate the administration of the Department as a high-risk
area. Foremost among those challenges is the Department's
development and implementation of a coherent enterprise
architecture to support its mission. Even the President's own
homeland security strategy identifies, among other things, the
need for an enterprise architecture as a necessary component to
achieving the goal of the Department's systems interoperating
effectively and efficiently.
As I am confident our witnesses will convey today, an
enterprise architecture is a very important step because it
will help identify shortcomings and opportunities in current
homeland security-related operations and systems, such as
duplicative, inconsistent, or missing information.
I also understand that as part of its enterprise
development efforts, the Department has established working
groups comprising State and local CIOs to ensure that it
understands and represents their business processes and
strategies relevant to homeland security. In addition, I
understand that OMB, in its examination of DHS's overall IT
program, an effort to identify redundant activities that might
be candidates for consolidation and integration through the IT
budget submission process, has taken an initial first step to
evaluate DHS's component systems.
Given the climate that exists in our world today and the
imminent danger that confronts our Nation, there are justifiably
huge expectations for the Department of Homeland Security. Many
folks are insisting upon results, and today we will examine a
significant step forward in producing those results.
Truthfully, it is a remarkable achievement that we are here
today, in such a short period of time by virtually anyone's
measure, to unveil this critical information technology
milestone at the Department of Homeland Security.
This subcommittee has held 15 hearings during the 108th
Congress focused on e-government, integration and consolidation
of governmentwide functional IT systems, information privacy
and cyber security. Development of an effective enterprise
architecture at the Department will provide a detailed roadmap
to address nearly all of the important IT issues examined this
year by the subcommittee, including how DHS will configure its
IT in such functions as grants management, geospatial
information, HR and financial management systems, smart cards
and biometrics, records management and the handling of
personally identifiable information by government.
In addition, this subcommittee's oversight activities on
cyber security have made it abundantly clear that developing
and adhering to an enterprise architecture is the most
effective method of integrating information security solutions
over the long term. Congress recognized the importance of EA in
assessing risk and achieving secure systems through passage of
the Federal Information Security Management Act, which requires
agencies to consider security throughout the life cycle of a
system. Consistent with today's architecture release, we will
continue to press for cyber security solutions at the initial
stages of systems development versus attempting to attach
expensive, disparate solutions to the old processes and systems
as an afterthought.
Finally, on a broader scope, the subcommittee will review
how this initial Department of Homeland Security roadmap aligns
with the overall Federal Enterprise Architecture and
E-Government Strategy managed by the Office of Management and
Budget. Accordingly, we are very pleased to be joined today by
the distinguished CIO from DHS, Mr. Steve Cooper, and we
welcome the brand new administrator for Information Technology
and E-Government, Karen Evans, for her very first appearance at
a congressional oversight hearing in her new position.
I now yield to the gentleman from Missouri, the ranking
member, Mr. Clay, for any opening remarks that he may wish to
make.
[The prepared statement of Hon. Adam H. Putnam follows:]
[GRAPHIC] [TIFF OMITTED] T2900.001
Mr. Clay. Thank you, Mr. Chairman, and thank you for
calling this hearing. I also thank the witnesses for appearing
before us today. Unfortunately, this morning is full of
competing opportunities. The full Committee on Government
Reform is downstairs holding a hearing on rebuilding Iraq, and
I apologize for not being able to give this hearing my
undivided attention.
It wasn't that long ago that information policy in the
Federal Government was about buying computers. People talked
about information resource management, but what they really
meant was buying computers and computer software. Congress
believed that information policy was about getting the right
information to decisionmakers at the time they had to make a
decision. That concept was a part of the last rewrite of the
Paperwork Reduction Act which was written in the early 1990's.
These competing concepts have come together and been named
enterprise architecture.
Unfortunately, it took a few billion dollar mistakes at the
IRS and the FAA before the executive agencies got it. When you
strip away all of the jargon, the process of developing an
enterprise architecture is about mapping the way an
organization communicates and making sure those communications
are timely and effective.
Congress put together 22 agencies from nearly every
Department in the government to create the Department of
Homeland Security. The managers of the Department now have the
task of making those agencies work together as a cohesive
whole.
The enterprise architecture is designed to be a roadmap for
how that will happen. Like most maps, there are a variety of
ways of getting from A to B. Some routes are more direct than
others. Some are more expensive and some more educational. What
really matters is how the Department chooses the route it will
take. Implementing this transformation is about communication
and cooperation. If the individuals and agencies within the
Department lose sight of those goals, the process will fail and
the Department will fail in its mission to protect the American
public.
If this transformation becomes bogged down in selecting
which personnel system will be used or which payroll system or
whether it runs on PCs or Sun Microstations, the process will
fail.
I look forward to our discussion today, and I hope our
witnesses will proceed with a minimum of jargon. Thank you, Mr.
Chairman.
Mr. Murphy. Thank you, Mr. Clay.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
[GRAPHIC] [TIFF OMITTED] T2900.004
Mr. Murphy. I too hopefully will understand half of what is
said. I will rely on you to understand the other half. Thank
you for your leadership in this subcommittee.
I ask now that the witnesses rise to be sworn in.
[Witnesses sworn.]
Mr. Murphy. Let the record show that both witnesses
responded in the affirmative.
I'd like to start by introducing our first witness for her
5-minute opening statement, Karen Evans. On September 3, 2003,
Karen S. Evans was appointed by President Bush to be
Administrator of the Office of Electronic Government and
Information Technology at the Office of Management and Budget.
Ms. Evans replaces our good friend Mark Forman, and I
understand she began as Administrator on Monday; and to her
great fortune, 48 hours later she's testifying before Congress.
I hope you've had time to prepare.
Prior to joining OMB this week, Ms. Evans was Chief
Information Officer at the Department of Energy and served as a
vice chairman at the CIO Council, the principal forum for
agency CIOs to develop IT recommendations. Previously she
served at the Department of Justice as Assistant and Division
Director for Information Systems Management.
Ms. Evans, thank you for agreeing to serve in this
important post. We are grateful for the work you're going to be
doing, and we look forward to working closely with you and your
staff. Welcome, and I yield 5 minutes for your opening
statement.
STATEMENT OF KAREN S. EVANS, ADMINISTRATOR OF E-GOVERNMENT AND
INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET
Ms. Evans. Good morning, Mr. Chairman, Ranking Member Clay,
and members of the committee. It is my pleasure to be here
during my first week as the new administrator of the Office of
Electronic Government and Information Technology at OMB. Thank
you for the opportunity to discuss with the committee the steps
the administration has undertaken and will continue to take to
improve Federal IT management, particularly as it relates to
our homeland security mission.
Mr. Chairman, I know that under your leadership, this
committee has been a forerunner in Congress on a number of
critical IT issues such as enterprise architecture,
e-government and IT security. I look forward to working with you
and the committee to make progress on our shared priorities. My
remarks will focus primarily on the administration's Federal
Enterprise Architecture [FEA] efforts as well as OMB's role in
assisting the Department of Homeland Security in their
enterprise architecture [EA] work.
The development and implementation of the FEA is a key step
toward achieving significant governmentwide improvement in the
management of Federal IT resources. The FEA gives agencies a
new way to describe, analyze, and improve how the Federal
Government serves its citizens. By looking at the government's
many lines of business, the citizen groups it serves, and the
underlying tools and technologies, agencies will be better able
to leverage resources while improving service delivery.
We will be able to identify opportunities to eliminate
redundant investments while improving integration of resources
and information sharing across Federal agencies with State and
local governments.
This business focus framework will assist Federal agencies,
OMB, and the Congress in improving the performance of the
government. The outcome of our FEA efforts will be more
citizen-centered, customer-focused government that maximizes
technology investments to better achieve mission outcomes.
The FEA also directly supports the development of
individual agencies' EAs by providing a framework for agencies
to align their performance, business, data application and
technology layers to the FEA.
OMB has leveraged both traditional management and budget
processes to ensure that the FEA is directly linked to and
informed by each agency's EA and agency's IT investments. Each
agency's EA must describe how they meet their missions through
the use of people, business processes, data and technology,
while each major IT investment request must detail how the
investment is aligned with and supports the FEA and the agency
EA.
While it is essential for each agency to develop and
implement an EA, nowhere is this more critical than for the
Department of Homeland Security. Achieving effective homeland
security will require IT investments that guarantee realtime
information sharing to improve response time and
decisionmaking. To meet these goals and assist in overcoming
information sharing barriers, we require wise IT investments
that support homeland security missions, enhance productivity
and improve information sharing while providing for security
and privacy.
In his proposal for creating the Department over a year
ago, the President highlighted the use of EA techniques. The
President stated that the development of a single EA for the
Department would result in elimination of duplicative and
poorly coordinated systems that are prevalent in government
today, and that we must fund homeland security missions based
on an overall assessment of requirements rather than a tendency
to find all good ideas beneficial to a separate unit's
individual needs even if similar systems are already in place
elsewhere.
The merging of 22 previously separate agencies has resulted
in DHS inheriting many redundant and overlapping IT systems and
processes, nearly all designed to address individual programs.
Both the FEA and the Department's EA will be instrumental in
identifying opportunities for both reducing existing
duplication and preventing new redundant investments.
Throughout the fiscal year 2005 budget process, OMB will
work with the Department to eliminate redundant and
nonintegrated operations systems and processes for both IT
infrastructure and mission areas. DHS's EA is indispensable to
achieving these results.
However, to be an effective tool, the EA must reflect
organizational decisions made by the Department's leadership
and be used by the entire Department and in particular senior
officials in mission and management in making all resource
decisions.
Tough but necessary investment decisions must be made on
which systems and processes remain, which will be consolidated
and which are eliminated.
OMB will continue to oversee DHS's efforts to implement
their EA, consolidate their IT investments and support and
shepherd E-gov initiatives through both management and budget
processes. Through the budget process OMB will assess all DHS
major IT investments with a strong focus on planned integration
and consolidation of overlapping systems.
Additionally, through the President's Management Agenda,
under the expanding electronic government score card, OMB will
assess on a quarterly basis the Department's progress in their
EA development and implementation as well as their IT
consolidation activities.
The administration will continue to work collaboratively
across Federal agencies with Congress, State, and local
governments and the private sector to strengthen information
sharing in support of homeland security efforts. Both the FEA
and DHS's EA are vital tools necessary to improve the
management and performance of our homeland security missions.
While we recognize the significant challenges facing DHS in
consolidating the cultural and resource legacies of 22
component agencies, we fully expect that DHS leadership will
continue to build an integrated and interoperable structure.
To ensure we successfully meet this goal, OMB will work
with DHS leadership to ensure that their EA efforts, their
integration of business processes and consolidation and
elimination of redundant IT investments remains a top priority
and is addressed in a timely manner.
I look forward to working with the committee on our shared
goals of improving the Federal Government's management of all
its IT resources, including those related to homeland security.
Thank you.
Mr. Murphy. Thank you, Ms. Evans.
[The prepared statement of Ms. Evans follows:]
[GRAPHIC] [TIFF OMITTED] T2900.005
Mr. Murphy. Our second witness this morning is Steven I.
Cooper, Chief Information Officer of the U.S. Department of
Homeland Security. Prior to being appointed by the President to
be the first CIO at the Department, Mr. Cooper served at the
White House as a Special Assistant to the President for
Homeland Security.
Prior to Federal service, Mr. Cooper spent 20 years in the
private sector, most recently as a CIO at Corning in New York.
Previously he served as Director of IT for Eli Lilly & Co. in
Indianapolis. He also held key IT management positions with
CSC, Maxima, and CACI.
Mr. Cooper, you certainly have been given a monumental
task, and I know Members of Congress are looking forward to
your candid views on this subject and the Department of
Homeland Security. You may proceed.
STATEMENT OF STEVEN I. COOPER, CHIEF INFORMATION OFFICER, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Cooper. Thank you. Mr. Murphy and members of the
subcommittee, I'm very pleased to appear before the
subcommittee today. I want to thank the chairman and members of
the subcommittee for giving me the opportunity to talk about
the Department of Homeland Security's enterprise architecture
efforts and initiative. I'm very pleased to announce to you
that we have completed the first version of our target
enterprise architecture and are already beginning to implement
the objectives of our enterprise architecture transition
strategy.
The enterprise architecture will help DHS align information
technology investments with its mission and business needs,
help us improve data sharing and interoperability with its many
information sharing partners and stakeholders that include
other Federal agencies, State and local tribal governments and
particularly the private sector responsible for our critical
infrastructure.
In my previous testimony, I discussed the vision and
strategy of DHS and how that strategy must be supported by a
disciplined capital planning and investment control process
that is guided by a business-driven enterprise architecture.
Our strategy identified major initiatives, such as
information integration across the Federal, State and local
government, private industries and citizens, common standards
for electronic information sharing and integration, improved
communications capability and interoperability and reliable
public health information capability and sharing.
The enterprise architecture captures this strategy and
describes a target information management infrastructure that
will be dramatically different from the one we have today, one
that will provide timely, accurate, useful, and actionable
information to all individuals who require it all the time.
We have accomplished something we believe to be truly
unique in the Federal Government. We have designed and
delivered a comprehensive and immediately useful target
enterprise architecture in less than 4 months. Our enterprise
architecture is enabling us to make decisions now about our
information technology investments, even as we continue the
hard work of developing greater detail, reaching deeper to find
more opportunities for consolidation and are beginning to
develop new and improved mission support capabilities enabled
by information technology.
Now I'd like to kind of take everything we've done and see
if I can summarize it in easy to understand jargon in less than
a couple minutes.
Mr. Murphy. Please.
Mr. Cooper. First let me share some of the things that we
found. First of all, we have inherited a ton of stuff. Most of
it is categorized in some manner within the legacy organization
that developed it.
At that time everything was developed for the mission and
capability of that specific legacy entity. For example, legacy
Customs, legacy Immigration and Naturalization Service, Federal
Emergency Management Administration and so forth.
What we have to do and what we have already begun doing--
and we have our first release--is to basically step back and
now take a look in the context of the Department of Homeland
Security, how do all the parts and pieces fit together.
The diagram that you have on your left, which isn't quite
the eye test that you have on the right--and we'll get copies
of these to the committee members--but on the left you
effectively have a diagrammatic representation of the
strategies, goals and objectives of the Department. We refer to
it as our value chain, the same as you would find in any
private sector corporation. It represents what we have to
accomplish to secure the homeland and protect the lives and
secure 286 million Americans. It's that simple.
On the right, that single diagram which we labeled a
sequencing diagram effectively represents all the work that
we've done in this first release. Let me try to verbally
describe what you see up there. First and foremost, the value
chain in that left-hand diagram is represented across the
center--the rough center of the diagram left to right. So those
kind of blue-turning-to-gray rectangles are the mission, goals,
and objectives of the Department. I'll give you an easy
example. We talk about preventing incidents, disseminating
information, preparing for incidents. God forbid something
should happen, we have to respond to that incident and we have
to recover from that incident. At the highest level, that's the
goal of the Department related to terrorism.
If we then begin to break that down, what we find is a
lower-level category that aligns with that mission that we've
labeled threat identification and management, to give you one
example for illustrative purposes here.
Below that horizontal grouping of rectangles the little
teeny tiny print that none of us can read are basically all of
the projects and initiatives that we found underway in the
Department at this time.
Now, what you can visually see is some of the columns have
a whole bunch of projects, and some of them have very few or
none. The first thing that that tells us is where we've got a
whole bunch of them, they're basically in the same mission area
and may provide an opportunity for integration and
consolidation.
Collectively, those projects represent somewhere on the
order of about $2 billion in fiscal year 2004. So we're talking
a pretty sizable capital investment.
Our work then, if I continue the example of threat
identification and management, I'm going to read these quickly,
but you'll get the idea, OK, and some of these names you will
recognize. CAPS 2, U.S. VISIT, SEVS, which is the Student
Exchange and Visitor System, electronic surveillance system,
FORCE, IDENT consolidated intelligence system, numerical
integer intelligence system, cyber warning information,
national warning system. You get the idea.
There are about 16 major initiatives in this threat
identification and management column, and one of our first
orders of business is to understand how do they integrate, how
do they overlap, if they overlap, and what can we do to both
successfully deliver the mission capability represented by
these applications but at the same time be respectful of the
fact they represent a huge investment of taxpayer dollars. We
don't want to be wasteful. We want to ensure homeland security,
and we may have opportunities to both consolidate, deliver
mission-capable, deliver accurate, useful and timely
information and save money. That's our objective. We repeat
that across every one of those columns. There's a significant
amount of work to do.
The pink stars or the lavender stars represent what we
believe to be quick hits. Those are things we believe we could
do very quickly, meaning within about a 6-month timeframe, to
accomplish delivering mission capability, doing no harm to
current mission capability in each of our inherited legacy
environments, and at the same time begin some of the
consolidation activity, integration activity.
At this point in time let me stop, and I think Karen and I
would both be delighted to answer questions of the committee.
[The prepared statement of Mr. Cooper follows:]
[GRAPHIC] [TIFF OMITTED] T2900.010
Mr. Murphy. Thank you both for your testimony. This shows a
very complex system that needs to be smoothly integrated,
because where there's all that complexity, there's also a lot
of places that there are chinks in the armor, so to speak, that
we make sure we resolve so no one sees those as vulnerable
positions.
Mr. Cooper, let me begin by questioning you at the bottom
line. How will the enterprise architecture that you discuss
contribute to the achievement of the overall mission of the
Department of Homeland Security?
Mr. Cooper. First and foremost, as I mentioned, the
enterprise architecture captures and represents all of our
mission capability. One of the first things that we recognize
is that we have to basically understand what we have today
before we can add new mission capability from an information
technology enablement perspective.
So the first immediate value is we know what we have, we
know what we need to rationalize and stabilize from an
infrastructure perspective, meaning we've got to have a stable
platform before we can launch new capability. From that stable
platform, which we anticipate will probably take us about 12 to
24 months, the good news is that we deliver value along the
way, so it's not an all-or-nothing proposition, but it will
take us about 12 to 24 months to completely stabilize our
infrastructure.
We then can launch new mission capability along the way,
but we can rapidly speed up, we can make wiser investments of
how we want to achieve new capability. We can understand where
we are lacking support for some of our mission capability. We
can identify that immediately, as I mentioned, by showing
basically the white space in our enterprise architecture.
Mr. Murphy. As a followup there, when you talk about things
you can do within the first 6 months, are those things you can
do within the first 6 months because they are relatively more
simple to change or because those are high priorities?
Mr. Cooper. Both.
Mr. Murphy. Let me follow up by asking you to describe for
this subcommittee how a comprehensive architecture will produce
a Department that is more efficient, productive and cost
effective. I think you're talking about $2 billion worth of
programs here.
Mr. Cooper. Exactly. You had already mentioned in fact in
your opening remarks that we've identified, for example, over
300 information technology solutions and applications that are
what we call back-office in nature. They represent the
functions around human resources, finance, budgeting,
procurement acquisition capability.
While I can't argue that necessarily one or two is the
right answer, I can tell you 300 is not the right answer. All
right.
So one of the things that we can immediately do, and we
have now identified these, we can immediately begin to stop or
not continue some of the redundant applications, guided by the
principle of doing no harm. We need to make informed decisions
about where we stop, and we will do that. We'll do it conjoint
with OMB. We'll do it with this committee and with Congress as
appropriate. But we can begin to move from many, in this case
300, down to some sizable, manageable number. That enables us
to take the savings that we will achieve in this integration
and consolidation and apply that to other areas of need. The
idea would be hopefully that our efforts do not cost additional
money, but rather we are able to redirect where we invest.
Mr. Murphy. Let me follow up with that. You're going to
integrate 22 agencies through all this. So I mean, what is the
real effect going to be on DHS in accomplishing its overall
mission of utilizing your enterprise architecture here, getting
these 22 agencies together?
Mr. Cooper. Let me give a couple more specific examples in
the mission area. The principle that we're after is basically
to simplify our environment. OK. We want to make things less
complex, but at the same time deliver mission capability.
In the mission space we've already identified areas of
opportunity. One I shared with you around threat identification
and management. Another one that we've begun to do work in is
identity credentialing. We have several applications underway
that deal with the identification of people and how they are
documented, how that documentation is then authenticated.
By first identifying all these different initiatives, we
can take a look at where they overlap, we can begin to bring
multiple project teams that began in their legacy environments,
meaning the Coast Guard had different initiatives underway, the
Secret Service had different initiatives underway, legacy
Customs, legacy INS, all had appropriate to their mission
initiatives underway. By bringing those teams together and by
having them work with one another, we accomplish a couple very
important things.
First of all, we rapidly integrate the actual functionality
to deliver mission capability of the Department. We now have
people with expert skills in this area or other areas working
so that we speed up the process by which 190,000 people begin
to know who to talk to and who to collaborate with inside the
Department. Extremely important and extremely valuable for us
to do that as quickly as we can.
The second thing, we begin to leverage that expertise. Each
one of those experts brings their expertise and their
perspective from the objective that they previously operated
in, their previous operating environment. By sharing we benefit
as a Department because now we have a broader perspective.
The United States benefits because we now are bringing many
experts to bear on common problems, and we can do it faster.
Hopefully we can do it less expensively, and we can achieve a
result that is basically greater than the sum of the parts.
Collaboration, knowledge management, identity
credentialing, intelligence information, integrated case
management are all other examples of areas of activity that
we're bringing collective project teams and initiatives
together.
Mr. Murphy. You were talking about the legacy and what
appears to be redundancy, but are these functions that
different from one another, or are they going to want to
preserve some of their turf on how they handle this?
Mr. Cooper. Well, let me answer in two parts. First of all,
from a process and functionality standpoint, there is overlap.
Let's take something like the identification of people who
might be a threat to the United States. We can do the same
thing with the identification of cargo, in tracking cargo
before it reaches our ports of entry. Secretary Ridge has
announced that is our Smart Border Initiative.
In both of those cases there clearly are aspects of each of
those processes that we want to retain within the inherited
legacy environment, but there are also aspects that we
absolutely want to share.
Now, the second part of the question about are there
cultural objectives to overcome, candidly I would tell you,
yes, there are. We have some parts of the Department that have
a 200-year-plus very rich history and legacy of tradition and
honor and service to America. We don't want to do away with
that. We don't want it to disappear. This is about change. This
is about organizational change. This is about people
understanding how do I continue to have a valued role in a new
working environment, which is now the Department of Homeland
Security. That's tough. It requires each of the individuals
involved to understand how they have to contribute in a new
role. It does require some very hard work with regard to
organizational entities and how those entities cooperate and
work together.
Mr. Murphy. So how confident are you that the content of
this whole EA program has sufficient depth and scope to address
the intended purposes here?
Mr. Cooper. At the moment it does not have sufficient
depth. What we explained and what I shared in my testimony back
in the April timeframe was that we will continue--this is a
living, breathing type of initiative. It's dynamic. We will
continue, and have already begun on effective release of two of
our enterprise architecture. That is, to continue the work that
has begun and now push it both down in level of detail and fill
in some of the gaps, some of the white space that you see that
we weren't able to address adequately in our initial 4 months.
I am very confident that the process of enterprise
architecture as defined by OMB and as now applied by DHS will
deliver all of the level of detail granularity, understanding,
business goals, business-driven linkage that we will need. It
will take us a little bit more time to fully populate the
enterprise architecture, but the important message is we are
using our enterprise architecture now to make decisions about
IT investment. We will continue to do that, as it becomes more
robust.
Mr. Murphy. Ms. Evans, I know it's Wednesday and you pretty
much have to grasp the entire program you've inherited Monday,
but actually I wonder if you could also comment on OMB's
perception of this. How and when do you think you'll have a
grasp of the sufficient scope and depth of this EA program from
OMB's perspective?
Ms. Evans. Well, the only perspective--and a preliminary
review of the Department of Homeland Security's EA efforts, we
believe is really very encouraging. We are pleased that they
have identified a current state enterprise architecture as well
as a target state and a transition plan. We are also very
encouraged with the clear linkage that they have to the Federal
Enterprise Architecture efforts as well as their commitment to
a component-based approach for application and integration.
What we will be evaluating as we go forward are the
investment decisions that they are now making, and it will be
reflected in the President's budget for the fiscal year 2005
budget.
Mr. Murphy. One thing that certainly struck us with this
new Department is it's not the same kind of discussions held
back in the 1790's when forming departments to begin with, but
part of where we are now is we're looking at evaluation metrics
and how one will put some things in place to evaluate what is
going on.
Mr. Cooper, what is being put in place?
Mr. Cooper. We use two high-level metrics, kind of from the
startup of the Department, because obviously we hadn't had a
chance to get together. We hadn't had a chance to get guidance
from the Secretary and business leadership yet, but we
immediately put two metrics in place. One was speed to market
or cycle time. OK. We set that as a metric, because we felt
that it held value almost across every business process of the
Department. If there are activities that we can do, if we can
take out nonvalue-added work in our business processes to
reduce the time, for example, that critical information,
homeland security-sensitive information gets from its source to
sworn law enforcement officers as an example, then in fact we
are moving to increase the security of the United States.
The second metric that we have applied thus far is the
quality of the information that's used wherever it's used
throughout the Department. By focusing on cycle time, speed,
and quality of information----
Mr. Murphy. Those are the metrics you're using?
Mr. Cooper. Those are the two metrics that we're using
right now, OK. We felt that immediately added value. What we
intend to do and what we've begun now, as we now continue the
in-depth work and based upon the data that we've gathered thus
far, we now can begin to actually attach specific performance
metrics to each of the mission areas of the Department.
So, for example, if we look at the cargo area, we can
actually now begin to use the information gathered to determine
an easy one: how many containers that we believe might hold
risk are inspected. OK. Today that percentage is not very high.
It isn't that we want to move to 100 percent inspection, but we
want to move to 100 percent of those where we believe there is
sufficient risk or the informed information we have leads us to
believe that we ought to inspect that container.
Mr. Murphy. Are you talking about imported containers?
Mr. Cooper. Yes. In that example, imported containers.
Mr. Murphy. But what about packages shipped within this
country as well?
Mr. Cooper. Again, as appropriate, what we would want to do
is use the enterprise architecture information that we gather--
remember, the information is gathered from subject matter
experts in all of our business areas. This isn't an IT
activity, an information technology activity. It's a business-
driven activity. So by participation of the business experts in
each of the component areas, they are the folks who then in a
facilitated manner can determine here are the performance
metrics that we want to use.
One of the questions that we have in the Department that
we're working toward is how do you measure the success of the
Department--is it as simple as no terrorist incidents, or is it
more complex--so that we understand kind of the correlation and
cause effect of the activities taken by the Department to
prevent any type of incident. We believe it's the latter.
Mr. Murphy. Are you working with private business in the
same aspect too? Are we talking about just intragovernment
agencies here? You talked about 22 agencies. Let's look at
packaging from the shipping companies from the Postal Service,
UPS, FedEx, coordinating with those efforts as well.
Mr. Cooper. Absolutely. Now, in that particular example
that you gave, we have a major initiative underway that you may
be aware of called ACE. If I translate the acronym, it's
basically the former Customs modernization effort which is now
Customs and Border Protection. That initiative we are working
directly with private industry. In fact, there is a supporting
network, the trade support network, that is comprised--I
believe its membership at any given point in time represents
about 150 private sector entities and associations. They
actually work directly with Customs and Border Protection to
determine requirements, and those requirements then move
through a release management process. They are vetted both
internally by the Department and with our industry partners to
determine the priority, the sequencing, cost, business
advantage, that type of thing, such that they then drive
additional capability that appears in subsequent releases in our
modernization effort.
We are doing a similar type of thing in many areas of the
Department. We recognize the responsibility that the Department
has to both partner with and draw upon the private sector, for
we view them as stakeholders, we view them as customers, we
also view them as important suppliers of a lot of the solution
sets that we need to put in place.
Mr. Murphy. For both of you, can you give some immediate
uses, benefits? And when can we expect to see some concrete
results as a result of this whole transition?
Ms. Evans. As it relates to DHS, this particular effort?
Mr. Cooper. Oh, I shouldn't have put you on the spot,
should I?
Ms. Evans. That's OK. I would like to say that as I move
forward, given that this is my 3rd day, the way that we're
moving forward with this so that you can--and I'd like to come
and really speak more specifically to this--is that we intend
to evaluate DHS going forward through the budget process and
ensure that they continue on that progress through the score
card initiative that OMB has, the President's management agenda
score card. But we're working with DHS, just as we work with
all the agencies, so that they really can realize the
potentials and the results of their efforts as they move
forward and make those decisions using the enterprise
architecture.
Mr. Cooper. Let me give you one example that's not quite as
glamorous, that's not quite as sexy as some of the things that
we get involved in, but it's critically important, and it deals
with records management and document management. OK. One of the
things that we have recognized--and with headquarters when we
stood up a new headquarters, there was nothing, there was no
legacy anything that we inherited. Our enterprise architecture
helped us identify existing records management capability,
existing document capability that we could immediately draw
upon and begin to apply at the headquarters level. So while not
very glamorous, it's a very real example where rather than
going out and reinventing the wheel and rather than reaching
out and saying, oh, we have this need in a vacuum, we'll just
go ahead and move forward in this direction, we actually use
the enterprise architecture to draw upon expertise and
understanding what we already had available inside the
Department.
Mr. Murphy. I yield to Mr. Clay for some questions.
Mr. Clay. Thank you, Mr. Chairman.
Mr. Cooper, this enterprise architecture document is quite
lengthy. At the same time it does not address what many experts
say is the most important variable in any merger: agency
culture. The culture at the Secret Service and in the former
Federal Emergency Management Agency could hardly be more
different. How will you address these cultural differences in
implementing this enterprise architecture plan?
Mr. Cooper. One of the things the Secretary has clearly
stated is that we want to respect and retain the cultures and
the traditions of the entities that now comprise the Department
of Homeland Security. The value of our enterprise architecture
in one sense is that it actually is an objective way to take
some of the emotion out of some of the cultural aspects of how
we come at things. Each of us brings our own perspective to
bear on any type of problem or any type of challenge that all
of us face in our professional careers or within our roles and
responsibilities.
The enterprise architecture being devoid of emotion
actually can objectively document here's the process that we
are trying to deal with or trying to automate or trying to
improve. Everybody can see it. Everybody can see themselves and
their perspective in our documentation of that process.
Second, we clearly document this is the information that is
needed, both as input to that process and perhaps produced by
any particular process within the Department. All right. We can
agree factually on what information is needed, what information
comes out, what information flows through the process, who
needs to receive that information, when do they need to receive
it, in what form do they need to receive it. All right.
By kind of breaking this down step by step, we don't
eliminate or negate culture, but we allow all of us to have a
common frame of reference with which we can bring the best that
all of us have to bear on the appropriate problem.
We then can step back and again in the same objective
manner collectively reach consensus around, now, how do we want
to automate the process and the delivery of information.
Mr. Clay. All right. And in practice that's working.
Mr. Cooper. In practice we're underway.
Mr. Clay. Let me ask you, it's my understanding that this
is just version 1 of the architecture and that you expect to
develop subsequent versions in the future. What does this
version represent, and what will it allow you to do?
Mr. Cooper. OK. This version represents--think of it this
way. We're starting top down, meaning we started with the
National Strategy for Homeland Security. It's pretty high
level. It's a pretty macrotype of strategy. We're trying now to
push the level of detail down in terms of functional
responsibility, in terms of business processes that carry out
the mission, in terms of the information that supports all of
these business processes; but I've given some very real
examples that we have begun to identify even in this first
release. So there are things that we can do, documentation
management being one. OK. Those little pink stars, which even I
admit I can't read from here at the table, but if I got up and
ran around there, so those pink stars represent about a dozen
very real opportunities that we can act on right now.
Now, the banding which most of you can see, the darker blue
at the bottom, represents about a 6 to 12-month timeframe. That
lighter green as you move up the chart represents about a year
to 2 years, and then that lightest color at the very top
represents about a 2-plus-year timeframe. OK. And you'll see
those little colored boxes out there.
So even in this first pass, even in just the 4 months of
work, we actually have begun a roadmap that says here are the
things that we can do in each of these timeframes to add real
value in the respective timeframes.
Mr. Clay. What will--that takes me to the next question.
What will version 2 add to this architecture? When will we see
it, and what will version 2 allow you to do that cannot be done
within this version?
Mr. Cooper. OK. What we don't have here is all of the level
of detail about how the processes actually operate and some of
the lower level details, meaning some of the activities and
tasks of how the processes are actually carried out. That will
come in subsequent releases, meaning we'll continue to
populate, we'll add more detail.
That work becomes more tedious, it's a little bit more
time-consuming, so we don't--the first 4 months we kind of--
think of it this way. We went kind of about an inch deep and a
mile wide. All right. Now subsequent releases, we start going
deeper and deeper and deeper. So the breadth of each release
may be less, but it's greater detail. That enables us to
actually understand in more detail and make more definitive
decisions about how information actually fits together; where,
for example, might we source once in the entire Department
information about employees for human resources purposes,
information about cargo for use by all business processes that
must use cargo information. OK. Visa information, for example,
we might with this additional detail--we could determine how do
we source it once, meaning capture it once, reuse it many times
across the Department.
Mr. Clay. Thank you for your response.
Ms. Evans, one of your stellar achievements at the
Department of Energy was the contract with Oracle that
incorporated security into the software contract. I'm
interested to learn of your plans to expand this program. Do
you expect this to become a feature of the Smart Buy Program?
Ms. Evans. First, I'm very proud to speak about that
particular effort at Energy. What we really did was leverage
our business requirements and work that into the contract so
that we could ensure that what we needed to do at the
Department really move forward to ensure our cyber posture. It
is my intention to bring that feature where it is applicable to
the Smart Buy activities. It was applicable in this particular
case given this type of software and the applications that the
Department was doing to incorporate that into the contract. Not
necessarily all efforts that will be going through the Smart
Buy would necessarily need to have that type of feature, but it
is my intention to ensure that feature in support of the
national cyber security strategy is incorporated into the Smart
Buy activity.
Mr. Clay. Wonderful. Wonderful. Let me also ask you, as the
Federal CIO you face many of the same problems that Mr. Cooper
faces, but your job of defining a common mission is even
greater than that faced by Mr. Cooper. Creating common
enterprise architectures across the Federal Government is a
formidable task.
Do you have any recommendation for Mr. Cooper as he tackles
this task at the Homeland Security Department?
Ms. Evans. And that is the big question.
Mr. Clay. I realize you're new here but----
Ms. Evans. That's OK, and actually I really believe that as
my esteemed colleague moves forward and as I move forward with
my role changing, that the enterprise architecture--and you
really did hit on the issue, which is it really does facilitate
communications on all levels throughout all management in
government, and that this effort really is about leadership
with partnership. And so I really am approaching this going
forward as it's a partnership between the agencies, with
Congress, with private industry, State and local government,
and so that we can provide that so that the result of the
architecture efforts and the resulting investment decisions
will really benefit the country as a whole. And I make that
recommendation to Mr. Cooper as I do all my fellow CIOs.
Mr. Clay. Thank you for that response.
And thank you, Mr. Chairman, and so good to see you.
Mr. Putnam [presiding]. Thank you, sir. It is good to be
here. The airline gods have been working against me all day.
Got a baby due at home and fog at National Airport. So between
that I have been to Richmond and back and refueled and all that
fun stuff.
And I want to apologize to the two of you for being late. I
am glad we are able to move forward.
Ms. Evans, I want to take the opportunity to welcome you to
your new position and thank you for your time and attention to
this subcommittee. Your predecessor, Mr. Forman, was a frequent
flyer with our subcommittee, and we have reason to believe that
you will be as open and accessible and available as he was; and
we are delighted to see you in that role and look forward to
working with you in the future.
And, Mr. Cooper, we don't envy the position you have of
assimilating all of the different systems and agencies and
cultures that you face. And we look forward to being partners
in that effort to bring about the change that I think everyone
in Congress envisioned when supporting the creation of the new
department, and work together to make that a seamless
transition for the best interests of homeland security and the
taxpayer.
If I may, I will continue with some of the questioning that
Mr. Clay and Mr. Murphy have begun. Ms. Evans, I am curious how
OMB, how aggressively you intend to enforce compliance with the
Federal Enterprise Architecture. That is an area that certainly
is a responsibility that is on your shoulders. And some is on
Congress' shoulders to stand by this and be tough, but I would
like to hear your thoughts on your ways to enforce compliance.
Ms. Evans. Well, it is the intention of OMB and through the
budget guidance that was issued this year to the agencies to
align their architecture efforts with the FEA. That is our
intention through the management processes and the budget
processes that exist that we will assist the departments in
ensuring that alignment is there and that the architecture is
used for business investment decisions.
Mr. Putnam. Have any discussions taken place within the
agency about holding up spending and working with the
appropriators to make sure that is not bypassed?
Ms. Evans. Since this is my 3rd day, I would like to take
that one back to find out specifically what the details are.
Because I do know there are ongoing efforts within OMB, but I
would like to get back to you about exploring that opportunity
of how we can partner and be able to ensure that these
investments, especially where DHS is concerned, are made
wisely.
Mr. Putnam. I appreciate that, and that is a discussion we
need to have because it is important that somebody be the bad
cop; and it's important that the communication take place with
Congress to make sure there is not an end run, and we don't
undermine your efforts on one hand or allow somebody to back-
door those efforts. And I'll take that answer as the answer to
my next question also, which was, how are we going to
incorporate each individual agency's enterprise architecture
into the overall plan and link that into their IT budget
submissions?
So if you would like to elaborate on that, you can.
Ms. Evans. Primarily, it will be using the existing
processes that are in place by managing the management
processes we have in place and the budget process. Progress
guidance and--is issued through the budget process. However,
ensuring that progress is made is happening through the
quarterly scorecard reviews that each agency has through the
President's management agenda, more specifically the expanding
E-Government Initiative. There are specific milestones that we
do work with each agency to ensure that they make that progress
and that they are aligned.
Mr. Putnam. Well, it is important to make sure that the
existing management processes are enforced, but I think
personally, based on the information we've collected from
previous hearings, that there may be additional processes
required, because there have been some breakdowns in the
current processes that didn't work. If you look at the smart
card programs or some of the other things that we are trying to
tear down, stovepipes on the left hand, and the right hand is
building them back up. And that's a discussion that will be
ongoing, without a doubt.
In July, we held a hearing to review the efficiencies
associated with consolidating and integrating the functional
business systems, particularly HR, finance data, criminal
investigations and so forth. And you have mentioned, each of
you, in your testimony some quick-hit IT investments that you
plan to pursue.
Could you expand on that? And I will begin with Mr. Cooper.
Mr. Cooper. We can. One of the things that our enterprise
architecture, even our early work in this Release 1, helped us
to begin to understand was that in some critical mission
areas--and I mentioned this before you joined us, so let me
quickly repeat these key category areas.
These are labels. These are just working labels inside the
Department that help us categorize things, but we talked about
a family of applications related to identity credentialing. We
talked about a family of applications and issues relating to
risk and threat assessment.
Another family related to intelligence information: how we
gather and produce information, intelligence products, use them
within the Department, move appropriate level of secure,
classified and unclassified information out to the various
stakeholders and constituents that need that information;
integrated case management, collaboration, knowledge
management, information presentation, data visualization, those
types of things.
Those are all families we identified as areas of
opportunity for consolidation, potential areas, OK? We are not
automatically saying that everything becomes one, but by using
our enterprise architecture and linking it to our investment
process, we were able this year, even in the short period of
time of the standard for the Department, we have actually
written and submitted to OMB consolidated exhibit 300's.
Rather than having, for example, 20-some independent
projects and/or applications move forward, each with its own
business case and justification to OMB, we wrapped them
together and said, wait a minute, these are all the same
family; let's write a consolidated business case, let OMB know
that our intention is not to violate any rules or regulations
or laws or anything, but our intention is to look at these
holistically and ask OMB, help us do this. OK?
The same request would come to this committee and to the
appropriate committees of Congress to say, hey, look, allow us
the opportunity to take this type of look.
One of the challenges in doing this is that many of the
initiatives that are under way are--the funding is appropriated
independently. So we need to cooperate, we need to collaborate
to do the right thing. It's going to take all of us working
together to appropriately integrate and consolidate.
Mr. Putnam. But before we go to Ms. Evans on that, do you
have the flexibility that you need? In a herd of horses, DHS is
clearly a zebra. I mean, you are a new creature, recently
developed by the Congress, trying to amalgamate all these
different agencies, different systems, different legacy
systems, different HR systems, different applications.
Do you have the ability in the existing statutory framework
and OMB or internal executive branch framework to do the things
you need to do, to move people around, move resources around to
assimilate those systems?
Mr. Cooper. Thus far, I believe we do. Understand, of
course, we're doing it as I give you the answer, and we are
continuing to learn.
I think what we would ask, certainly, is if you'll allow us
a little bit of continued learning time. We believe that we
have all of the appropriate statutory authority necessary to
accomplish the mission, goals and objectives of the Department.
If you'll allow us a little bit more learning time as we apply
them because, remember, this is now the first full fiscal year
that we have headed in as a department. It's the first fiscal
year we have had a little bit of input into a full budget
process, if you will, and even that was kind of constrained and
allow us to come back and offer guidance from that learning
over the next several months, I think that might be more
helpful. But thus far, we believe we are under way and we
believe we may be able to accomplish everything we need to
accomplish thus far.
Mr. Putnam. That's certainly a reasonable request, but just
understand that you're operating on a narrow margin,
considering the nature of your mission and Congress' very
strong desire to see a seamless transition that is as short as
possible with everybody pulling in the same direction. And from
the IT side, there's probably an awful lot of people in the
government who would like to see you fail to amalgamate all
these systems and that you'll eliminate all of their excuses
for not being able to do it. Because if DHS can pull it off,
there's no reason why everybody can't really make this thing
work.
Ms. Evans.
Ms. Evans. My predecessor did previously brief on lines of
business opportunities. And so, as you asked about some quick
hits in there, the work continued on the lines of business
analysis, and it continues on for four specific lines of
business, which is criminal investigations, public health,
financial management and human resources. The one quick hit
that was identified through the analysis dealt with data
statistics, and that effort has moved over to the Smart Buy
Initiative, where it was identified we could truly leverage the
buying power of our agencies that are involved in statistical
analysis and move forward to get a quick hit as far as
realizing benefits of purchasing statistical packages for those
groups.
As far as the other four initiatives, I'd be happy to
follow up with the committee and provide additional detail on
the current status as it moves through and completes through
the budget process this year.
Mr. Putnam. That would be very helpful.
You're probably familiar that I sent a letter to GSA about
an opportunity to realize some immediate savings in the
relicensure of software. Could you give us a status report on
where that is?
Ms. Evans. We are currently, based on the letter that you
sent, relooking at the opportunities so we can move forward;
and I am in the process right now of looking at opportunities
that GSA has provided in response to your letter. And, again, I
would be glad to come back and talk to you in further detail
about what actions will be taken so we can realize the benefits
of the Smart Buy program.
Mr. Putnam. Absolutely. I think it has tremendous
potential.
Mr. Cooper, who is the person in the Department actually
responsible for holding the business owners accountable for
implementing the business transaction strategy?
Mr. Cooper. I think it is a shared responsibility. I have
direct responsibility for ensuring that we develop and use
departmental enterprise architecture. I need help, quite
candidly, from all of the senior leadership of the Department.
The enterprise architecture, as I stated previously, is not an
information technology initiative, it is a business initiative;
and therefore, I need the help and support of the Secretary,
the Under Secretaries, the appropriate agency and bureau heads
in order for all of us to be successful in this endeavor. But I
am the person who is held accountable.
Mr. Putnam. Ms. Evans, coming from the Department of
Energy, the last zebra to lose its stripes, what lessons
learned from DOE can be applied to the newest department in
government?
Ms. Evans. There are a lot of opportunities in that I think
that the management team and the partnership moving forward is
really key. And based on my new role, I know DHS is committed
to the mission overall. The enterprise architecture was truly
an effort that we really used.
Again, it is leadership with partnership. It's not
necessarily leadership through ownership of any of these types
of things, but it is really leadership through partnership. As
you use the enterprise architecture and you move through the
steps, it really does, as my esteemed colleague pointed out,
remove the emotion from the situation where people really are
committed to making good sound investment business decisions
and ensuring that the dollars are invested wisely; and the
architecture provides a method for that communication to occur.
That really is what happened within the Department, and I
would say that I had a wonderful Secretary and Deputy Secretary
who were committed to the President's management agenda and
really realizing the full benefits of what can be achieved
through proper, sound information technology investments.
Mr. Putnam. Mr. Cooper, how often do the highest level IT
persons in each of the 20-some-odd agencies that have merged
into DHS get together and swap ideas and communicate?
Mr. Cooper. We do that formally on a weekly basis. I
established the Department of Homeland Security CIO Council
almost a year ago, even before the Department was established,
even though it wasn't called the DHS Security Council at the
time. We have been meeting on a weekly basis for that period of
time.
That council is comprised of the CIOs of each of the
component agencies that came into the Department where there
was a named CIO. We didn't exclude anybody--small, large didn't
matter; everybody is a member. We have augmented that with some
additional key senior leadership in IT.
We use that group in a couple of different ways. First of
all, we absolutely meet to share. Our whole goal is to create a
single information technology-coordinated function in support
of the mission of the Department of Homeland Security, and I'd
argue that we are, in fact, well under way in achieving that
type of goal and collaboration.
Second, that same council, reconvened in a formal manner,
becomes the first-level review process of our capital planning
and investment review process for the Department. So for all
information technology investments, we're the first step. So
that initiative will come before us and we meet then as the
enterprise architecture board, same membership, to pass and
enforce compliance with the enterprise architecture.
Mr. Putnam. As you know, this subcommittee has done an
awful lot on cyber security. If you would, please comment on
how security is addressed in DHS-EA.
Mr. Cooper. You'll actually see it. If you get up close
enough to this thing, you will see the appropriate parts of the
information security.
But in addition to evolving it as an integral part of all
appropriate business processes, particularly with regard to our
classified host of processes and information, we have a formal
information security program headed by our chief information
security officer, Robert West, inside the Department. He has
already established an information security advisory board that
is comprised of the information system security officers and
information security managers of every component of the
Department, including the smaller agencies that didn't--that
got that from their parent departments. They actually now have
designated DHS individuals inside the Department.
They meet on a regular basis, usually not lengthier than
monthly, to not only address all information security policy
issues, the compliance thereof, any type of reporting, such as
FISMA, that we have recently completed our report out to you
and to OMB; but they also serve to coordinate all of the
processes that look at building--as we have mentioned, both
Karen and I, building information security into all of our
initiatives, not kind of pasting it on or tacking it on after
the fact.
Mr. Putnam. Ms. Evans, perhaps you would like to comment on
the role of security in the Federal Enterprise Architecture.
Ms. Evans. And I would be happy to do that, sir.
Cyber security, right now, through the work of the Federal
CIO council on the architecture subcommittee, there is an
effort under way that is specifically dealing with cyber
security to ensure that it is integrated throughout the models
that are being produced that support the Federal Enterprise
Architecture.
So it is not going to be a separate entity or a separate
model unto itself, but each model comprised and rolled up into
the Federal Enterprise Architecture will have a cyber security
element to ensure that every decision, everything that we go
forward with that cyber security is adequately addressed to
ensure the cyber posture for the Nation.
Mr. Putnam. Thank you.
We have had our share of worms and viruses this year. And
my understanding is that 90 percent of the Federal Government
is a single operating system, the same one. And so while we
talk about not building more stovepipes on the one hand, there
is this concept out there of monoculture, of a particular
vulnerability that wipes out the entire enterprise. And I am
curious how we work through those issues with regard to the
Federal Enterprise Architecture. Knowing the vulnerabilities
that are out there, knowing that it could be exacerbated by
having the vast majority of the Federal enterprise on the same
operating system, how do we guard against these worms and
viruses and issues that will only grow worse and more rapid as
time goes by?
Ms. Evans. When we look at that and look at the worms and
viruses that are going forward, it really comes down to
configuration management and how each entity moves forward and
deals with configuration management. And as OMB moves forward
and works with each department and agency, most of these
situations, when you look at them--and I can speak--I will step
back into my DOE role, when we did the analysis in the past
year of things that occurred within the Department. They were
all related to, if we had patched in a timely and appropriate
manner, that we would have avoided that situation.
So this really does come down to being able to ensure that
patches are applied in a timely manner and that good
configuration management processes are in place within each
department.
Mr. Putnam. And how quickly is information on the latest
patch disseminated throughout the Federal Government right down
to local case work type--the local Social Security offices
around the country and USDA offices and bases around the world?
How quickly can we get the word out and have reason to expect
and hold people accountable for applying that patch?
Ms. Evans. I would say currently--I still sit in as the
vice chair of the CIO Council, so I am aware that my
predecessor has also briefed on that particular area. But we
have moved through the Federal CIO Council to put procedures in
place so the dissemination of that information happens very
quickly through cooperation, and also with the efforts of
FedCIRC over at DHS; so that then there is a process that's in
place within each department that then makes sure that
information gets disseminated to all the appropriate sources
for the patching.
As far as how quickly that occurs within each agency, I
would be glad to go back and get more information on that and
brief the committee; because OMB did collect that information
from each agency, and so I would be glad to discuss that with
you in further detail.
Mr. Putnam. Since you have it, yes, I would be very
interested in knowing to what extent enterprise-wide we're
actually applying the patches that are available. I mean,
undoubtedly it's just like business or home users or anything
else, people don't want to fool with it, they don't think they
need to, they don't think it applies to them, they don't think
that they'll get it, they don't feel like stopping what they're
doing to do it. All the same human issues that go into the
private sector apply to government and perhaps even more so.
So it would make sense the same reluctance that exists in
the private sector would exist in the government, and I would
be curious to know how effectively we have ingrained the
importance of adequate patch management and rapid response to
that.
If you would, though, comment on the fact that is such a
high percentage of a single operating system. Is that a
concern? Is that a nonissue? Elaborate on that if you would.
Mr. Cooper. Can I jump in?
Mr. Putnam. Certainly.
Mr. Cooper. I think for us--let me answer it this way.
For us, when we took a quick look across the inherited
components of the Department, particularly in kind of a desktop
space, what we saw was that about 80 percent of our inherited
environments were a single vendor. It was a very easy business
decision from an economic standpoint to say, OK, in that space,
for the time being, let's go with what we have.
The costs of changing would have been prohibitive. It also
would have led to very serious concerns about the abilities to
sustain mission capability from day one.
However, having said that, we are paying a lot of attention
to the security vulnerabilities of that particular operating
system environment. We are, within the Department of Homeland
Security, very actively encouraging a heterogeneous environment,
particularly in our mission application space as opposed to
desktop type of space. So as we have mission-critical
applications, we are taking a look at what is the environment
we want to put that particular application or application
hosting in. We do have a lot of inherited environments that are
not that same particular vendor; and we will not only continue
to support, but probably expand some of that capability in a
Unix environment or a Linux environment because we think that
is highly appropriate to what we are trying to accomplish in
the Department.
We want to do no harm to mission capability. We want to do
it in an effective and economic way. And we want to do it so if
we need to migrate, we are migrating in a way that is cost
effective, rapid, and again, does not harm the delivery of
mission capability.
Mr. Putnam. That's a very helpful response. I have no
hidden agenda in the question. I am the guy that just wrote a
letter to GSA demanding to know why they are not standardizing
this stuff. I just recognize that there's a line where the
economic incentives of a common vendor and common applications
are superseded by security concerns, and that's an art and not
a science, and that's why we pay you the big bucks to decide
where that line is, but I am not being critical of any vendor
at all. As long as human beings are going to be designing and
developing this stuff, there will be problems.
But there is certainly a vast opportunity in the Federal
Government for nonmission-critical desktop applications and
things where there are tremendous cost savings to be realized
and certain niche components in agencies like yours where you
want redundancy. And so I think that's perfectly appropriate.
Ms. Evans. I would like to say, sir, that even if it is a
single operating system, any type of approach as we go
forward--and I would really like to get back to configuration,
it is a risk-based approach that all of us take in moving
forward and assessing the risk; how quickly and how can we
apply resources to ensure that things are properly patched.
Technology does exist where, regardless of what the
operating system is, you can automate the application of the
patch and then move forward.
So as we move forward to whether it's standards-based or a
single type of operating system or the known operating systems
that we are managing in our environments, technology exists so
that we can look at how we can apply our resources the best way
that we can, automate the things that can be automated, such as
patch management, and then allow those resources that we have,
the scarce resources that we have that are doing these daily
operations to really be focused on the high-level,
mission-critical operations and ensuring that those are adequately
secure as we move forward.
Mr. Cooper. If I may add one additional thought, and I
don't mean this to be as controversial as it may end up
sounding.
Mr. Putnam. Choose carefully. There are a lot of pens and
pads in the room.
Mr. Cooper. But, I mean, this in a constructive way.
Patch management is something that we have to do because of
what we're dealt. We have entered into conversations with this
particular company that none of us are naming and had some very
serious and candid conversations about, Look, realistically you
have to improve the quality of your product relating to
information security. It's that simple.
Karen is absolutely right. We have invested a significant
amount of time and energy and people's, you know, resources and
expertise and everything in configuration management, in patch
management. But I also argue that we could lessen the need for
that if we worked cooperatively and collaboratively with some
of our major vendors to produce quality product that doesn't
have quite so many vulnerabilities in it.
Mr. Putnam. Well said. And certainly the purchasing power
of the Federal Government would be a powerful incentive to
improve the quality of any particular vendor's given product.
As long as we are willing to buy products that are not to the
standard that they should be, people will continue to sell
those to us.
Both of you have been down in the trenches and have seen
the Federal Government's IT enterprises at the field level, and
you understand, certainly better than anyone on this
subcommittee without a doubt, the real-world cultural
differences.
As you have assumed these new major positions of
responsibility, what are your thoughts on ways to break down
those barriers and really have effective information sharing,
effective cross-agency coordination and cooperation?
Mr. Cooper. I think, from my perspective, one of the
biggest challenges is kind of--I guess it's communication,
meaning getting the right folks in one room at one time to have
the type of conversation that really then almost always enables
us to reach the type of collaborative decisions we need to
make. And I'm not sure that's anybody's fault.
Right now in the Department we have so much coming at us,
we're literally trying to change the tires on the car while
it's moving 70 miles an hour. We're still staffing, meaning
we're still trying to hire folks into some of our authorized
positions, things like that. So getting quality time with some
of the key people to address many of the challenges of
information sharing is difficult. I mean, it is a very real
challenge. It's not because anybody is trying to do the wrong
thing.
When we are able to do that, we're actually able to reach
consensus and move forward rather quickly. But doing that first
within the Department of Homeland Security, then doing it among
and between the Department and other Federal agencies, then
doing it with each of our stakeholders--it's a numbers game.
There are 56 States and territories. We have a State
homeland security coordinator in each of the 56 States and
territories. That one is easy, and we have regular
conversations with those folks a couple times a week. But if we
then try to reach out and collaborate around information
sharing with, for example, counties, there are 33,000 counties.
I don't know how to do it, I admit. I don't know how to get
exactly the right representation. How do we collectively pull
all these folks together?
There are 89,000 municipalities at the local level. Now
layer on top of that the five major sectors of the emergency
responder community or the first responder community. Our
struggle is, how do you get the right people together to have
the discussion.
Mr. Putnam. Well, you've done an outstanding job of laying
out the challenge, but I would just respond to that by saying
the primary purpose in your Department's creation was
information sharing. I mean, all the functions of the
Department of Homeland Security were already there, but it was
a breakdown in information sharing that allows bad guys to fly
in on airliners and allows bad guys to cross the border and
allows bad guys to smuggle bad things in the bottoms of ships.
So I view your role in the Department of Homeland Security as
being the most critical. That was the reason why I voted to
create it.
We are not going to save any money in the near future. We
hope to in the long run, but it's going to cost us more in the
short run to merge all this stuff together. It was the fact
that one file wasn't being transferred from one desktop to
another desktop. It was the fact that people in one border
guard station weren't talking to the one right next to them,
and they were wearing separate uniforms at the same time. It
was that information sharing, I think, that led the Congress to
make that leap. And so it's vitally important.
I know that both of you have other engagements and need to
leave very shortly, and I can't hold it against you since I was
an hour and a half late getting here myself. I will give you
the opportunity at this point in the meeting to express
whatever is on your mind, and you think is important to go in
the record and for the subcommittee to hear.
And as you embark on your 3rd day on the job, we'll give
you a few more moments to collect your thoughts and go with Mr.
Cooper first and let him respond, and then we'll go to you, Ms.
Evans.
Mr. Cooper. Thank you very much for the opportunity to join
you today. And I would welcome the opportunity to come back and
continue the dialog. I think that's very, very important.
The key message that I want to deliver is that, in a very
short period of time, we have developed our first release of an
enterprise architecture for the Department of Homeland
Security, and we are using it. So in spite of some of the
challenges and things I shared with you, we are really doing
real things on the ground.
We are making progress in the information sharing arena. We
have connected between States and local governments and that
type of thing that previously we had no connection. And we are
sharing information on a daily basis.
We need to expand that. We need to build upon it. We're not
where we all want to be, but there is very positive news and a
lot of it is linked to what we are learning and continuing to
learn, developing our enterprise architecture.
I also would like to thank some of the folks that have
joined me today and would like to introduce them by name to the
committee, because they really are the key people who have led
a significant amount of the effort that I've been just the
spokesperson for here this morning. Sitting behind me, George
Brundage, Charles Thomas, Amy Wheelock and two other
individuals who weren't able to join us, Katherine Santana and
Ron Williams, really form kind of the core team that guided a
whole host of other individuals too lengthy to name across the
Department and have achieved Release 1 of our enterprise
architecture.
Mr. Putnam. Thank you very much. And I do want to note that
DHS produced the first EA in 4 months.
Mr. Cooper. That's correct.
Mr. Putnam. And I don't think that can be overstated. It's
very impressive, and it's a testament to your hard work and
folks on your team, and a lot of the other departments can
derive some lessons from that accomplishment.
Ms. Evans.
Ms. Evans. I too would like to thank you for the
opportunity to be here today.
I would like to state that I will plan to continue the work
of my predecessor. I believe that he started many great things
here in the government to be able to move us forward to achieve
things and to really achieve value for the government and the
American citizen.
So I really would plan to drive toward the full utilization
of the President's E-Government Initiative and progressing the
work of the enterprise architectures within the agency, as well
as the Federal Enterprise Architecture through the work of the
CIO Council, and ensuring that the CIO Council remains a forum
for discussion and for agencies as we move forward; and then
continue to work to institutionalize the work he started within
the management processes that are available to us, and continue
to work with the subcommittee as we move forward, ensuring
things such as IT security, privacy, planning, implementation
and evaluation of all these IT investments for the agencies.
Mr. Putnam. Thank you very much. And I want to thank both
of you for your hard work and for your commitment to public
service. Obviously, you bring a tremendous expertise in
coordinating our IT blueprint toward eliminating those
stovepipes that we talked so much about, reducing redundancies
where it's appropriate and making systems more secure and maybe
even saving us a buck or two. It is a complicated issue that
will not be solved overnight, and I speak for the entire
subcommittee in saying you have our support in working through
this process.
I hope that you will not burn out and cash out but keep the
faith and keep plugging away because it's certainly an
important yet difficult task.
In the event that there are some questions from the
subcommittee that we were not able to get to, I would ask the
record remain open for 2 weeks for those submissions. And I
believe both of you have made notes on things that we have
discussed that we would like further clarification on from the
subcommittee.
Again, we wish you the best and thank you for your support.
And with that, the subcommittee will stand adjourned.
[Whereupon, at 12:15 p.m., the subcommittee was adjourned.]