United States Congress, NDAA 2018 Sec. 1091-1094 , September 18 2017. Unclassified.

590

1 whole or in part) by the Government of the Russian 2 Federation. 3 (c) RULE OF CONSTRUCTION.—Nothing in this section 4 may be construed as applying to the editorial use by a local 5 commercial television station, qualified noncommercial edu- 6 cational television station, or television broadcast station 7 of programming that is owned, controlled, or financed (in 8 whole or in part) by the Government of the Russian Federa- 9 tion. 10 Subtitle H—Modernizing 11 Government Technology 12 SEC. 1091. SHORT TITLE. 13 This subtitle may be cited as the “Modernizing Gov- 14 ernment Technology Act of 2017” or the “MGT Act”. 15 SEC. 1092. DEFINITIONS. 16 In this subtitle: 17 (1) ADMINISTRATOR.—The term “Adminis- 18 trator” means the Administrator of General Services. 19 (2) BOARD.—The term “Board” means the Tech- 20 nology Modernization Board established under section 21 1094(c)(1). 22 (3) CLOUD COMPUTING.—The term “cloud com- 23 puting” has the meaning given the term by the Na- 24 tional Institute of Standards and Technology in

†HR 2810 PAP

591 1 NIST Special Publication 800–145 and any amend- 2 atory or superseding document thereto. 3 (4) DIRECTOR.—The term “Director” means the 4 Director of the Office of Management and Budget. 5 (5) FUND.—The term “Fund” means the Tech- 6 nology Modernization Fund established under section 7 1094(b)(1). 8 (6) INFORMATION TECHNOLOGY.—The term “in- 9 formation technology” has the meaning given the term 10 in section 3502 of title 44, United States Code. 11 (7) IT WORKING CAPITAL FUND.—The term “IT 12 working capital fund” means an information tech- 13 nology system modernization and working capital 14 fund established under section 1093(b)(1). 15 (8) LEGACY INFORMATION TECHNOLOGY SYS- 16 TEM.—The term “legacy information technology sys- 17 tem” means an outdated or obsolete system of infor- 18 mation technology. 19 SEC. 1093. ESTABLISHMENT OF AGENCY INFORMATION 20 TECHNOLOGY SYSTEMS MODERNIZATION 21 AND WORKING CAPITAL FUNDS. 22 (a) DEFINITION.—In this section, the term “covered 23 agency” means each agency listed in section 901(b) of title 24 31, United States Code.

† HR 2810 PAP

592 1 (b) INFORMATION TECHNOLOGY SYSTEM MODERNIZA- 2 TION AND WORKING CAPITAL FUNDS.— 3 (1) ESTABLISHMENT.—The head of a covered 4 agency may establish within the covered agency an 5 information technology system modernization and 6 working capital fund for necessary expenses described 7 in paragraph (3). 8 (2) SOURCE OF FUNDS.—The following amounts 9 may be deposited into an IT working capital fund: 10 (A) Reprogramming and transfer of funds 11 made available in appropriations Acts enacted 12 after the date of enactment of this Act, including 13 the transfer of any funds for the operation and 14 maintenance of legacy information technology 15 systems, in compliance with any applicable re- 16 programming law or guidelines of the Commit- 17 tees on Appropriations of the Senate and the 18 House of Representatives or transfer authority 19 specifically provided in appropriations law. 20 (B) Amounts made available to the IT 21 working capital fund through discretionary ap- 22 propriations made available after the date of en- 23 actment of this Act.

† HR 2810 PAP

593 (3) USE OF FUNDS.—An IT working capital fund established under paragraph (1) may only be used— (A) to improve, retire, or replace existing information technology systems in the covered agency to enhance cybersecurity and to improve efficiency and effectiveness across the life of a given workload, procured using full and open competition among all commercial items to the greatest extent practicable; (B) to transition legacy information technology systems at the covered agency to commercial cloud computing and other innovative commercial platforms and technologies, including those serving more than 1 covered agency with common requirements; (C) to assist and support covered agency efforts to provide adequate, risk-based, and cost-effective information technology capabilities that address evolving threats to information security; (D) to reimburse funds transferred to the covered agency from the Fund with the approval of the Chief Information Officer, in consultation with the Chief Financial Officer, of the covered agency; and † HR 2810 PAP

594 1 (E) for a program, project, or activity or to 2 increase funds for any program, project, or ac- 3 tivity that has not been denied or restricted by 4 Congress. 5 (4) EXISTING FUNDS.—An IT working capital 6 fund may not be used to supplant funds provided for 7 the operation and maintenance of any system within 8 an appropriation for the covered agency at the time 9 of establishment of the IT working capital fund. 10 (5) PRIORITIZATION OF FUNDS.—The head of 11 each covered agency— 12 (A) shall prioritize funds within the IT 13 working capital fund of the covered agency to be 14 used initially for cost savings activities approved 15 by the Chief Information Officer of the covered 16 agency; and 17 (B) may reprogram and transfer any 18 amounts saved as a direct result of the cost sav- 19 ings activities approved under clause (i) for de- 20 posit into the IT working capital fund of the cov- 21 ered agency, consistent with paragraph (2)(A). 22 (6) AVAILABILITY OF FUNDS.— 23 (A) IN GENERAL.—Any funds deposited into 24 an IT working capital fund shall be available for 25 obligation for the 3-year period beginning on the † HR 2810 PAP

595 1 last day of the fiscal year in which the funds 2 were deposited. 3 (B) TRANSFER OF UNOBLIGATED 4 AMOUNTS.—Any amounts in an IT working cap- 5 ital fund that are unobligated at the end of the 6 3-year period described in subparagraph (A) 7 shall be transferred to the general fund of the 8 Treasury. 9 (7) AGENCY CIO RESPONSIBILITIES.—In evalu- 10 ating projects to be funded by the IT working capital 11 fund of a covered agency, the Chief Information Offi- 12 cer of the covered agency shall consider, to the extent 13 applicable, guidance issued under section 1094(b)(1) 14 to evaluate applications for funding from the Fund 15 that include factors including a strong business case, 16 technical design, consideration of commercial off-the- 17 shelf products and services, procurement strategy (in- 18 cluding adequate use of rapid, iterative software de- 19 velopment practices), and program management. 20 (c) REPORTING REQUIREMENT.— 21 (1) IN GENERAL.—Not later than 1 year after 22 the date of enactment of this Act, and every 6 months 23 thereafter, the head of each covered agency shall sub- 24 mit to the Director, with respect to the IT working 25 capital fund of the covered agency—

† HR 2810 PAP

596 (A) a list of each information technology investment funded, including the estimated cost and completion date for each investment; and (B) a summary by fiscal year of obligations, expenditures, and unused balances. (2) PUBLIC AVAILABILITY.—The Director shall make the information submitted under paragraph (1) publicly available on a website. SEC. 1094. ESTABLISHMENT OF TECHNOLOGY MODERNIZATION FUND AND BOARD. (a) DEFINITION.—In this section, the term “agency” has the meaning given the term in section 551 of title 5, United States Code. (b) TECHNOLOGY MODERNIZATION FUND.— (1) ESTABLISHMENT.—There is established in the Treasury a Technology Modernization Fund for technology-related activities, to improve information technology, to enhance cybersecurity across the Federal Government, and to be administered in accordance with guidance issued by the Director. (2) ADMINISTRATION OF FUND.—The Administrator, in consultation with the Chief Information Officers Council and with the approval of the Director, shall administer the Fund in accordance with this subsection. † HR 2810 PAP

597 1 (3) USE OF FUNDS.—The Administrator shall, 2 in accordance with recommendations from the Board, 3 use amounts in the Fund— 4 (A) to transfer such amounts, to remain 5 available until expended, to the head of an agen- 6 cy for the acquisition of products and services, or 7 the development of such products and services 8 when more efficient and cost effective, to im- 9 prove, retire, or replace existing Federal infor- 10 mation technology systems to enhance cybersecu- 11 rity and privacy and improve long-term effi- 12 ciency and effectiveness; 13 (B) to transfer such amounts, to remain 14 available until expended, to the head of an agen- 15 cy for the operation and procurement of infor- 16 mation technology products and services, or the 17 development of such products and services when 18 more efficient and cost effective, and acquisition 19 vehicles for use by agencies to improve Govern- 20 mentwide efficiency and cybersecurity in accord- 21 ance with the requirements of the agencies; 22 (C) to provide services or work performed in 23 support of— 24 (i) the activities described in subpara- 25 graph (A) or (B); and

† HR 2810 PAP

598 1 (ii) the Board and the Director in car- 2 rying out the responsibilities described in 3 subsection (c)(2); and 4 (D) to fund only programs, projects, or ac- 5 tivities or to fund increases for any programs, 6 projects, or activities that have not been denied 7 or restricted by Congress. 8 (4) AUTHORIZATION OF APPROPRIATIONS; CRED- 9 ITS; AVAILABILITY OF FUNDS.— 10 (A) AUTHORIZATION OF APPROPRIA- 11 TIONS.—There is authorized to be appropriated 12 to the Fund $250,000,000 for each of fiscal years 13 2018 and 2019. 14 (B) CREDITS.—In addition to any funds 15 otherwise appropriated, the Fund shall be cred- 16 ited with all reimbursements, advances, or re- 17 funds or recoveries relating to information tech- 18 nology or services provided for the purposes de- 19 scribed in paragraph (3). 20 (C) AVAILABILITY OF FUNDS.—Amounts de- 21 posited, credited, or otherwise made available to 22 the Fund shall be available until expended for 23 the purposes described in paragraph (3). 24 (5) REIMBURSEMENT.— 25 (A) REIMBURSEMENT BY AGENCY.— † HR 2810 PAP

599 1 (i) IN GENERAL.—The head of an 2 agency shall reimburse the Fund for any 3 transfer made under subparagraph (A) or 4 (B) of paragraph (3), including any serv- 5 ices or work performed in support of the 6 transfer under paragraph (3)(C), in accord- 7 ance with the terms established in a written 8 agreement described in paragraph (6). 9 (ii) REIMBURSEMENT FROM SUBSE- 10 QUENT APPROPRIATIONS.—Notwithstanding 11 any other provision of law, an agency may 12 make a reimbursement required under 13 clause (i) from any appropriation made 14 available after the date of enactment of this 15 Act for information technology activities, 16 consistent with any applicable reprogram- 17 ming law or guidelines of the Committees 18 on Appropriations of the Senate and the 19 House of Representatives. 20 (iii) RECORDING OF OBLIGATION.— 21 Notwithstanding section 1501 of title 31, 22 United States Code, an obligation to make 23 a payment under a written agreement de- 24 scribed in paragraph (6) in a fiscal year 25 after the date of enactment of this Act shall † HR 2810 PAP

600 1 be recorded in the fiscal year in which the 2 payment is due. 3 (B) PRICES FIXED BY ADMINISTRATOR.— 4 (i) IN GENERAL.—The Administrator, 5 in consultation with the Director, shall es- 6 tablish amounts to be paid by an agency 7 under this paragraph and the terms of re- 8 payment for activities funded under para- 9 graph (3), including any services or work 10 performed in support of that development 11 under paragraph (3)(C), at levels sufficient 12 to ensure the solvency of the Fund, includ- 13 ing operating expenses. 14 (ii) REVIEW AND APPROVAL.—Before 15 making any changes to the established 16 amounts and terms of repayment, the Ad- 17 ministrator shall conduct a review and ob- 18 tain approval from the Director. 19 (C) FAILURE TO MAKE TIMELY REIMBURSE- 20 MENT.—The Administrator may obtain reim- 21 bursement from an agency under this paragraph 22 by the issuance of transfer and counterwarrants, 23 or other lawful transfer documents, supported by 24 itemized bills, if payment is not made by the 25 agency during the 90-day period beginning after † HR 2810 PAP

601 1 the expiration of a repayment period described 2 in a written agreement described in paragraph 3 (6). 4 (6) WRITTEN AGREEMENT.— 5 (A) IN GENERAL.—Before the transfer of 6 funds to an agency under subparagraphs (A) 7 and (B) of paragraph (3), the Administrator, in 8 consultation with the Director, and the head of 9 the agency shall enter into a written agree- 10 ment— 11 (i) documenting the purpose for which 12 the funds will be used and the terms of re- 13 payment, which may not exceed 5 years un- 14 less approved by the Director; and 15 (ii) which shall be recorded as an obli- 16 gation as provided in paragraph (5)(A). 17 (B) REQUIREMENT FOR USE OF INCRE- 18 MENTAL FUNDING, COMMERCIAL PRODUCTS AND 19 SERVICES, AND RAPID, ITERATIVE DEVELOPMENT 20 PRACTICES.—The Administrator shall ensure— 21 (i) for any funds transferred to an 22 agency under paragraph (3)(A), in the ab- 23 sence of compelling circumstances docu- 24 mented by the Administrator at the time of 25 transfer, that such funds shall be transferred † HR 2810 PAP

602 1 only on an incremental basis, tied to met- 2 ric-based development milestones achieved 3 by the agency through the use of rapid, 4 iterative, development processes; and 5 (ii) that the use of commercial prod- 6 ucts and services are incorporated to the 7 greatest extent practicable in activities 8 funded under subparagraphs (A) and (B) of 9 paragraph (3), and that the written agree- 10 ment required under paragraph (6) docu- 11 ments this preference. 12 (7) REPORTING REQUIREMENTS.— 13 (A) LIST OF PROJECTS.— 14 (i) IN GENERAL.—Not later than 6 15 months after the date of enactment of this 16 Act, the Director shall maintain a list of 17 each project funded by the Fund, to be up- 18 dated not less than quarterly, that includes 19 a description of the project, project status 20 (including any schedule delay and cost 21 overruns), financial expenditure data re- 22 lated to the project, and the extent to which 23 the project is using commercial products 24 and services, including if applicable, a jus- 25 tification of why commercial products and † HR 2810 PAP

603 1 services were not used and the associated de- 2 velopment and integration costs of custom 3 development. 4 (ii) PUBLIC AVAILABILITY.—The list 5 required under clause (i) shall be published 6 on a public website in a manner that is, to 7 the greatest extent possible, consistent with 8 applicable law on the protection of classified 9 information, sources, and methods. 10 (B) COMPTROLLER GENERAL REPORTS.— 11 Not later than 2 years after the date of enact- 12 ment of this Act, and every 2 years thereafter, 13 the Comptroller General of the United States 14 shall submit to Congress and make publically 15 available a report assessing— 16 (i) the costs associated with estab- 17 lishing the Fund and maintaining the over- 18 sight structure associated with the Fund 19 compared with the cost savings associated 20 with the projects funded both annually and 21 over the life of the acquired products and 22 services by the Fund; 23 (ii) the reliability of the cost savings 24 estimated by agencies associated with 25 projects funded by the Fund;

† HR 2810 PAP

604 1 (iii) whether agencies receiving trans- 2 fers of funds from the Fund used full and 3 open competition to acquire the custom de- 4 velopment of information technology prod- 5 ucts or services; and 6 (iv) the number of IT procurement, de- 7 velopment, and modernization programs, of- 8 fices, and entities in the Federal Govern- 9 ment, including 18F and the United States 10 Digital Services, the roles, responsibilities, 11 and goals of those programs and entities, 12 and the extent to which they duplicate work. 13 (c) TECHNOLOGY MODERNIZATION BOARD.— 14 (1) ESTABLISHMENT.—There is established a 15 Technology Modernization Board to evaluate pro- 16 posals submitted by agencies for funding authorized 17 under the Fund. 18 (2) RESPONSIBILITIES.—The responsibilities of 19 the Board are— 20 (A) to provide input to the Director for the 21 development of processes for agencies to submit 22 modernization proposals to the Board and to es- 23 tablish the criteria by which those proposals are 24 evaluated, which shall include—

† HR 2810 PAP

605
1 (i) addressing the greatest security,
2 privacy, and operational risks;
3 (ii) having the greatest Government-
4 wide impact; and
5 (iii) having a high probability of suc-
6 cess based on factors including a strong
7 business case, technical design, consider-
8 ation of commercial off-the-shelf products
9 and services, procurement strategy (includ-
10 ing adequate use of rapid, agile iterative
11 software development practices), and pro-
12 gram management;
13 (B) to make recommendations to the Ad-
14 ministrator to assist agencies in the further de-
15 velopment and refinement of select submitted
16 modernization proposals, based on an initial
17 evaluation performed with the assistance of the
18 Administrator;
19 (C) to review and prioritize, with the assist-
20 ance of the Administrator and the Director, mod-
21 ernization proposals based on criteria established
22 pursuant to subparagraph (A);
23 (D) to identify, with the assistance of the
24 Administrator, opportunities to improve or re-
25 place multiple information technology systems

† HR 2810 PAP

606 1 with a smaller number of information technology 2 services common to multiple agencies; 3 (E) to recommend the funding of mod- 4 ernization projects, in accordance with the uses 5 described in subsection (b)(3), to the Adminis- 6 trator; 7 (F) to monitor, in consultation with the Ad- 8 ministrator, progress and performance in exe- 9 cuting approved projects and, if necessary, rec- 10 ommend the suspension or termination of fund- 11 ing for projects based on factors including the 12 failure to meet the terms of a written agreement 13 described in subsection (b)(6); and 14 (G) to monitor the operating costs of the 15 Fund. 16 (3) MEMBERSHIP.—The Board shall consist of 7 17 voting members. 18 (4) CHAIR.—The Chair of the Board shall be the 19 Administrator of the Office of Electronic Government. 20 (5) PERMANENT MEMBERS.—The permanent 21 members of the Board shall be— 22 (A) the Administrator of the Office of Elec- 23 tronic Government; and 24 (B) a senior official from the General Serv- 25 ices Administration having technical expertise in

† HR 2810 PAP

607

1 information technology development, appointed
2 by the Administrator, with the approval of the
3 Director.
4 (6) ADDITIONAL MEMBERS OF THE BOARD.—
5 (A) APPOINTMENT.—The other members of
6 the Board shall be—
7 (i) 1 employee of the National Protec-
8 tion and Programs Directorate of the De-
9 partment of Homeland Security, appointed
10 by the Secretary of Homeland Security; and
11 (ii) 4 employees of the Federal Govern-
12 ment primarily having technical expertise
13 in information technology development, fi-
14 nancial management, cybersecurity and
15 privacy, and acquisition, appointed by the
16 Director.
17 (B) TERM.—Each member of the Board de-
18 scribed in paragraph (A) shall serve a term of 1
19 year, which shall be renewable not more than 4
20 times at the discretion of the appointing Sec-
21 retary or Director, as applicable.
22 (7) PROHIBITION ON COMPENSATION.—Members
23 of the Board may not receive additional pay, allow-
24 ances, or benefits by reason of their service on the
25 Board.

† HR 2810 PAP

608 (8) STAFF.—Upon request of the Chair of the Board, the Director and the Administrator may detail, on a reimbursable or nonreimbursable basis, any employee of the Federal Government to the Board to assist the Board in carrying out the functions of the Board. (d) RESPONSIBILITIES OF ADMINISTRATOR.— (1) IN GENERAL.—In addition to the responsibilities described in subsection (b), the Administrator shall support the activities of the Board and provide technical support to, and, with the concurrence of the Director, oversight of, agencies that receive transfers from the Fund. (2) RESPONSIBILITIES.—The responsibilities of the Administrator are— (A) to provide direct technical support in the form of personnel services or otherwise to agencies transferred amounts under subsection (b)(3)(A) and for products, services, and acquisition vehicles funded under subsection (b)(3)(B); (B) to assist the Board with the evaluation, prioritization, and development of agency modernization proposals. (C) to perform regular project oversight and monitoring of approved agency modernization

† HR 2810 PAP

609 1 projects, in consultation with the Board and the 2 Director, to increase the likelihood of successful 3 implementation and reduce waste; and 4 (D) to provide the Director with informa- 5 tion necessary to meet the requirements of sub- 6 section (b)(7). 7 (e) EFFECTIVE DATE.—This section shall take effect on 8 the date that is 90 days after the date of enactment of this 9 Act. 10 (f) SUNSET.— 11 (1) IN GENERAL.—On and after the date that is 12 2 years after the date on which the Comptroller Gen- 13 eral of the United States issues the third report re- 14 quired under subsection (b)(7)(B), the Administrator 15 may not award or transfer funds from the Fund for 16 any project that is not already in progress as of such 17 date. 18 (2) TRANSFER OF UNOBLIGATED AMOUNTS.—Not 19 later than 90 days after the date on which all projects 20 that received an award from the Fund are completed, 21 any amounts in the Fund shall be transferred to the 22 general fund of the Treasury and shall be used for 23 deficit reduction. 24 (3) TERMINATION OF TECHNOLOGY MODERNIZA- 25 TION BOARD.—Not later than 90 days after the date † HR 2810 PAP

610 1 on which all projects that received an award from the 2 Fund are completed, the Technology Modernization 3 Board and all the authorities of subsection (c) shall 4 terminate. 5 TITLE XI—CIVILIAN PERSONNEL 6 MATTERS 7 Subtitle A—Department of Defense 8 Matters 9 SEC. 1101. PILOT PROGRAM ON ENHANCED PERSONNEL 10 MANAGEMENT SYSTEM FOR CYBERSECURITY 11 AND LEGAL PROFESSIONALS IN THE DEPART- 12 MENT OF DEFENSE. 13 (a) PILOT PROGRAM REQUIRED.—The Secretary of 14 Defense shall carry out within the Department of Defense 15 a pilot program to assess the feasibility and advisability 16 of an enhanced personnel management system in accord- 17 ance with this section for cybersecurity and legal profes- 18 sionals in the Department described in subsection (b) who 19 enter civilian service with the Department on or after Janu- 20 ary 1, 2020. 21 (b) CYBERSECURITY AND LEGAL PROFESSIONALS.— 22 (1) IN GENERAL.—The cybersecurity and legal 23 professionals described in this subsection are the fol- 24 lowing:

† HR 2810 PAP

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu