S3306-119

2. Realigning use of funds with original congressional intent Section 1078 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 40 U.S.C. 11301 note) is amended— in subsection (b)— by amending paragraph (3) to read as follows: The Administrator shall, in accordance with recommendations from the Board, use amounts in the Fund for the following: To transfer such amounts, to remain available until expended, to the head of an agency for the acquisition, procurement, and operation of information technology, or the development of information technology when more efficient and cost effective, to— modernize, retire, or replace legacy information technology systems used by the agency; enhance cybersecurity and privacy at the agency; improve long-term efficiency and effectiveness of agency information technology; or improve the ability of the agency to perform the mission of the agency and deliver services to the public. To provide services or work performed in support of— the activities described in clause (i); and the Board and the Director in carrying out the responsibilities described in subsection (c)(2). To fund only programs, projects, or activities, or to fund increases for any programs, projects, or activities that have not been denied or restricted by Congress. To transfer such amounts only for programs, projects, or activities that will be reimbursed to the Fund to the extent necessary to ensure total amounts in the Fund are no less than the amounts needed to keep the Fund operational until the Fund sunsets pursuant to subsection (g)(1). The Administrator shall, upon receiving a recommendation from the Board under subsection (c)(2)(F), suspend or terminate funding for any project with respect to which the head of an agency provided fraudulent or misleading statements about such project (including fraudulent statements about technical design, the business case, or program management with respect to the project) in the application or proposal for amounts from the Fund for such project. in paragraph (5)— in subparagraph (A)— in clause (i)— by striking or (B); and by striking (3)(C) and inserting (3)(A)(ii); and in clause (ii), by striking , consistent with any applicable reprogramming law or guidelines of the Committees on Appropriations of the Senate and the House of Representatives; and in subparagraph (B)(i)— by striking paragraph (3)(C) and inserting paragraph (3)(A)(ii); and by striking the solvency of the Fund, including operating expenses and inserting the following: total amounts in the Fund are no less than the amounts needed to keep the Fund operational until the Fund sunsets pursuant to subsection (g)(1); in paragraph (6)— in subparagraph (A)— in the matter before clause (i), by striking subparagraphs (A) and (B) of paragraph (3) and inserting the following: paragraph (3)(A)(i); in clause (i), by striking ; and and inserting a semicolon; by redesignating clause (ii) as clause (iv); and by inserting after clause (i) the following new clauses: which shall include terms of repayment that require the head of the agency to reimburse the Fund for funds transferred under paragraph (3)(A)(i) at a level that ensures total amounts in the Fund are no less than the amounts needed to keep the Fund operational until the Fund sunsets pursuant to subsection (g)(1); which shall include terms of repayment that require the head of the agency to fully reimburse the Fund for any services or work provided under paragraph (3)(A)(ii) in direct support of the project; and in subparagraph (B)— by striking clause (i) and inserting the following: for any funds transferred to an agency under paragraph (3)(A)(i), in the absence of compelling circumstances documented by the Administrator at the time of transfer, that such funds shall be transferred only— on an incremental basis, tied to metric-based development milestones achieved by the agency through the use of rapid, iterative, development processes; and after the head of the agency has provided the Director any information the Director is required to report pursuant to paragraph (7)(A)(i); and in clause (ii)— by striking subparagraphs (A) and (B) of paragraph (3) and inserting paragraph (3)(A)(i); and by striking paragraph (6) and inserting this paragraph; and by inserting at the end the following: Not later than 10 days after receiving a request from the Committee on Homeland Security and Governmental Affairs of the Senate or the Committee on Oversight and Government Reform of the House of Representatives for a copy of a written agreement entered into under subparagraph (A), the Director shall provide such Committee with a copy of such written agreement. in paragraph (7)(B)— in the matter preceding clause (i), by striking every 2 years thereafter and inserting every 2 years thereafter until the Board terminates pursuant to subsection (g)(3); in clause (i)— by striking establishing; and by striking the cost savings associated with the projects funded both annually and over the life of the acquired products and services by the Fund; and inserting the amount repaid to the Fund in accordance with the terms established in the written agreements described in paragraph (6);; in clause (ii)— by striking reliability of the cost savings and inserting total cost savings; and by striking the semicolon and inserting ; and; in clause (iii), by striking ; and and inserting a period; and by striking clause (iv); in subsection (c)(2)— in subparagraph (A)— in clause (ii), by striking the greatest Governmentwide impact; and and inserting the following: the greatest impact on modernizing, retiring, or replacing Federal legacy information technology systems; and; by redesignating clauses (i) through (iii) as clauses (ii) through (iv), respectively; and by inserting before clause (ii), as so redesignated, the following new clause: the ability for the head of the agency to ensure repayment of funds transferred from the Fund to the head of the agency, in accordance with subsection (b); in subparagraph (D), by striking to improve or replace multiple information technology systems and inserting the following: to modernize, retire, or replace legacy information technology systems under subsection (b)(3)(A)(i); in subparagraph (F), by inserting after subsection (b)(6) the following: or the identification of fraudulent or misleading statements about the project (including fraudulent statements about technical design, the business case, or program management with respect to the project) in the application or proposal for amounts from the Fund for the project; and in subparagraph (G), by inserting after operating costs of the Fund the following: to ensure total amounts in the Fund are no less than the amounts needed to keep the Fund operational until the Fund sunsets pursuant to subsection (g)(1); in subsection (d)(2)— in subparagraph (A), by striking subsection (b)(3)(A) and for products, services, and acquisition vehicles funded under subsection (b)(3)(B) and inserting subsection (b)(3); in subparagraph (B), by striking the period at the end and inserting a semicolon; and in subparagraph (C), by inserting after and reduce waste the following: and ensure total amounts in the Fund are no less than the amounts needed to keep the Fund operational until the Fund sunsets pursuant to subsection (g)(1); by redesignating subsections (e) and (f) as subsections (f) and (g), respectively; by inserting after subsection (d) the following new subsection: An agency Chief Information Officer, in coordination with stakeholders and other agency officials, shall provide to the Federal Chief Information Officer in accordance with the guidance issued under paragraph (3)— not later than 180 days after the Director issues the guidance under such paragraph, a list of high-risk legacy information technology systems used, operated, or maintained by the agency; and within 1 year after the first year in which the list is provided under subparagraph (A), and annually thereafter, any updates to such list. The Federal Chief Information Officer shall— not later than 90 days after the date on which the Federal Chief Information Officer receives the list required by paragraph (1)(A) from each agency Chief Information Officer, compile, on the basis of each such list, a list of 10 legacy information technology systems that present the greatest security, privacy, and operational risks to the Federal Government; and not later than 90 days after the date on which the Federal Chief Information Officer receives updates under paragraph (1)(B) from at least one agency Chief Information Officer, update, as necessary, the list required by subparagraph (A) on the basis of each update to the list provided by agency Chief information Officers under paragraph (1)(B). Not later than 14 days after the date on which the Federal Chief Information Officer compiles the list required by subparagraph (A), or updates such list, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Government Reform of the House of Representatives, and the Comptroller General of the United States, a report (which may include a classified annex) containing— such list (including any update made to such list under subparagraph (A)(ii)); and each list provided by an agency Chief Information Officer under paragraph (1)(A) (including any update made to any such list under paragraph (1)(B) and any information included on the list pursuant to paragraph (3)(A)(ii)). Not later than 180 days after the date of enactment of the Modernizing Government Technology Reform Act, the Director shall issue guidance on implementing the requirements of this subsection that shall, at a minimum— prescribe an appropriate format for the list to be provided under paragraph (1)(A); prescribe any additional information to be included on such list; provide guidance on how an agency Chief Information Officer should identify high-risk legacy information technology systems that, at least, requires agency Chief Information Officers, in coordination with other agency stakeholders, to identify as a high-risk legacy information technology system any outdated or obsolete system of information technology that is critical to the agency such that the loss or degradation of the system would create a security, operational, or privacy risk to the agency or would otherwise impact the ability of the agency to perform the mission of the agency, effectively deliver programs, or conduct business; and provide guidance on how existing reporting structures can be used to submit the list under paragraph (1)(A). The Director may update the guidance issued under subparagraph (A) as the Director determines necessary. This subsection shall cease to have effect on the date that the Fund sunsets pursuant to subsection (g)(1). In this subsection: The term agency Chief Information Officer means a Chief Information Officer designated under section 3506(a)(2) of title 44, United States Code. The term Federal Chief Information Officer means the Administrator of the Office of Electronic Government. in subsection (g)(1), as so redesignated, by striking On and after the date that is 2 years after the date on which the Comptroller General of the United States issues the third report required under subsection (b)(7)(B), and inserting After December 31, 2032,. (3)Use of funds(A)In generalThe Administrator shall, in accordance with recommendations from the Board, use amounts in the Fund for the following:(i)To transfer such amounts, to remain available until expended, to the head of an agency for the acquisition, procurement, and operation of information technology, or the development of information technology when more efficient and cost effective, to—(I)modernize, retire, or replace legacy information technology systems used by the agency;(II)enhance cybersecurity and privacy at the agency;(III)improve long-term efficiency and effectiveness of agency information technology; or(IV)improve the ability of the agency to perform the mission of the agency and deliver services to the public. (ii)To provide services or work performed in support of—(I)the activities described in clause (i); and(II)the Board and the Director in carrying out the responsibilities described in subsection (c)(2). (iii)To fund only programs, projects, or activities, or to fund increases for any programs, projects, or activities that have not been denied or restricted by Congress.(iv)To transfer such amounts only for programs, projects, or activities that will be reimbursed to the Fund to the extent necessary to ensure total amounts in the Fund are no less than the amounts needed to keep the Fund operational until the Fund sunsets pursuant to subsection (g)(1). (B)Termination or suspension of fundsThe Administrator shall, upon receiving a recommendation from the Board under subsection (c)(2)(F), suspend or terminate funding for any project with respect to which the head of an agency provided fraudulent or misleading statements about such project (including fraudulent statements about technical design, the business case, or program management with respect to the project) in the application or proposal for amounts from the Fund for such project. ; (ii)which shall include terms of repayment that require the head of the agency to reimburse the Fund for funds transferred under paragraph (3)(A)(i) at a level that ensures total amounts in the Fund are no less than the amounts needed to keep the Fund operational until the Fund sunsets pursuant to subsection (g)(1);(iii)which shall include terms of repayment that require the head of the agency to fully reimburse the Fund for any services or work provided under paragraph (3)(A)(ii) in direct support of the project; and; (i)for any funds transferred to an agency under paragraph (3)(A)(i), in the absence of compelling circumstances documented by the Administrator at the time of transfer, that such funds shall be transferred only—(I)on an incremental basis, tied to metric-based development milestones achieved by the agency through the use of rapid, iterative, development processes; and(II)after the head of the agency has provided the Director any information the Director is required to report pursuant to paragraph (7)(A)(i); and; and (C)Congressional requests for copy of written agreementNot later than 10 days after receiving a request from the Committee on Homeland Security and Governmental Affairs of the Senate or the Committee on Oversight and Government Reform of the House of Representatives for a copy of a written agreement entered into under subparagraph (A), the Director shall provide such Committee with a copy of such written agreement.; and (i)the ability for the head of the agency to ensure repayment of funds transferred from the Fund to the head of the agency, in accordance with subsection (b);; (e)Responsibilities of the Federal Chief Information Officer; agency Chief Information Officers(1)Agency inventoryAn agency Chief Information Officer, in coordination with stakeholders and other agency officials, shall provide to the Federal Chief Information Officer in accordance with the guidance issued under paragraph (3)—(A)not later than 180 days after the Director issues the guidance under such paragraph, a list of high-risk legacy information technology systems used, operated, or maintained by the agency; and(B)within 1 year after the first year in which the list is provided under subparagraph (A), and annually thereafter, any updates to such list.(2)Prioritization List(A)RequirementThe Federal Chief Information Officer shall—(i)not later than 90 days after the date on which the Federal Chief Information Officer receives the list required by paragraph (1)(A) from each agency Chief Information Officer, compile, on the basis of each such list, a list of 10 legacy information technology systems that present the greatest security, privacy, and operational risks to the Federal Government; and(ii)not later than 90 days after the date on which the Federal Chief Information Officer receives updates under paragraph (1)(B) from at least one agency Chief Information Officer, update, as necessary, the list required by subparagraph (A) on the basis of each update to the list provided by agency Chief information Officers under paragraph (1)(B).(B)Report to CongressNot later than 14 days after the date on which the Federal Chief Information Officer compiles the list required by subparagraph (A), or updates such list, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Government Reform of the House of Representatives, and the Comptroller General of the United States, a report (which may include a classified annex) containing—(i)such list (including any update made to such list under subparagraph (A)(ii)); and(ii)each list provided by an agency Chief Information Officer under paragraph (1)(A) (including any update made to any such list under paragraph (1)(B) and any information included on the list pursuant to paragraph (3)(A)(ii)).(3)Guidance(A)In generalNot later than 180 days after the date of enactment of the Modernizing Government Technology Reform Act, the Director shall issue guidance on implementing the requirements of this subsection that shall, at a minimum—(i)prescribe an appropriate format for the list to be provided under paragraph (1)(A);(ii)prescribe any additional information to be included on such list;(iii)provide guidance on how an agency Chief Information Officer should identify high-risk legacy information technology systems that, at least, requires agency Chief Information Officers, in coordination with other agency stakeholders, to identify as a high-risk legacy information technology system any outdated or obsolete system of information technology that is critical to the agency such that the loss or degradation of the system would create a security, operational, or privacy risk to the agency or would otherwise impact the ability of the agency to perform the mission of the agency, effectively deliver programs, or conduct business; and(iv)provide guidance on how existing reporting structures can be used to submit the list under paragraph (1)(A).(B)UpdatesThe Director may update the guidance issued under subparagraph (A) as the Director determines necessary.(4)SunsetThis subsection shall cease to have effect on the date that the Fund sunsets pursuant to subsection (g)(1).(5)DefinitionsIn this subsection:(A)Agency Chief Information OfficerThe term agency Chief Information Officer means a Chief Information Officer designated under section 3506(a)(2) of title 44, United States Code.(B)Federal chief information officerThe term Federal Chief Information Officer means the Administrator of the Office of Electronic Government.; and