Agency compliance with the Federal Information Technology Acquisition Reform Act (FITARA)

Introduction

Chairman Connolly, Ranking Member Hice, members of the Subcommittee on Government Operations, thank you for inviting me to testify today. I am grateful for the Committee’s support of the United States Agency for International Development (USAID) in information technology reform, and I am pleased to have this opportunity to discuss our progress in complying with the standards set out in the Federal Information Technology Acquisition Reform Act (FITARA).

A Year Like No Other

No one could have imagined the COVID-19 global pandemic would have altered life as we’ve known it since early 2020. The need to change how we work, how we live, and how we interact with each other seemed to shift at warp speed. For USAID and its people, responding to these global health crises is at the core of our mission, and we have a long-standing history of dealing with emerging threats in global health security, such as Ebola and now COVID-19.

In November, USAID will celebrate 60 years as the primary government agency responsible for administering aid to foreign countries to promote social and economic development. USAID’s global health programs have saved lives, protected people most vulnerable to disease, and promoted the stability of communities and nations, while advancing American security and prosperity. And as the lead Federal coordinator for international disaster assistance, USAID has a longstanding history of harnessing the expertise and unique capacities of other U.S. government entities to respond to natural disasters and complex crises around the world.

USAID’s global information technology infrastructure plays a critical role in enabling and enhancing every aspect of the Agency’s mission. Our 12,000+ people work in more than 100 countries, often under the most difficult circumstances where communication capabilities are severely limited. They depend on our IT infrastructure to successfully perform our critical work. Because of this, we are an organization that relies on agile, mobile information technology solutions and data to inform our decisions about where to target resources to maximize the impact of our development efforts.

Early IT Modernization Enables USAID to Shift to Telework Worldwide

Now, more than ever, reliable, secure, and effective information technology systems are essential to USAID achieving its mission. As a global organization that works in some of the most challenging locations around the world, and given the global business demands of how USAID delivers U.S. foreign assistance on the ground, our Agency’s overseas staff have been heavily reliant on modern and mobile IT solutions, even prior to the COVID-19 pandemic.

USAID’s early cloud migration activities were aligned with OMB’s 25 Point Implementation Plan to Reform Federal Information Technology Management, which was released in 2010 and designed to improve the Federal Government's acquisition and use of information technology assets. One point of the plan, the "Cloud First" policy, required each agency to quickly move at least three applications to cloud-based services, and USAID was a leader in meeting this mandate.

The move to a cloud-based email messaging and collaboration platform significantly and quickly improved USAID mission delivery. It provided: a mobile, on-demand messaging platform that is able to meet the needs of USAID’s global workforce; improved cost efficiency; enhanced cybersecurity; and provided overall functional and operational improvements to our IT environment. Additionally, unlimited email storage and the ability to access the same service from any USAID-approved location solved two big business challenges and enabled the Agency to improve in the key area of mobility. As early adopters, our staff within the CIO’s office, as well as leadership and staff across the Agency, are accustomed to working in a cloud environment and leveraging the cloud to underpin our communication, security, data, and development platforms. Today, USAID is 100% cloud enabled, with no legacy systems.

These early modernization investments served USAID well when the Agency formally transitioned its entire workforce to maximum telework in March 2020. The COVID-19 pandemic required our staff to use more of our mobile and collaborative IT solutions to move to full-time telework, which highlighted how crucial IT is to our Agency. Overseas, we partnered with our Missions to provide flexible IT solutions where telework was not practical or a regular work modality, leveraging connectivity options such as a Virtual Desktop Infrastructure, a cloud productivity suite of mail and collaboration tools, and mobile and cloud strategies to keep USAID’s work moving forward.

Overall, USAID had great success in quickly transitioning to remote work domestically and overseas; saw minimal impact on connectivity and access; and the Agency’s IT support infrastructure has performed above expectations even as nearly four times the amount of staff overseas telework on a given day compared to pre-COVID-19 levels. We see evidence of our success reflected in our customer satisfaction scores, which have increased significantly over the past year. And we credit this to our early modernization activities and the hard work and dedication of our forward-leaning team.

Impact of the FITARA Scorecard and Looking Ahead

Given all that has transpired this past year, I think about where USAID was 10+ years ago, where we are today, and what helped us get here. USAID has come a long way since its initial “D” rating on the first FITARA Scorecard, and more work remains to be done. Although our journey to the cloud began before FITARA and the Scorecards, the impact and benefits we have realized by its creation and evolution have significantly aided our journey.

FITARA was ground-breaking legislation in many ways, not the least of which was elevating the CIO position within the government, and providing the “teeth” CIOs needed to have visibility and approval for all IT investments across their agency. FITARA has served as the cornerstone for establishing, measuring, and helping to advance critical IT programs for CIOs across the government. For USAID, the legislation has underpinned our success in aligning the people, processes, and technology needed to balance innovation with compliance, mission needs, costs, and evolving threats. It has also provided an opportunity to have a collaborative dialogue with OMB, GAO, the Committee and Congress, working together to improve how agencies implement FITARA.

USAID is proud to be the only Agency to receive four overall “A” ratings on FITARA Scorecards (January 2017, November 2017, December 2019, and July 2020). Nonetheless, there is still work ahead for our Agency as we continue to advocate for the necessary budget transfer authority for an IT Working Capital Fund, implement a myriad of new cybersecurity requirements, navigate the internal intricacies in the Agency’s CIO reporting relationship to continue to elevate the role of the CIO, and begin to implement supply chain requirements more broadly across the Agency.

New World, New Challenges

Although agencies will continue to face significant IT challenges and risks, the past year has shown the true benefits of a modernized, agile, innovative IT organization, particularly during a global crisis. Aside from the technology challenges of moving thousands of employees to full-time telework overnight, the pandemic also ushered in a new, more sophisticated wave of cyber warfare.

As was most recently evidenced in the “Sunburst” cyber-espionage campaign that resulted in the SolarWinds Orion and Microsoft Exchange breaches, the threats our adversaries attempt are growing more pervasive, sophisticated, and damaging to both governments and private sector organizations. As these threats become more advanced, the need for the Federal government to further enhance its cybersecurity posture and better understand the various supply chains continues to grow.

More than ever, software flaws are being exploited by sophisticated hackers who take these vulnerabilities and use them to create attacks that compromise the computer systems of thousands of organizations, all at once.

Make no mistake - because of what we do and where we do it, USAID is a prime cyber target. USAID fights to keep up with the threats presented by cyber attacks and Nation State actors’ persistent and sophisticated approaches to breach the countermeasures we have in place. USAID is the first Federal agency to successfully stand up a Continuous Diagnostics & Mitigation (CDM) Dashboard Ecosystem and ingest a representative data set of Agency IT assets. CDM is just one element of our approach to risk mitigation. We continue to implement and mature our vulnerability management program, asset endpoint protections, identity access management, and zero trust, along with our compliance with several OMB and DHS directives aimed at improving the identification, management, and remediation of risk.

USAID is not solely focused on a defensive posture. In 2013, years before the passage of the Foundations for Evidence-Based Policymaking Act, we proactively established data governance bodies, which now cover the entire data lifecycle, addressing complex challenges related to data sharing, protection, and licensing for re-use. Over the past year, USAID expanded its efforts to leverage state-of-the-art technologies to help the Agency realize the full potential within its many data sources. For example, the Development Data Commons (DDC) provides an easy-to-access and comprehensive way for our staff to access data and analytics. The DDC breaks down data silos and applies advanced Artificial Intelligence (AI) and machine-learning tools to complex, heterogeneous data to shed new insight into our mission-driven challenges. We also have an AI pilot project that uses machine learning to identify security-related anomalies from firewall threats and traffic logs. These projects and many others demonstrate the significant investment USAID is making in innovative tools and platforms that will continue to help secure our networks and data globally, and help us keep pace with the Agency’s ever-changing technology and information needs.

“The only source of knowledge is experience.” – Albert Einstein

I am both humbled and honored when asked my thoughts on being one of the longest-tenured CIOs in the government. Throughout my career over the past 27 plus years, I seized every opportunity to learn, to gain experience in areas ranging from IT operations, enterprise architecture, telecommunications, project management, and information security. I wanted the knowledge -- and experience -- to excel when every opportunity presented itself.

Experience has shown me that the most impactful CIOs are those with a technical background who can embrace and lead change. They can harness the speed and advancements of IT innovation, and translate them into a business strategy with clear objectives and priorities. The longer a CIO is in the position, the more time they have to create a vision, and then develop and deliver IT strategies and systems that support that vision and the goals of the organization.

Most importantly, as a CIO I maintain a focus on hiring and retaining a highly qualified and dedicated workforce with the knowledge and drive to support the critical work of USAID in reducing the reach of conflict, preventing the spread of pandemic disease, and counteracting the drivers of violence, instability, transnational crime and other security threats around the world.

Conclusion

USAID looks forward to the continued benefit the Scorecard and its measurements provide to Federal CIOs and the clearly defined priorities that help agencies deliver mission outcomes, provide excellent service, and effectively steward taxpayer dollars on behalf of the American people.

I would like to thank Members of Congress, and members of this Subcommittee in particular, for your continued leadership, interest in, and support for our work. USAID looks forward to collaborating with you to address future challenges and new opportunities for reform. Thank you for your time, I welcome your questions.