TESTIMONY OF
Edwin Simcox
Chief Technology Officer and Acting Chief Information Officer
U.S. Department of Health and Human Services

Before the Subcommittees on Information Technology and Government Operations
Committee on Oversight and Government Reform
U.S. House of Representatives

December 12, 2018

Good Morning Chairman Hurd and Chairman Meadows, Ranking Members Kelly and Connolly, and Members of the Committee. Thank you for giving me the opportunity to discuss the Department of Health and Human Services’ (HHS) progress in meeting the objectives defined by the Federal Information Technology Acquisition Reform Act (FITARA). HHS testified in June 2017 about the status of FITARA implementation, and we appreciate the opportunity to return and share the transformative gains we’ve made with our effort in less than two years.

Advancing Agency Mission through improved IT Management

I currently serve as the Department’s Chief Technology Officer and Acting Department Chief Information Officer (CIO). I report directly to the Secretary of Health and Human Services. The synergy and partnership across HHS’s C-suite of senior policy officials – the Secretary, Deputy Secretary, Assistant Secretary for Administration, and the Assistant Secretary for Financial Resources ensures that HHS’s IT-related matters receive the appropriate attention and benefit from senior policy leadership direction and support. Furthermore, I collaborate with HHS’s Chief Financial Officer, Chief Human Capital Officer, Chief Acquisition Officer, and Operating Division CIOs to ensure that our fiscal year 2019 IT spend of approximately $6.1B is secure, well-managed, and supports HHS’s mission and business operations.

FITARA provides specific areas of priority focus for IT portfolio management, and as a result of the law HHS took steps to enhance the roles and responsibilities of the HHS CIO, increasing CIO visibility across the Department and ensuring that the CIO is an active participant and provides approval of IT spending during
the HHS IT budget process. At HHS, FITARA provides a foundation for cross-departmental engagement and fosters a governing framework through which we build common strategic direction for IT enablement of operations and mission results.

As noted in the House Oversight and Government Reform FITARA Scorecard 6.0 – HHS improved in four of the five FITARA 5.0 metrics – bringing those scores to an “A” rating. But it is the real and meaningful results that make HHS’s FITARA journey remarkable, as exemplified by HHS’s collaborative and data-driven approach, which delivered the Department’s first software inventory. Such results would not have been possible without Senior Policy Official leadership and support; collaboration across HHS’s CIO, CFO, and CAO communities; and partnerships with GAO, OMB, and Congressional staff.

Approach to Successful FITARA Implementation― Targeted Improvement Initiatives

Immediately after HHS testified before this Committee at the release of FITARA Scorecard 4.0 in June 2017, HHS paused to analytically review the FITARA legislation, assess our FITARA implementation plan, and identify opportunities to strengthen our approach to executing both the spirit and intent of the law. As the principal agency for protecting the health and well-being of all Americans, we know that the public counts on us to deliver essential health and human services, foster scientific advances, and support efforts to strengthen and modernize the Nation’s healthcare delivery system. Efficient and modern information technology is the foundation and catalyst for successful delivery of these mission-critical programs, and FITARA provides the governing and collaborative construct to ensure that we invest and manage our technology in the most effective and efficient manner possible.

HHS’s revitalized approach to FITARA implementation gave the entire Department the opportunity to use data to deliver meaningful results that improved HHS’s IT governance, management, and strategic investments. HHS galvanized
our internal CIO Community and Department-wide policy officials through a FITARA Scorecard initiative called “A by May,” publicly announced by the HHS Assistant Secretary for Administration (ASA) on August 23, 2017. The initiative elevated the importance of meeting FITARA objectives and paved the way for Agency-wide participation in improvement efforts.

HHS developed a methodology to execute the “A by May” initiative focused on the three core components of data, dialogue, and delivery (D3) to initiate real change. “A by May” and the “D3” approach were successful in that we engaged an audience to deliver measurable results. HHS’s D3 strategy incorporated tactical and strategic activities to ensure that the Department writ-large understood the importance of FITARA and the value it provides when fully implemented. Key HHS actions included:

Data – creating an internal FITARA scorecard; holding FITARA analytic discussions and road shows; developing an annual CIO Work Plan based on achievement of FITARA outcomes; embracing and refreshing our approach to transparency and risk management to acknowledge the inherent risk to mission critical projects; and targeting high-dollar investments with low risk ratings.

o Results achieved based on HHS’s data-driven activities include: HHS’s recognition of IT investment risk rose from 11% of investments in September 2017 to 40% in January 2018, representing $2.37 billion in IT investments with a moderate to high risk association. Acknowledgment of these inherent risks has positively impacted the Department’s FITARA Transparency and Risk score. By May 2018, HHS categorized 93% of its Major Investments as moderate or high risk and achieved an “A” for this element on the Scorecard 6.0.

Dialogue – HHS instituted bi-weekly and monthly communications with Operating Division CIOs to discuss FITARA requirements and to support actions to achieve those targets. HHS also established a monthly cadence of briefings with OMB, GAO, and the Assistant Secretary for
Administration to apprise these partners of our activities and progress. Finally, HHS ensured senior policy leadership’s awareness of FITARA activities through routine communication with the Deputy Secretary and his staff. A key component to these conversations focused on deepening HHS’s understanding of the letter and intent of the law. Through dialogue, HHS expanded understanding of FITARA such that it was no longer perceived as an “IT Law,” but rather a law designed to support mission and business operations through the effective use of technology.

o We identified, captured, and reported costs avoided or saved through use of shared services, commodity and consolidated IT acquisitions, adoption of the cloud, among other approaches.

o Delivering Real Change – Software Licensing

o In accordance with FITARA, the Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act of 2016, OMB memoranda M-16-12, and GAO Report 14-413, HHS developed its first foundational software license inventory, consisting of over 12,000 software entries representing over 4 million software licenses. In February of 2018, the Office of the CIO first collected and integrated automated data from the Continuous Diagnostics and Mitigation tool for a sample of HHS licenses. This foundational inventory is regularly updated through the quarterly Integrated Data Collection (IDC) and is used to support deliberations related to investments and opportunities for greater use of enterprise license agreements.

Modernizing Government Technology Legislation and IT Modernization

HHS fully supports the spirit and intent of the Modernizing Government Technology (MGT) provisions in the National Defense Authorization Act for Fiscal Year 2018 (P.L. 115-91) to improve HHS technology. We believe that HHS’s Nonrecurring Expenses Fund (NEF) provides HHS the ability to meet the goals of the MGT legislation's IT Working Capital Fund under current law. The Consolidated Appropriations Act, 2008 (Pub. L. 110-161) established
the NEF to enable HHS to use expired balances of discretionary appropriations for capital acquisitions needed by HHS programs, which HHS has used primarily for laboratory and research facilities, Indian Health Service health facilities, and information technology systems. IT work funded to date includes improving cybersecurity; modernizing systems for accounting, human resources, and contract writing; moving IT systems to the cloud; automating Medicare appeals processes; and establishing modern IT systems at the Centers for Medicare & Medicaid Services. The NEF provides HHS resources for making important system upgrades, modernizing IT infrastructure, and procuring capital for the acquisition of mission-critical information technology and facilities. HHS remains committed to the spirit and intent of the MGT legislation, and its Office of the Chief Information Officer (OCIO) and Office of the Chief Technology Officer (OCTO) are working collaboratively to develop a new process for prioritizing IT modernization projects for which OCIO/OCTO would recommend investment.

Federal Information Security Modernization― Cybersecurity Cross-Agency Priorities

HHS continues to work towards improving its cybersecurity metric as represented in the Scorecard. We have been focused on improving our overall cyber posture and to better understand the two separate components that constitute the score – one that reflects the Federal Information Security Modernization Act of 2014 (FISMA) Cross-Agency Priorities (CAP) data reported by HHS and its operating divisions, and the other derived from the HHS Office of Inspector General’s annual FISMA audit. While we understand the OIG data will remain static since the IG conducts assessments annually, we also realize the CAP metrics can change from quarter to quarter.

HHS has been and remains focused on ensuring that the Department complies with FISMA requirements and meets all expected cybersecurity metrics included in the Inspector General (IG) Annual Audit report and the
President’s Management Agenda Cybersecurity Cross-Agency Priorities (CAP). Under FISMA and the legislation which preceded it, we understand that all Federal agencies must implement and maintain a robust cybersecurity program. As a result, I take ownership in understanding that as CIO, I am responsible for ensuring that cybersecurity is addressed at HHS. I work closely with the HHS Chief Information Security Officer (CISO), who is responsible for developing and maintaining the Department’s information security and privacy program. Additionally, through a delegated authority, each HHS Operating Division CIO is responsible for establishing, implementing, and enforcing its division-wide framework to facilitate its information security program. These frameworks feed HHS overall compliance with FISMA initiatives, goals, and metrics.

While FISMA performance is difficult to trend year-over-year due to changing CAP goals and metrics, HHS continues to improve performance against FISMA metrics. HHS improved compliance against one of the three CAP goals which remained consistent year-over-year. These results demonstrate our commitment to key cybersecurity capabilities such as hardware asset management, mobile device management, protecting against data exfiltration, and protecting our high value assets. These efforts to manage risk may not be reflected in our current scoring. Furthermore, the Department also takes actions in response to audit findings. HHS and its operating divisions are embracing actions that seek to improve FISMA performance while increasing adherence to basic cyber hygiene practices to not only yield greater compliance with existing legislative requirements and reporting requirements, but also strengthen the foundation for a robust HHS-wide risk management-driven cybersecurity framework and greatly reduce our cybersecurity risk exposure across the enterprise.

While the Department continues to improve its information security program, opportunities remain to strengthen the overall program.
The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program continues to enable HHS to operationalize the goals of FISMA and gain near real-time understanding of not only our compliance with FISMA, but of the cybersecurity risks our enterprise faces on a daily basis. We are bolstering these CDM capabilities with other tools to more holistically identify and remediate risk, while also increasing cybersecurity training and awareness activities, which strengthen the cybersecurity skills of our security professionals while stressing that basic cyber hygiene is everyone’s responsibility across HHS.

Leveraging the “A by May” D3 (Data, Dialogue, and Delivery) framework, the HHS is pleased to introduce the “Monitor, Maintain, and Mature (M3)” initiative to continue to engage HHS Operating Divisions and Staff Divisions around strategies to optimize performance on the IT Scorecard 7.0 metrics, including CIO Reporting, Data Center Optimization, FISMA Compliance, and Cybersecurity Cross-Agency Priorities, while establishing focus areas for the next iteration of the OGR IT Scorecard 8.0. Specifically, we will continue to use our data to provide internal HHS FITARA dashboards; host monthly FITARA Meetings with HHS CIOs and CISOs; maintain collaborative dialogue with GAO and both IT and Cybersecurity counterparts at OMB. We also plan to continue actionable discussion through M3-centered meetings and open dialogue to provide the necessary data and materials around the OGR Biannual IT Scorecard 7.0.

Conclusion

HHS is committed to achieving the goals set by FITARA and modernizing the Department’s IT systems, infrastructure, and processes. Using this framework for sustainable transformation, HHS will work towards creating an ecosystem based on collaboration where IT is viewed as both a resource and essential driver for achieving mission-critical objectives. The Department is confident we can leverage the enormous purchasing power of HHS and the Federal Government and expand upon
existing shared services to obtain the best price on best-in-class IT acquisitions. This approach is designed to be both operationally effective and cost efficient in order to best serve HHS beneficiaries and the American taxpayers.

While HHS continues to make significant strides in fully achieving all goals defined under FITARA, the Department recognizes that a sustainable approach requires a more complex path forward. HHS embraces the work and challenges that lie ahead. We look forward to continued collaboration with OMB, GAO, and the House Subcommittees on Information Technology and Government Operations to improve HHS’s FITARA performance.

Ed Simcox is the Chief Technology Officer (CTO) and Acting Chief Information Officer at the U.S. Department of Health and Human Services (HHS). As the CTO and Acting CIO at HHS, Ed provides leadership and direction to ensure that HHS effectively leverages data, technology, and innovation to improve the lives of the American people and the performance of the operating divisions across the Department.

Simcox has been working at the intersection of healthcare and technology for 18 years. Prior to joining HHS, Simcox served as the Healthcare Practice Leader at Logicalis, an international IT service provider and consultancy with over 300 healthcare clients in the United States. In this role, Simcox led the strategy, solution development, and consulting for the U.S. healthcare sector. He engaged with healthcare providers across the US in a consulting capacity and advocated for the liberation of healthcare data and telehealth adoption.

Prior to joining Logicalis, Ed was director of U.S. healthcare strategy, partnerships, and product development for AT&T. Ed’s portfolio included emerging technologies and products supporting mHealth, telehealth, and health information exchange.

Before joining AT&T, Ed held multiple leadership roles at Indiana University Health, a large U.S. healthcare system with 19 hospitals, 50 physician groups, and annual revenue of over $6 billion.
Simcox served as the Chief Technology Officer and, prior to that, the Director of Business Innovations, an internal innovation incubator and design lab. Simcox was awarded ComputerWorld's Laureate medal for leading a project that achieved $5 million in savings through the design and implementation of innovative IT solutions in the inpatient healthcare setting. During Simcox’s time as CTO, Indiana University Health received Hospitals and Health Networks' Most Wired Hospital award, based in part on his team’s work with emerging technologies.

Sheila O. Conley

Ms. Conley serves as HHS’s Deputy Assistant Secretary for Finance and Deputy Chief Financial Officer. She is responsible for leading the Department’s financial accountability and stewardship efforts, including the preparation and audit of HHS’ annual financial statements, modernizing the financial management systems portfolio, strengthening internal controls, and reducing improper payments in our largest programs. She also leads the Department’s Enterprise Risk Management (ERM) program.

Before joining HHS in 2006, Ms. Conley served as the Managing Director for Financial Policy Reporting and Analysis at the U.S. Department of State from 2003 to 2006. She held positions of increasing responsibility at the Office of Management and Budget (OMB) between 1992 and 2003, where she was charged principally with leading government-wide implementation of the CFOs Act of 1990. Ms. Conley was a senior manager with an international public accounting firm before entering Federal service, where she provided audit and financial management services for over 10 years to a wide range of clients.

She has received many awards throughout her career, including the Presidential Rank Award and HHS Distinguished Service Award. Ms. Conley is a certified public accountant in the District of Columbia, Fellow of the National Academy of Public Administration, and member of several professional associations. She obtained a bachelor’s of business administration degree, summa cum
laude, from James Madison University. She is married and has three sons.