After eight years, the debate over the data center consolidation and optimization initiative may have reached a detente.
For the first time ever, the House Oversight and Reform Committee awarded every agency an “A” grade in this subcategory of the Federal IT Acquisition Reform Act (FITARA) scorecard. The committee released the 13th scorecard Thursday.
“Each agency’s progress towards meeting goals set by the Office of Management and Budget are calculated, weighted and averaged according to the committee’s priorities. The weights are: savings (30%), closures (30%), virtualization (20%), and energy metering (20%). Notably, the committee decided not to include uptime or utilization in its calculation due to data reliability concerns. These percentages are generally calculated by dividing the current value by the goal,” the committee wrote in the detailed breakdown of the FITARA scorecard, which Federal News Network obtained.
Five agencies improved from scorecard 12 to 13 to achieve this goal. The departments of Commerce and Homeland Security and the U.S. Agency for International Development improved from a “C” to an “A,” while the Department of Health and Human Services received an “A” after receiving a “D” last time and the Department of Justice earned an “A” after receiving an “F” in July.
“[T]he 14th Scorecard will retire this methodology when it is released later this year. Today, the subcommittee grades agencies using each agency’s quarterly data center submission to the Office of Management and Budget and weights that data center grade according to the subcommittee’s priorities,” said Rep. Gerry Connolly (D-Va.), chairman of the Subcommittee on Government Operations, which held the hearing. “I want to congratulate agencies for getting all ‘As’ in this category. But that is not to be construed as a ‘mission accomplished’ moment by any means. Given the subcommittee’s oversight history on federal data center consolidation, we approach this accomplishment with a bit of a jaundice eye.”
The committees said OMB and agencies have closed several thousand data centers and saved approximately $4 billion from fiscal 2016-2021.
The Federal IT Dashboard says agencies closed 77 data centers in fiscal 2021 and still run more than 1,600 total data centers across government. These closures led to agencies saving or avoiding spending more than $563 million, almost $20 million more than the established goal for last year.
Carol Harris, director of information technology and cybersecurity at the Government Accountability Office, said since 2010 agencies have closed more than 6,800 data centers and saved or avoided spending more than $6.6 billion.
“The rate of consolidation has slowed and it will continue to taper down,” Harris told the subcommittee. “Thirteen agencies had zero planned closures in fiscal 2021 and an additional seven agencies are not planning for future closures. Looking at 2022 and beyond, seven agencies plan to close 79 more centers and save a total of $46 million. Consolidation has slowed because we’ve squeezed as much juice as we can from this initiative.”
Overall, two agencies received an “A,” 10 earned a “B” and 12 got “C” grades under the 13th FITARA scorecard. The National Science Foundation and USAID saw their grades increase to “As” from “Bs,” while the General Services Administration lost its “A+” grade, dropping to a “B+.”
Four agencies saw their grades drop: GSA, the Agriculture Department, the Department of Housing and Urban Development and the Social Security Administration. The main reason was their struggle to move away from the Networx contract and on to the Enterprise Infrastructure Solutions (EIS) vehicle.
“Fifteen of the 24 agencies received failing grades due to having less than 54% on GSA’s weighted percentage metric,” the committee stated. “This area rounds each agency’s transition percentage complete, which measures how many services each agency has moved off the expiring contracts, weighted for complexity. It compares that weighted percentage against GSA’s upcoming goal of reaching 90% by March 2022.”
Four agencies have met the goal of moving to EIS: USAID, NSF, NASA and the Transportation Department. The Labor Department received a “B” while HHS and the Veterans Affairs Department received a “C” for this grading period.
The data center and optimization subcategory has been an area of contention for almost as long as the committee has issued the FITARA scorecard.
In the last hearing in August, Reps. Gerry Connolly (D-Va.) and Katie Porter (D-Calif.) pressed Clare Martorana, the federal chief information officer, to update the definition of data centers, specifically with a focus on larger non-tiered ones. This debate started under former Federal CIO Steven Van Roekel in 2013 and continued up through 2019 when former Federal CIO Suzette Kent released the most recent data center policy.
The data center consolidation and optimization initiative wasn’t the only subcategory that saw huge improvements. The committee also said no agency received a failing grade under the cybersecurity area.
The committee said two agencies, the National Science Foundation and the General Services Administration, received “A” grades, up from one in the last scorecard, and Commerce’s grade rose to a “C” from an “F.”
Committee members continued to raise concerns about both the value and accuracy of the cybersecurity grades. And even those who testified, current and former CIOs, said the FITARA scorecard cyber grades do not accurately reflect the progress they are making.
Ann Dunkin, the Energy Department’s CIO, said of all the FITARA metrics the cyber one is the most inaccurate.
“DoE continues to make progress toward improving our cybersecurity posture. Various security needs within DoE’s mission space present unique cybersecurity challenges, requiring a risk management program to be flexible and allow for risk-based decision making to enable our mission. The department is leveraging the Department of Homeland Security’s continuous diagnostic and mitigation program to obtain additional security tools including most recently hardware and software asset management,” she said. “These capabilities will provide added visibility support risk based decision making. DoE has also made investments in vulnerability management, big data analytics, crowdsource penetration testing and enhanced training initiatives. We’re looking forward to the new 2022 FISMA risk-based approach to cybersecurity, which will allow you to focus on our highest priority mission areas and risks.”
Former CIOs like Richard Spires and Suzette Kent echoed Dunkin’s and the subcommittee’s concerns about the cyber metrics.
Spires, who was the CIO at DHS and the IRS, recommended focusing on areas like real-time monitoring through the use of automated tools, as well as taking into account non-public or classified data to help better understand the risks and threats agencies face.
“The good news is that the recent executive order on cybersecurity issued in May of 2021 can serve as a blueprint for what federal agencies should be doing to enhance their cybersecurity position. In particular, the EO places special emphasis on agencies implementing a zero trust architecture, having holistic visibility across one’s IT infrastructure, implementing secure guidelines in cloud computing environments, focusing on protecting high value data and system assets and dealing with supply chain issues,” he said. “The EO can serve as a means to more accurately grade and an agency cybersecurity posture to determine the specific measures for a category and what additional data will be required so that the category could be properly graded.”
Kent added that the metrics need to be more timely and let agencies and auditors take into account the risks to the operational environment and changing needs, such as those around identity and access management.
“Zero trust implementation progress, encryption status, end point detection, information sharing, those may be things that are more timely metrics,” Kent said.
One suggestion from GAO’s Harris was to use the Biden administration’s cyber executive order from May as the basis for the new FITARA cyber metrics. She also said GAO is working on new studies around IT supply chain risk management and other enterprisewide cyber initiatives that could act as the baseline for future metrics.
With data centers likely going away and the push to change the cyber metrics, Connolly and subcommittee ranking member Jody Hice (R-Ga.) said they likely will revamp most of the metrics for the 14th FITARA scorecard, which likely will come this summer.