The process of grading agencies under FITARA, the Federal Information Technology Acquisition Reform Act, needs to reflect current challenges including strengthening cybersecurity, phasing out antiquated systems, and growing and maintaining an adequate cyber and IT workforce, CIOs told the House Oversight and Reform Subcommittee on Government Operations.
The FITARA scorecard and its associated oversight are credited with propelling IT systems acquisition and management advancements across 24 federal agencies. In 2015, just 29 percent of agencies received a “C” grade or higher; this December, that number was up to 100 percent. Since the July 2021 FITARA 12.0 Scorecard, seven agencies’ overall grades increased, four decreased, and 13 remained unchanged.
No agencies have received a failing grade since 2018, but fewer than 10 percent of agencies on average have achieved an “A” grade.
“To continue driving progress, the scorecard needs to evolve, to reflect the changing nature of IT services, and to guarantee that we’re accurately assessing modernization and IT management practices of federal agencies,” said subcommittee Chairman Gerry Connolly (D-Va.) at the Jan. 20 hearing to review FITARA 13.0. “The goal here is to incentivize progress, not to get a gold star on our foreheads.”
Connolly noted that 53 percent of agencies “are showing no change to their overall grade over time — that’s not progress. Agencies appear to be less motivated to improve grades, perhaps because of the methodology used to calculate some of the metrics.”
Ranking Member Jody Hice (R-Ga.) noted that on the Enterprise Information Solution metric “15 of the 24 agencies are failing, and I hope we can get answers as to why this is the case.”
“Similar to what occurred with software licensing, it just wasn’t a top priority for the agencies,” said Carol Harris, director of Information Technology and Cybersecurity at the Government Accountability Office. “When you take a look at the history of the past two telecommunication transitions, agencies have sort of dragged their feet in this initiative, and really did not make it a priority until they were very, very close to the deadlines for closing out those current set of contracts.”
Harris told lawmakers in remarks on the latest scorecard that the “escalation in grades reflects the notable improvements agencies have made in most of the scorecard categories.”
“We have the first ever straight-A performance by the agencies in the data center category. Since 2010, the agencies have closed almost 6,800 data centers, and achieved $6.6 billion in savings,” she said, noting that as “seven agencies plan to close 79 more centers, and save a total of $46 million” consolidation “has slowed, because we’ve squeezed as much juice as we can from this initiative.”
“In contrast, the vast majority of agencies are not moving fast enough in their transition off of GSA’s expiring telecommunications contracts. These contracts expire in May 2023. Fifteen agencies have an ‘F’ in this category, and it’s worth noting GSA is one of those agencies.”
Harris said the scorecard “needs to evolve, in order to maintain its effectiveness as an oversight tool,” noting that while about half of the agencies have had no change to their overall grade, agencies “are increasingly less motivated to improve in areas where they are being graded on a curve, and that’s risk management and portfolio stack savings.”
The cybersecurity category “should be expanded to better address the ongoing and emerging challenges facing our nation, including mitigating global supply chain risks, and improving the implementation of government-wide cybersecurity initiatives,” she said, and “we should consider adding a category that directly tackles the legacy IT issue” as about 60 percent of the more than $100 billion spent on IT annually goes toward maintaining antiquated systems.
“The next logical step should be tracking agency progress, and decommissioning their most critical legacy systems,” Harris added.
Former Federal Chief Information Officer Suzette Kent said she wants to see a scorecard “that brings visibility to the results achieved, and coalesces the focus between the people doing the work, and the people who approve the funding… something that really matters to agency leaders, and is helpful to the CIOs and their teams.”
“It’s a great achievement when agencies meet the targeted goals, and we’ve seen that. But it’s also a celebration when a category can be removed, because it’s an opportunity to introduce new metrics that are focused on future expectations,” she said. “And in this way, the FITARA scorecard continues its legacy of driving focus on forward progress that your constituents expect.”
Kent recommended four scorecard areas: cybersecurity that addresses evolving risks in a changing operating environment, “including identity and access protocols and accelerating information sharing”; modernization including “evolution of legacy technology, digital capability development, advancing our disciplines around data, and expanded use of automated technologies” that “demands changes to some of the rigid funding and procurement processes to better align with multi-year initiatives and best practices for modern technologies, the types of things that you’ve embedded into the goals for working capital”; agencies’ digital journey to “include metrics that highlight our progress toward digital and mobile native platforms, quality customer experiences that are on par with what citizens experience in every other industry”; and workforce “to ensure that priority is given to skills development and workforce performance.”
“As I’ve returned to the private sector, I often see that citizens judge their experiences with government using the same lens as their private-sector businesses, but they can’t take their business elsewhere,” Kent added. “Maybe we could consider leveraging some external metrics as well that are widely accepted across other industries.”
Former Department of Homeland Security CIO Richard Spires said it is time “to substantively evolve the scorecard, to address the core IT modernization challenges agencies face, as highlighted by GAO’s audit work.”
Spires recommended adding an IT planning category to “reflect the maturity and focus on IT modernization, within the agency’s planning function and enterprise architecture,” and “existing best practices for planning and managing IT could be used, either by GAO or agency IGs, to audit an agency’s IT planning capability, to arrive at an IT planning maturity grade.” Then “combine the incremental delivery and transparency and risk management categories under a broader delivery of IT programs category,” he said, as “agency IT modernization occurs through the successful delivery of IT programs and, as such, there should be a category that measures the ability of agencies to manage such programs.”
Spires also recommended evolving the managing government technology category into a broader IT budget category in which “agencies could be measured on their adoption of [Technology Business Management], along with the use of benchmarking of their IT services, so they can compare their performance to other similar-sized agencies and private-sector corporations.” He also recommended a cybersecurity category that uses last May’s executive order as a guide “for what federal agencies should be doing to enhance their cybersecurity position.”
“In particular, the EO places special emphasis on agencies implementing a zero-trust architecture, having holistic visibility across one’s IT infrastructure, implementing secure guidelines in cloud computing environments, focusing on protecting high-value data and system assets, and dealing with supply chain issues,” he said. “The EO can serve as a means to more accurately grade an agency’s cybersecurity posture. To determine the specific measures for a category, and what additional data would be required so that the category could be properly graded, Congress should convene an advisory group that would develop recommendations to evolve the FITARA scorecard. This advisory group should be headed by GAO, but include representatives from the Federal CIO Council, the Office of the Federal CIO, and from the private sector.”
David Powner, former GAO director for IT and current executive director of the Center for Data-Driven Policy at MITRE, opined that three scorecard categories should be retired — incremental, portfolio stack, and data centers — and the scorecard should focus on cybersecurity, workforce, legacy modernization, budgeting, and infrastructure.
“We need to update the cyber area by using metrics that are consistent with the administration’s cyber executive order, zero-trust policy, supply chain risk management best practices and those metrics used by CISOs and industry,” he said. A workforce category should be one that “provides a comprehensive view of agencies’ gaps in critical IT and cyber areas and tracks progress to build the appropriately skilled workforce.” The mission modernization category would give “transparency to our nation’s most important IT acquisitions” while incorporating customer experience and legacy retirement concerns.
An infrastructure category would “shine a spotlight on having modern and secure networks with EIS contracts” including a cloud adoption metric, Powner continued, while an IT budgeting category should be one that “continues the pressure on establishing working capital funds, but also incorporates technology business management, so that IT costs are better captured.”
“It is critical that the updates to the scorecard are coordinated with the federal CIO and OMB, since they have been and will be the source of most of the data used in the grading process,” he said.
Department of Energy CIO Ann Dunkin told lawmakers that as the DOE FITARA program “continues to mature, including at our national laboratories, power market administrations, plants, and sites, we’ll continue to focus on the following: enhancing our visibility to IT-related resources and investments, supporting CIO and IT management authorities at all levels, improving our cybersecurity posture, implementing new and updated policies for managing IT, and strengthening governance and oversight processes.”
The department also “continues to make progress towards improving our cybersecurity posture,” she said. “Various security needs within the DOE’s mission space present unique cybersecurity challenges, requiring our risk management program to be flexible, and allow for risk-based decision making, to enable our mission. The department is leveraging the Department of Homeland Security’s Continuous Diagnostic and Mitigation program, to obtain additional security tools, including most recently, hardware and software asset management.” DOE is also trying to lure more cybersecurity and IT talent with a paid internship program for students from overburdened and underserved communities.
The speed with which government had to adapt when COVID-19 hit also “has inspired us to double down on our efforts to improve DOE’s IT and cybersecurity posture, to remove barriers to innovation at scale, and to lead change across the federal government.”
Office of Personnel Management CIO Guy Cavallo said his agency improved to a “B+” on the latest scorecard through improvements including hiring a chief technology officer, an enterprise architect, a cloud and cybersecurity senior advisor, and a digital services team lead; making the chief information security officer a senior executive service position; and acting “aggressively” to reduce the vacancy rate by about 20 percent from the beginning of FY21.
OPM also launched its cloud earlier in the month, and the on-premises retirement services contact center was replaced with a flexible cloud-based center. The agency’s Investment Review Board was reinstated and is helping “establish an enterprise-wide approach to technology, to help us eliminate fragmentation, and to align our IT investments to OPM’s core mission requirements,” Cavallo said.
“A final area that I want to highlight is the steps we’ve taken to support the OPM workforce, in this new hybrid world of work,” he added. “Through standardizing on an enterprise collaboration solution, we can now easily communicate, internally and externally, across OPM. This has further allowed us to reduce duplicative software costs, by consolidating multiple collaboration tools into a single enterprise solution, thereby saving taxpayer dollars.”