New ideas for updating a very old scorecard at which agencies roll their eyes

Deep in the weeds of agency management, you find something called the FITARA scorecard. FITARA stands for Federal Information Technology Acquisition Reform Act. It became law in 2015. Twice each year, agencies receive a scorecard from Congress on how they did managing their IT activities. Now a team, under the IT trade group ACT-IAC, has come up with a list of recommendations for revising the FITARA scorecard. To get the whys and wherefores,  Federal Drive with Tom Temin spoke in-studio with former federal CIO Alan Balutis along with the the Executive Director of the Policy Center at the MITRE Corporation, Dave Powner.

Interview Transcripts:

Tom Temin A little bit of background, the FITARA scorecard, where does it come from and do agencies really believe in it?

Dave Powner Well, Tom, starting off FITARA was passed in December 2014, and following the passage of that law, there were scorecards provided initially in four areas associated with aspects of that law. So, for instance, areas like data center consolidation where we consolidating centers and saving money. Originally, Congress started with four categories. It kind of ballooned now to about eight categories, but consistently every six months for the last eight years, four congressional sessions, there’s been a scorecard in place. And I will say early there were great benefits to the scorecard in terms of cost savings going to more incremental development instead of big waterfall approaches. And what happened is from scorecards eight through 15, there really weren’t a lot of changes. So what ACT-IAC decided to do, we had a great team that was led by Dave Winograd and Richard Spiers, Al and I were able to participate in that. We had a lot of other ex-CEOs, a really top notch group that recommended how we should evolve the scorecards so that we could continue to focus on things that matter cyber cloud, migration, work force, those types of categories.

        Find out how security operations centers continue to evolve to stay ahead of cyberthreats by collaborating closely with industry to staff their operations and modernize their toolkits in our new ebook, sponsored by Maximus. | Download today!

Tom Temin And Alan, do you get the sense that the scorecards actually affected agency activities, or was this one of those things where you can’t fatten a pig by weighing it?

Alan Balutis Well, it’s a troubled analogy, but yeah, I think it’s made a considerable difference. And everybody, I think, agrees with that. CIO Council, OMB, GAO, members of the Hill. And of course, there’s been a revolving leadership on the Republican side. But I think it’s time to evolve that card after eight years and 15 report cards as we’ve advanced and accomplished. Now we want to step up the ante a little bit and advance the ball even further.

Tom Temin Yeah. What has changed in the IT environment, do you think that would prompt a change in what is measured and scored and reported on? Because you mentioned cloud workforce, cybersecurity. Those are still very much extant.

Dave Powner Yeah, those areas have always been around, Tom. But if you look at cyber, for instance, if you look at the current administration with their executive order, the zero trust strategy that’s in place now, the National Cybersecurity Strategy we had metrics to measure cyber, but those metrics do need to change. If we look at like the tenants of zero trust, multi-factor authentication, endpoint detection, those types of things. So again, when you look at what we’re proposing here, there’s one new category. There’s a workforce category that has never been on the scorecard and we think it should be. And I know Alan has a lot of ideas about how that should evolve. The network category on EIS, we’re proposing that that stays and then there’s six categories.

Tom Temin By EIS you mean the Enterprise.

Dave Powner Yeah, right.

Tom Temin The contract from GSA in about half the company half government has actually bought into yet.

Dave Powner Exactly. And that’s why it was put on the scorecard to grade it so that we get more folks moving towards that governmentwide contract. So that one we’re proposing stays. And then the other six categories are really like an evolution of what’s already there. So cyber was already there and we’re just proposing new metrics on cyber.

        Read more: Agency Oversight

Tom Temin And just briefly, the workforce issue then, what is crucial there?

Alan Balutis Well, I think just a week or so ago, Tom, you had Gene Dodaro, comptroller general, head of GAO, on your show. And as you know, in the high risk list, human capital planning and management has been on the list since the very inception. And now as you look at the remaining issues on the list, half of them have human resources as a key component, program management, cybersecurity, etc. Now, if you came in and had a new company and they said we have this long standing problem for 20 years, that’s been our major issue and it’s the major contributor of half of our other big challenges. Wouldn’t you want to take that on? It’s a difficult issue. The metrics have been a little hard to measure, but it’s such a critical path matter and it would drive so much success and progress in other areas. If you were to succeed there. All of that argues for putting it on the top and making it a major priority.

Tom Temin We’re speaking with Alan Balutis. He’s former federal CIO and man about the industry for many years after that. And with Dave Powner, executive director of the Policy Center at Miter Corporation. And you have worked up a prototype FITARA scorecard and actually tested it at two agencies. They wish to remain anonymous for this. But tell us more about that methodology.

Dave Powner Yeah, so the key to the scorecard, Tom, is, is the data available and does the methodology make sense. What we did is we had two agencies that signed up and those were really the two questions that we wanted to answer. Is the data available to apply our scoring methodology and does the scoring methodology make sense? And to cut to the chase on what those two agencies told us, most of this data is readily available to provide a score, and they did. Where they were able to self score so of the methodology made sense, there were some tweaks they had that were very helpful that we plan on incorporating into the methodology that we currently have. And the other thing we’re doing to in addition to piloting is we’re running this past GAO, the federal CIO’s office, as well as congressional staff on the Hill, to make sure that this all makes sense and this is where they want to go.

Alan Balutis All of those have been receptive.

Tom Temin You didn’t hatch this in secret and sort of plop it onto the world. They’ve all been involved, these different stakeholders, to use the modern parlance.

Alan Balutis Indeed.

        Sign up for our daily newsletter so you never miss a beat on all things federal

Tom Temin And I wanted to ask one detail question of your recommendations. CIO Authority. And that’s an issue that has been bedeviling since there have been CIOs, and I think there’s been two or three laws, Alan, in our history of following this. What do you mean there? How would you change that in relation to the scorecard?

Alan Balutis Well, as you know Tom, one of the challenges from the very beginning, after Clinger Cohen was enacted, Senator Cohen went off to become secretary of defense in the Clinton administration. And Congressman Clinger retired. So there was no one to actually follow up. There was a mixed implementation of the act initially, and so CIOs never were granted some of the authorities that are essential to carry out that role, authority over the I.T. budget, authority over procurement. So you could see what’s being acquired. And CIOs have struggled with that. So, again, we view that as a critical path issue, giving them the authorities. And then, of course, seeing that they actually use that authority, because we’ve seen recently a report from the Department of Veterans Affairs where they weren’t reviewing many of the key I.T. procurements in the department. Both are essential having the authority and using that authority to carry through the job.

Dave Powner And Tom, specifically on that topic, if you look at the scorecard today, the CIO authority has one category that they use to evaluate it. Do they report to the agency head, as Alan said, that’s required back to Clinger Cohen. And they get a plus or minus on their grade. What we’re proposing is there’s three areas that we focus on. Do they report appropriately? Are they involved with the budgeting and spend process and are they also involved with the procurement process? So you break that into like three categories. And we think to Alan’s point that that’s really where we need to focus to make sure they are involved with all those key areas.

Tom Temin Yeah, to put the C in CIO, you might say. Correct. And Dave, another question and Alan, you can jump in on this one also. And that is and I’m asking based on your experience at GAO, where you would have looked at a agency or a program or some type of federal initiative over time, and if the scorecard changes. Does it matter that the scores may not be comparable over the long history of them, 15 and counting, or is that really not so important? And what really matters is what they’re doing right now with what is current.

Dave Powner To be honest, I don’t think the actual grade or scores matter. Are we getting progress in terms of outcomes? So if you look at data center consolidation, we saved billions. Incremental development, we went to more incremental approach over time. Do we need to get better cloud adoption plans in place and actually execution against those plans? Do we need to be in the cloud more? Yes. So that’s one of the areas that we propose. Do we need to move our cyber approach more towards a zero trust approach that’s currently required in policy coming out of OMB? Yes, we need to do those things. So really, the grades are there, but it’s really the outcomes. And to be honest with you, what we’re proposing on the evolution of the scorecard right now, everyone’s getting a C or higher. And if you look collectively at everything the agencies have to do workforce, cyber, cloud adoption, the legacy challenges we have, do we really think everyone is doing A’s and B’s in all these areas? Agencies themselves would probably tell you no. So I think this evolution where we look at new categories, push agencies to do things. And I will say, not that you want to give D’s and F’s, but when agencies got D’s and F’s, top management paid attention and there was focus on these things.

Alan Balutis And you used the phrase, I think, report card when you started this interview. You continue that analogy as you advance in your performance. The curriculum gets a little tougher, scoring gets a little more intense, and you step up the ante in terms of your progress. And that makes sense in this arena as well.

Tom Temin Sure. Okay. One pre final question, and that is it sounds like you envision really for the long term a card that continuously changes to reflect changes in technology and reflect changes in the real challenges that the government is facing at a given moment.

Dave Powner I think it should clearly change over time. You need to be fair to the agencies and give them a heads up. One of the things that the committee’s done, and I think it’s really been great, is when they were going to change something, they would preview it the score card prior. So agencies would really have almost a full year to know that it’s coming. But as an example, like with the cyber categories that we proposed, this aligns with the current administration’s policies patching multifactor authentication. But for instance, like quantum cryptography is not in our methodology. Does that need to be down the road? Absolutely. That’s a big deal. So this is always going to evolve over time, Tom.

Alan Balutis Technologies change and evolve and of course, member interests change and evolve. We’ve had some consistency in membership on Democratic side with Congressman Connolly. But as you know, the Republican side, we’ve had several members, they’ve come in with different interests, different focus, and it’s not unreasonable to expect that to change on the legislative side as well as the leadership within the administration.

Tom Temin And you have shared this with the administration, with, as you say, staff members and members of Congress and the industry. And some of the agencies have seen it have been part of it. What happens next? How does it happen?

Dave Powner Well, I think that’s the key question, Tom.  What will happen with scorecards 16, the fifth congressional session? What I would say is clearly there’s a focus on cyber. Cyber is going to be front and center. Again, we want to push the work force category. We proposed eight categories. Do you need to do all eight? Not necessarily. You could do a handful of those, but I think it needs to be targeted on priority areas like workforce, like cyber. Legacy modernization is a big one that you could weave in the cloud adoption suggestions that we have. So we’ll see what happens. But over the next couple of months as the next scorecard gets rolled out.

Tom Temin Allan, any final thoughts?

Alan Balutis The Hill has a lot on their plate right now. Your station is reporting on some of those key issues. But as soon as we get those resolved, I think we’ll get back to normal business and see some progress on the report card.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.