The 15th FITARA scorecard may be the last one as we know it today.
The House Oversight and Reform Subcommittee on Government Operations will hold the bi-annual hearing on Dec. 15 using the current methodology to measure progress against the Federal IT Acquisition Reform Act.
Lawmakers, other federal officials and former agency leaders have been calling for an update to the scorecard for the last few years.
While the subcommittee, the Office of Management and Budget and the Government Accountability Office have been discussing what the future scorecard could look like, a group of former agency chief information officers and other technology executives is offering some specific suggestions in a white paper from ACT-IAC.
“What we tried to do was work off the existing scorecard, and then talk about how we would evolve some of these particular measures,” said Richard Spires, a former DHS CIO and now an independent consultant, who helped lead the effort, on Ask the CIO. “What do you focus on? You focus on things that are measured and reported on. There is no reason today why federal government agencies shouldn’t be not only delivering things agilely, but also using modern development techniques and testing, including DevSecOps. It is best practice. It’s clearly swept the private sector. Every agency will say we’re doing some of that, and that’s fantastic that they’re doing some of that, but have they really embraced it? Have they really got it into production? Are they really doing it on all the applications that they should? That’s where we want to get and that’s really how you’re going get an ‘A’ in this kind of measure.”
The working group sought to expand or modernize six existing grading categories as well as suggesting one potential new ones where data already exists.
“The recommendations contained in this report are based on the project team’s consensus view regarding those changes that would have the most relevant and positive impact on an agency’s IT management capabilities, as well as its ability to deliver the IT infrastructure necessary to create a modern, 21st century digital government,” the white paper states. “In developing the recommendations on grading a category, a primary objective was to keep it simple, so the grading mechanism could be understood by all relevant stakeholders. Further, the agency data needed to grade a category must be either available publicly or easily attainable. For the majority of the FITARA score categories, the data (including agency plans for such things as cloud and modernization plans) should be posted to the IT Dashboard, so the data sources will shift from Congressional data calls to OMB reporting. And finally, the view was to not significantly increase the number of categories in the scorecard.”
Ongoing discussions about FITARA evolution
Dave Wennergren, CEO of ACT-IAC, said the changes in federal technology over the last five years require agencies and Congress to rethink what IT modernization success looks like.
“We’ve talked a lot about the things that you measure are the things that you focus your time and attention on. I think the scorecard bears that out,” he said. “If you look at the things the scorecard has been measuring, you can see trend lines that have actually improved. You can see that the data center focus created improvement in data center optimization, the emphasis on things like enterprise licensing software, purchasing agreements, has created improvement there. As you watch the grades of agencies have improved over the time. So I think there’s a proven track record that good performance management does help prioritize and focus people’s efforts.”
Wennergren, the former Defense Department principal deputy CIO, Department of Navy CIO and vice chairman of the Federal CIO Council, said because agencies need to deliver capabilities in rapid chunks that engages the customer throughout the process, the metrics need to emphasize those concepts.
“The longer it takes to deploy, the farther away agencies get from both the pace of technology change, but also the ability of the people who have to use the system to actually influence whether it does anything at all to help them get their job done,” he said.
House lawmakers, GAO and OMB have been debating what the new scorecard should look like since at least 2019 after FITARA 8. The subcommittee and GAO have made some changes over the years, such as retiring the software licensing category, adding progress in transitioning to the Enterprise Infrastructure Solutions (EIS) vehicle to modernize voice, video and data networks and the subcommittee intends to reduce the data center consolidation and optimization category to just consolidation.
OMB, meanwhile, is working with the subcommittee and GAO on new cybersecurity metrics. Federal Chief Information Security Officer Chris DeRusha is expected to testify before the subcommittee on Dec. 15 likely about what new cyber metrics OMB is collecting from agencies. At the FITARA 14 hearing, the subcommittee and GAO said OMB’s changes to the cyber metrics drove down scores.
Suggested cyber metrics
For the new cybersecurity metrics, ACT-IAC suggested five equally weighted elements: multi-factor authentication, smart patching, asset management and response, zero-trust progress and managing information and communications technology supply chain risks.
Spires said the cyber metrics, for example, are relatively simple to gather data on and report publicly.
“The guiding constraints we used as we were trying to create these recommendations was something that you could collect the data on could be understood by all and that could be relatively simply implemented with a number of new data calls,” he said. “The idea is that if we were to move to a number of these recommendations, we would want OMB to take over the process and actually put it up on the Federal IT dashboard. All of these things could be reported. Maybe there may be some sensitivities about some of the data. But for the most part, this data could be reported on the dashboard, and that would make very, very easy to score without having to do additional data calls.”
The one area where the ACT-IAC working group wanted to add new metrics is around workforce.
Spires said currently agencies are not measuring how they are addressing this challenge through FITARA, but it’s quickly becoming one of the most important areas CIOs and other leaders need to focus on.
The working group suggested only two metrics: IT workforce retirement eligibility, where the lower an agency’s percentage of employees who are eligible to retire the better grade they get; and IT workforce strategic plan, where agencies need to understand what they should have in terms of the number of positions, and skills and abilities for each position.
ACT-IAC plans to continue to socialize the white paper as the subcommittee and GAO continue to develop the new scorecard.
Wennergren said they are having discussions with different members of the House and Senate, with GAO, with the federal CIOs and others.
“We want to make sure all those equities are represented. One of the things that our Institute for Innovation is doing is having dialogues with a couple of federal agencies to see if they could pilot the collection of some of the new data that we’re asking for to see what the art of the possible is to see if it would be feasible to do some of the recommendations that we have in the report,” he said.