
Second Interim Status Report on the U.S. Office of Personnel Management's (OPM) Infrastructure Improvement Project -- Major IT Business Case

Published by the Office of Personnel Management, Office of Inspector General on 2016-05-18.


                            UNITED STATES OFFICE OF PERSONNEL MANAGEMENT 

                                                  Washington, DC 20415



  Office of the
Inspector General
                                                   May 18, 2016


      MEMORANDUM FOR BETH F. COBERT
                     Acting Director

      FROM: 	                  NORBERT E. VINT
                               Acting Inspector General

      SUBJECT:                 Second Interim Status Report on the U.S. Office of Personnel
                               Management’s (OPM) Infrastructure Improvement Project – Major IT
                               Business Case (Report No. 4A-CI-00-16-037)

      Executive Summary

      This interim status report discusses the events that have transpired since the Office of the
      Inspector General’s (OIG) September 3, 2015 Interim Status Report, as they apply to the
      concerns outlined in the initial June 17, 2015, Flash Audit Alert – U.S. Office of Personnel
      Management’s (OPM) Infrastructure Improvement Project. We submitted a draft copy of this
      report to Office of the Chief Information Officer (OCIO) representatives to elicit their comments
      on our findings, conclusions, and recommendations. The OCIO’s comments on the draft report
      were considered in preparing the final report and are attached as an Appendix to this report.

      OPM has still not performed many of the critical capital project planning practices required by
      the Office of Management and Budget (OMB). Of primary concern, prior to initiating the
      Infrastructure Improvement Project (Project), OPM did not perform the mandatory Analysis of
      Alternatives to evaluate whether moving all infrastructure and systems to a new environment
      (initially known as Shell, but now referred to as IaaS [Infrastructure as a Service]) was the best
      solution to address the stated objective of this initiative: to provide a secure operating
      environment for OPM systems at a lower cost. In light of recent developments involving the
      creation of the National Background Investigations Bureau within OPM to replace the Federal
      Investigative Services, the current Federal background investigations program, and the shifting
      of the responsibility for developing and maintaining the associated information technology
      systems to the Department of Defense, this analysis is even more important. In addition,
      most, if not all, of the supporting project management activities required by OMB have still not
      been completed.






Furthermore, the estimated lifecycle costs of the Project are unsupported by any detailed
technical analysis of the level of effort needed to modernize OPM systems and migrate them to
the IaaS platform. However, OPM has made strides in identifying the inventory of its IT systems
being moved to the new environment, and performing a risk analysis to determine the timing of
modernization and migration activities.

The primary concern outlined in our June 2015 Flash Audit Alert was that OPM had not
followed disciplined project management best practices in its effort to fully overhaul and migrate
the agency’s technical infrastructure to the IaaS. We recommended that OPM complete an OMB
Major Information Technology (IT) Business Case (Business Case) that encompassed the full
scope of this project, and explicitly stated that the use of project management practices should be
associated with this process.

Although OPM initially disagreed with our recommendation, the agency ultimately submitted a
Business Case to OMB as part of the fiscal year (FY) 2017 budget process and subsequently
informed our office and the Congress that it now had a formal plan for this major initiative.
However, we have reviewed the Business Case documentation and have concluded that the
efforts put forth by OPM do not meet the OMB requirements and thus have not fully addressed
the intent of our recommendation.

Major IT Business Case

A. Capital Planning Process

       As reported in our June 2015 Flash Audit Alert, OPM initiated its Project without preparing a
       proper Business Case to seek approval and secure funding from OMB. OPM initially
       objected to our recommendation to do so, asserting that it would take too long and delay
       critical activities already in process.1 On August 3, 2015 we were alerted that OPM had
       changed course, and now agreed to develop a Business Case that would be completed by
       September 30, 2015.

       At the time it seemed unlikely that OPM would be able to complete the OMB-required
       capital planning process that would support such a document with the necessary level of rigor
       in this short timeframe. Our review of OPM’s September 30, 2015 Business Case has
       confirmed that OPM officials failed to perform almost all of the capital planning activities
       that are required to be associated with a Business Case document.

1 “Completing and submitting an initial OMB Major IT Business Case document requires anywhere from eight
months to a year of research, consultations, discussion, and effort.” Memorandum to McFarland from Archuleta,
Response to Flash Audit Alert – U.S. Office of Personnel Management’s Infrastructure Improvement Project
(June 22, 2015), at page 2.

   OMB Circular A-11 is the primary document that instructs agencies how to prepare and
   submit budget requests for OMB review and approval. The Capital Programming Guide is a
   supplement to this circular, and is intended to assist agencies to “effectively plan, procure,
   and use [capital] assets to achieve the maximum return on investment.” Capital assets
   include IT hardware, software, and modifications.

   Also, Section 5122 (“Capital Planning and Investment Control”) of the Clinger-Cohen Act
   specifically requires that agencies establish a process for maximizing value and minimizing
   risk associated with IT acquisitions.

   The process outlined in the Capital Programming Guide supplement to Circular A-11
   involves the appointment of an integrated project team as the first step associated with major
   IT investments. Such a team should consist of experts from a variety of disciplines
   (including project management, procurement, cost estimating, risk management, budget, etc.)
   to manage the project throughout its lifecycle. One of the first activities that the integrated
   project team should carry out is an analysis of alternative courses of action.

   This is referred to in OMB’s budget guidance as the Analysis of Alternatives process. As
   part of this process, the integrated project team should consider a variety of factors, including
   availability of different options, affordability, cost and benefits, and risk. The team should
   conduct market research to identify as many alternatives as possible, develop a project
   baseline consisting of a risk-based budget and schedule, and use a benefit-cost approach to
   selecting the best available alternative within the budget.

   The benefit-cost analysis is supposed to be a formal, systematic, economic assessment of
   each alternative solution based on the net present value of all quantifiable benefits and costs.
   The solutions should be ranked based on the discounted net present value of the benefits less
   the costs, and include some attempt to quantify the risk associated with the assumptions used
   to estimate benefits and costs.

   This is clearly a complicated and time consuming process, and is not something that could
   have been completed in a matter of weeks. At the time we issued our Flash Audit Alert in
   June 2015, many of the activities had not been completed in support of a properly developed
   Business Case. We expressed the opinion that OPM’s desire to better secure its IT
   environment as quickly as possible, and therefore declining to perform many of the
   mandatory planning steps, resulted in a high risk that the Project would fail to meet its
   objectives. Now that we have reviewed OPM’s recent Business Case and its supporting
   activities in depth, we are even more concerned about the lack of disciplined capital planning
   processes.

   OPM did not initially convene an integrated project team (although one has since been
   appointed) or complete the proper market research and analysis of alternatives before
   deciding to abandon OPM’s legacy environment and embark on its IaaS effort. We were told
   by OCIO staff that OPM’s former Chief Information Officer discussed possible alternatives
   with her staff, with input from Imperatis (the contractor that was hired to help secure OPM’s
   legacy environment in the wake of the April 2014 data breach) in selecting this alternative.
   However, no documentation was provided to us to support this assertion.

   Furthermore, OPM did not develop a realistic budget based on an understanding of the
   number of systems that would need to be migrated to the new environment, the level of effort
   associated with the required modernization and security updates, and the cost of this process
   (See Section B. for further discussion). Another critical requirement of the capital planning
   process is not only to develop realistic life-cycle cost estimates for the capital asset, but also
   to assess the political support for those costs. It would not make sense to initiate a major
   project potentially costing hundreds of millions of dollars without first understanding
   whether OMB would support, and the Congress would appropriate, funding for the project.

   As reported in our first interim status report in September 2015, OPM informed us in April
   2015 that it had extensive discussions with OMB about this project, and that its project plan
   had been approved by OMB and other agencies involved in cybersecurity. When we asked
   for a copy of the project plan that had been provided, we were given what was essentially a
   list of security tools that OPM planned to purchase, not something that could be considered
   any type of planning document, project charter, or business case for the Project. We also
   asked OPM to provide evidence to document the nature of its meetings with OMB. OPM has
   not provided any documentation, even though it claims that “extensive discussions” took
   place with OMB.

   In any event, it is clear that OPM initiated this major IT project without following the proper
   procedures. In the wake of the April 2014 data breaches, OPM decided on a course of action
   without following the required capital planning procedures. We recognized that there was a
   sense of urgency after discovering that a breach had occurred and agreed that it was critical
   to secure the legacy environment as quickly as possible (this was the first, or Tactical, phase
   of the Project). However, once the legacy environment was stabilized, OPM should have
   conducted the appropriate Project planning steps required by OMB Circular A-11, especially
   developing the Project budget and analysis of alternatives.






       A further complication is the recent decision by the PAC-PMO, after its 90-day review,2 to
       create the National Background Investigations Bureau, an independent component of OPM,
       and transfer responsibility for the IT systems that support the background investigations
       business process to the Department of Defense. Our understanding is that OPM planned to
       use its revolving fund, which derives the majority of its revenues from background
       investigations, to fund a significant portion of the costs of the Project. However, since the IT
       systems that support background investigations processing will now not be part of the IaaS, it
       would seem that a large portion of the planned funding source will not be available for the
       Project.

       As a result of OPM’s failure to perform proper capital planning activities, especially
       developing a realistic estimate of the Project’s life cycle costs and conducting the appropriate
       analysis of alternatives, we continue to believe that there is a very high risk that the Project
       will fail to meet its stated objectives of delivering a more secure environment at a lower cost.

       It is still not too late, however, for OPM to complete the activities that should have been done
       before it initiated this Project. This is even more important given the changes that have
       occurred. OMB guidance for completing a Business Case states that “significant changes . . .
       should be reflected in an updated investment-level Alternatives Analysis, subject to OMB
       review.”

       Recommendation 1

       We recommend that OPM complete an Analysis of Alternatives as described in the Capital
       Programming Guide supplement to OMB Circular A-11 as soon as possible. This analysis
       should recognize changes in the internal and external environment and no consideration
       should be given to funds already spent associated with the Project (i.e., avoid the sunk cost
       fallacy).

       OCIO Response:

       In its response to the draft report, the OCIO stated that:

       “OCIO agrees that conducting such an AOA going forward, including looking at
       alternatives to “Shell” for mitigating, migrating, or modernizing legacy applications and
       infrastructure, would be beneficial to OPM and bring enhanced rigor to the capital
       planning process. It is particularly beneficial in light of the recent decision to transition
       background investigation services to the National Background Investigations Bureau
       (NBIB) and have DOD provide the IT support to the NBIB.”

2 The Suitability and Security Performance Accountability Council Program Management Office (PAC-PMO) is an
interagency group chaired by OMB and comprised of the Director of National Intelligence and the OPM Director in
their respective roles as Security and Suitability Executive Agents. In the wake of the OPM data breaches, the
PAC-PMO initiated a 90-day review of the suitability and security clearance process.

   The OCIO’s response also outlined the additional steps it plans to take to improve its
   capital planning process, including:
      •    Creating and updating application profiles and conducting reviews of major IT
           systems, prioritizing High-Value Assets (HVAs). As part of these reviews, OPM
           plans to complete and document an Analysis of Alternatives in which migration to
           “Shell” will be considered against other alternatives.
      •    Applying a similar Analysis of Alternatives with respect to data center
           consolidation. Looking at each data center, OCIO plans to consider migration to
           Shell against other alternatives, such as mitigation or modernization of the legacy
           infrastructure, and/or migration to alternative environments.
      •    Instituting an updated process to ensure that IT business cases are aligned with
           OMB A-11 and other modern IT practices for other existing and future projects.
      •    Adopting an Agile methodology in which iterative development cycles would
           provide feedback to form the basis of subsequent activity.

   OIG Reply:

   We acknowledge that OPM officials agree with our recommendation, and commend them for
   their thoughtful response and detailed plan to implement it. The Agile development
   methodology is envisioned, and in fact encouraged, in OMB’s budget guidance in which the
   concept of ‘useful project segments’ is applied to capital financing principles. We
   emphasize, however, that an Agile approach should be balanced with the need for structured
   development and budgeting principles. We will continue to closely monitor OCIO’s efforts
   to improve its capital planning process as it relates to the Project.

B. Lifecycle Cost Estimates

   As briefly discussed in the previous section, a critical component of the capital asset planning
   process is estimating the full lifecycle costs of a major IT initiative. This is true for two
   reasons. First, estimating the full lifecycle costs allows the development of a baseline for
   evaluating feasible alternative solutions. Second, it provides sufficient information so the
   agency may seek a funding commitment for the lifecycle of the project (or at least for major
   useful segments) before committing to its implementation.

   A prerequisite to estimating the lifecycle costs of the Project requires that OPM first fully
   understand its scope, which means that OPM would have to conduct a complete inventory of
   systems, and have an understanding of their technical architecture and the level of effort
   required to migrate or modernize them. Only after this critical, but understandably complex,
   process is completed can a realistic cost estimation be done. OPM, however, initiated the
   Project before completing this process.

   OPM’s Business Case submitted to OMB with the FY 2017 budget request outlines the costs
   already incurred for this Project along with reasonable short-term cost estimates to finish
   developing the IaaS portion. However, its cost estimates for modernizing and migrating its
   information systems to the new environment are unsubstantiated because of the incomplete
   inventory and technical analysis. OPM officials have candidly informed us that their cost
   estimates are “best guesses.” In our opinion, these cost estimates significantly understate the
   true costs of the Project.

   Another problem is the limited amount of funding that OPM is allocating to its
   modernization and migration effort. The IaaS Business Case contains budget projections that
   allocate the majority of funds toward three primary areas: maintaining the legacy
   environment, maintaining the new IaaS environment, and modernizing and migrating OPM’s
   information systems. For FYs 2017 through 2020, the budget allocates approximately 20 to
   25 percent of the Project’s IT costs to modernization/migration, while the rest is dedicated to
   concurrently securing and maintaining the legacy and IaaS environments.

   However, this approach does not seem to consider the fact that maintenance costs for the dual
   environments will not likely remain fixed. As these two environments continue to age, the
   costs of keeping them functional and secure will continue to increase. Eventually,
   maintenance costs could consume OPM’s entire budget for the Project, leaving no funding
   available for modernization and migration. We addressed this potential worst-case scenario
   in our June 2015 Flash Audit Alert by warning that the agency’s approach could force it to
   indefinitely support both the IaaS and its legacy environment. This would further stretch
   already inadequate resources, and therefore make both environments less secure and
   susceptible to another data breach.

   Because OPM’s lifecycle cost estimates are unsupported and probably significantly
   understated, there is a high risk that future budgets will continue to be inadequate to complete
   the Project. This increases the likelihood of the “worst case scenario” mentioned above,
   unless OPM decides to simply move its legacy systems into the IaaS without first
   modernizing and updating their security and operational features. While this may mitigate
   the cost impact of maintaining dual environments, it would not be consistent with the original
   Project goals.

   We recently became aware of a plan to physically move legacy systems from the old data
   centers into the new data centers, but keep them in a separate logical environment from IaaS.
   While on the surface this seems like a reasonable plan to save money in the short term, it
   does not significantly reduce the risks associated with maintaining security controls in two
   logical environments indefinitely.

   Another impact of OPM’s inadequate project planning is the potentially wasteful spending
   that has occurred in creating an IaaS environment before it was clear that it was the best
   solution, and before the technical analysis of the scope of the effort was completed. OPM is
   currently spending approximately $25 million annually to maintain the IaaS.

   While OPM has not yet determined the full scope of this Project, there has been some
   improvement in developing an inventory of legacy systems and estimating the costs to
   modernize them. OPM’s Senior Cybersecurity and Information Technology Advisor to the
   Director has developed a framework that we are optimistic can begin to provide OPM with
   this critical information. This “application profiling” scoring approach not only provides a
   means to evaluate the urgency of modernizing or migrating individual information systems,
   but also includes the critical step of estimating the costs associated with each application.

   While this type of analysis should have occurred before heavily investing in IaaS, we are
   pleased to see that OPM at least has a framework in place to begin developing true cost
   estimates for this Project. With this information in hand, OPM will be in a position to
   develop a realistic lifecycle cost estimate as input to the analysis of alternatives discussed in
   Section A and Recommendation 1.

   Recommendation 2
   We recommend that OPM leverage the application profiling scoring framework to develop
   cost estimates for modernizing and/or migrating all OPM information systems, and use this
   information to support the capital planning activities referenced in Recommendation 1. The
   Business Case should be continuously updated to reflect these cost estimates as they become
   more concrete.

   OCIO Response:

   “OPM also concurs with the OIG’s recommendation that the agency would benefit from
   more rigorous estimation of lifecycle costs. To achieve this, OPM IT Program Managers
   plan to use the application profile framework designed by OPM’s Senior Cybersecurity
   and Information Technology Advisor to inform lifecycle cost estimation for modernization
   projects. As we continue to develop our cost estimates, we will continue to seek feedback
   from partners such as the Office of Management and Budget and the OIG.”






    OIG Reply:

    We agree with the approach of using the high-value asset application profile framework to
    estimate modernization costs on a system by system basis, but these efforts should be based
    upon recognized cost estimation principles and procedures.

If you have any questions about this interim status report, please contact me, at 606-1200, or
someone from your staff may wish to contact Michael R. Esser, Assistant Inspector General for
Audits, at         .

Appendix

cc:     Kiran A. Ahuja
        Chief of Staff

        Kathleen M. McGettigan
        Chief Management Officer

        Lisa Schlosser
        Acting Chief Information Officer

        Clifton N. Triplett
        Senior Cybersecurity and Information Technology Advisor

        Janet L. Barnes
        Director, Internal Oversight and Compliance





                                                            APPENDIX

                              UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                                          Washington, DC 20415



Chief Information Officer                            APR 22 2016



      MEMORANDUM FOR                     MICHAEL R. ESSER
                                         Assistant Inspector General for Audits

      FROM:                              LISA SCHLOSSER
                                         Acting Chief Information Officer

      SUBJECT:                           CIO Response to the Second Interim Status Report on the U.S.
                                         Office of Personnel Management's (OPM) Infrastructure
                                         Improvement Project

      Introduction
      The OPM Office of the Chief Information Officer (OCIO) has reviewed the Second Interim
      Status Report on the U.S. Office of Personnel Management's (OPM) Infrastructure Improvement
      Project. The OCIO appreciates the detailed analysis and feedback provided in the report, and
      generally concurs with the recommendations. This response focuses on the efforts underway,
      and planned next steps, to address the recommendations.
      Since the Office of the Inspector General (OIG) issued the first Flash Audit Alert on the status of
      OPM's Infrastructure Improvement Project last summer, we have already begun to address OIG
      concerns. As the OIG has noted, OPM has:
           •    Submitted an updated OMB Major Information Technology Business Case for the
                Infrastructure Improvement Project;
           •    Engaged in on-going efforts to inventory IT systems and identify plans to mitigate,
                migrate, or modernize these systems; and
           •    Drafted an Application Profile methodology and process that assesses potential IT system
                risk while migrating and modernizing OPM IT applications. As discussed in more detail
                below, this will inform the development of a more comprehensive lifecycle cost estimate
                for IT applications and for the Infrastructure Improvement Project.
      As the OIG acknowledges, OPM embarked on the Infrastructure Improvement Project with a
      "sense of urgency" following the 2014 data breach. OPM previously concluded that it was
      critically important to take the appropriate steps to better secure OPM's aging legacy
      infrastructure in the near term, while putting in place a longer-term solution to transition its
      infrastructure into a more secure, modern environment. OPM consulted with its interagency
      partners, including the Department of Homeland Security and the Office of Management and
      Budget, as it developed its new "Shell" or IaaS environment.


  As the OIG points out, however, OPM did not conduct a formal Analysis of Alternatives (AOA)
  at the time. OCIO agrees that conducting such an AOA going forward, including looking at
  alternatives to "Shell" for mitigating, migrating, or modernizing legacy applications and
  infrastructure, would be beneficial to OPM and bring enhanced rigor to the capital planning
  process. It is particularly beneficial in light of the recent decision to transition background
  investigation services to the National Background Investigations Bureau (NBIB) and have DOD
  provide the IT support to the NBIB. As previously discussed with the OIG, it has been, and
  continues to be, OPM's intent to utilize an agile methodology that is iterative in nature and that
  allows us to continue to adapt to evolving needs, circumstances, and technologies. Consequently,
  in accordance with the OIG's recommendations, OPM OCIO intends to take the following
  actions:
 Recommendation 1: Capital Planning Process Improvement Plan
 OPM concurs with Recommendation 1 and has initiated and plans to continue to implement the
 following steps to enhance our Capital Planning Process:
    1) 	 OPM OCIO is creating and updating application profiles and conducting reviews of
         major IT systems, prioritizing High-Value Assets (HVAs). These reviews are designed to
         assess risk and to meet the standards of OMB Circular A-11 and other modern IT
         practices. As part of these reviews, OPM plans to complete and document an AOA in
         which migration to "Shell" will be considered against other alternatives. These
         alternatives may include mitigation or modernization of the legacy system, and/or
         migration to other environments that are or may become available in the future, such as a
         commercial or government cloud.
    2) 	 As part of its ongoing efforts to rationalize its infrastructure and reduce costs, OPM
         OCIO plans to apply a similar AOA with respect to data center consolidation. Looking at
         each data center, OCIO plans to consider migration to Shell against other alternatives,
         such as mitigation or modernization of the legacy infrastructure, and/or migration to
         alternative environments. After OCIO completes its review of its legacy data centers, it
         plans to then conduct an AOA for the new "Shell" data centers in                    and
                        , to determine whether these data centers should continue to be utilized, be
         scaled differently, or migrated to a different environment.
    3) 	 For existing and future projects, the OPM OCIO, in coordination with the OPM
         Investment Review Board, plans to institute an updated process to ensure that IT business
         cases are aligned with OMB A-11 and other modern IT practices.
 We are taking an agile approach to these plans, working in iterative cycles in which feedback on
 our progress in one stage will inform our approach to the next. For example, we anticipate that
 the first stage of our infrastructure review will evaluate alternative paths to modernization for
 one of the data centers in our legacy infrastructure environment. We will share the results of this
 first stage of analysis with the OIG for feedback on our approach.




Collectively, these steps will have two benefits for OPM. First, they will help ensure that the
future architecture and management of the Infrastructure Improvement Project is rigorous, and
that OPM makes the most cost-effective decisions for transitioning out of the legacy
environment while maintaining a strong security posture. Second, these actions lay the
groundwork for better investment management processes in the future.
Recommendation 2: Lifecycle Cost Estimate Improvement Plan
As stated above, OPM also concurs with the OIG's recommendation that the agency would
benefit from more rigorous estimation of lifecycle costs. To achieve this, OPM IT Program
Managers plan to use the application profile framework designed by OPM's Senior
Cybersecurity and Information Technology Advisor to inform lifecycle cost estimation for
modernization projects. As we continue to develop our cost estimates, we will continue to seek
feedback from partners such as the Office of Management and Budget and the OIG.
These profiles, which are currently in their first iteration, will allow OPM to prioritize systems
for modernization by using the NIST FIPS 199 and the OMB HVA evaluation criteria to rate
them as low, medium, or high priority across a number of dimensions. Some of these
dimensions, such as process complexity and technical obsolescence, are "drivers" of
modernization. Other dimensions, such as feasibility and funding source, are "challenges" to
modernization. OPM will consider these profiles when making modernization funding decisions
and will update business cases for Major IT Investments as necessary.
Conclusion
As we continue to implement these and other improvements, the OPM OCIO will share the
results with the OIG on a frequent basis, to include providing on-going updates as part of the
bi-weekly meeting agenda.
If you have questions about this report, I encourage you to contact me directly at           . We
look forward to further discussions on this topic.


cc:     Kiran A. Ahuja
        Chief of Staff

        Kathleen M. McGettigan
        Chief Management Officer




