Cybersecurity is, once again, the prime focus of the Federal IT Acquisition Reform Act scorecard.
The 15th version of FITARA debuts a new category for federal cybersecurity progress, while also reconfiguring the current IT security metric. The House Oversight and Reform Committee scored that metric from agency inspector general assessments, applying a committee-determined weighted average instead of the traditional simple average.
Federal Chief Information Security Officer Chris DeRusha told the subcommittee that the Office of Management and Budget released new cyber metrics on the Performance.gov site on Dec. 14.
“The metrics that we put up on performance.gov yesterday are a good representative sample of where we’ve been focused in [cyber] executive order implementation,” DeRusha told the subcommittee. “For example, if you look in the protect category, we focused on four things there. One is ensuring we understand and prioritize risk as our adversaries look at our networks. We’re talking about smart patching, which is using intelligence to prioritize our risk remediation. Second, we’re looking at multi-factor authentication. That is one of the most effective ways to keep our adversaries out when they are knocking on the door. And last, we’ve focused on encryption. So if those defenses fail, the harm is lessened or reduced to zero if you’ve got encryption in place. For us, we’ve been really focused on ensuring that we’re putting the most attention and understanding where there may be gaps in implementation, and opportunities for new policy interventions.”
OMB says the General Services Administration was the only agency to score above 90%, while 14 agencies scored 80% or higher, including the departments of Justice and Health and Human Services with 88% each, and the Department of Education with 87%.
The Interior Department scored the lowest with 68%.
The cyber focus comes after the committee knocked down nearly every agency’s grade under the 14th version of the scorecard from July because of the Office of Management and Budget’s change to how it collects cyber metrics used to score agencies. OMB decided to no longer conduct data calls for cybersecurity cross-agency priority goals as it had done for much of the last four years. Instead, the committee relied solely on inspector general reports on the Federal Information Security Management Act (FISMA).
Reps. Gerry Connolly (D-Va.), chairman of the subcommittee on government operations and co-author of FITARA, and Jody Hice (R-Ga.), the subcommittee’s ranking member, were not excited about the change in July and showed little enthusiasm for OMB’s new metrics.
“The metrics have changed, but really nothing is changed, and that’s what’s kind of disturbing to me,” Hice said. “The data used to compute this scorecard was the same data that was used last year, and really nothing changed, but the grade, and because it’s a little more weighted approach to scoring. For example, last year, the EPA got a ‘D,’ this time, it got a ‘C,’ but nothing has changed, just the way we score. So we’re not getting anywhere. We may pat ourselves on the shoulder and say, ‘Hey, we’ve got better grades,’ but we don’t have better grades. We just have a different way of grading and nothing has changed from last year. And that’s, that’s disturbing to me.”
Unlike the 14th scorecard’s results, this latest version shows improvement among seven agencies. Two agencies saw their grades increase and 17 agencies had their grades stay the same as the last grading period. This is only the fourth time since 2015 that no agency received a “D” or an “F” grade.
The U.S. Agency for International Development received the only “A” grade for this scorecard. This is the third straight grading period the agency received the top score and fifth out of the last seven scorecards.
Meanwhile, the departments of Transportation and Defense lifted themselves out of the “in danger of failing” class, earning “C” grades.
The cybersecurity changes also didn’t resonate with the Government Accountability Office.
Carol Harris, the director of IT and cybersecurity at GAO, said the metrics are incomplete at best.
“It is not intended to measure cyber comprehensively. I think Mr. [Jason] Gray [USAID CIO] is probably on to it, where you’re going to have to have multiple metrics to give that holistic picture,” Harris said. “But I think what’s important is that these CAP goals need to be addressed because it is the law, and having it woven into existing CAP goals as an enabler is a great thing, but is not what the law says. Real property and IT need to have stand-alone CAP goals because these are long-standing IT and management issues.”
The CAP goals Harris is referring to are required by the Government Performance and Results Act (GPRA) Modernization Act of 2010.
OMB’s DeRusha said the administration believes it is tracking IT throughout the CAP goals as part of its customer experience and federal workforce efforts.
But Harris and several subcommittee members said the law requires OMB to specifically track IT modernization and real property management and not weave them into other goals, and therefore the administration is not following the law.
Gray, who joined the USAID last summer, said the new cyber metrics are a good start, but they need to evolve and mature. He said too often FISMA metrics are dated when they come out, and agencies need additional metrics to better capture how agencies are managing their cyber risks.
“I know we’ve been briefed on it, much like FITARA, and I look forward to it evolving over time. I know the CIO Council has been briefed on the metrics and the methodology,” he said. “For the metrics that are captured, in what I’ve seen, yes, it is accurate as it relates to those metrics. I do think that there needs to be more, and even OMB stated this when it was briefed to the CIO Council that it’s going to mature. I look forward to working closely with OMB and the CIO Council to look for additional metrics that could be used to capture the holistic risk that agencies are managing every day.”
Two other scorecard changes
The committee initiated two other major changes to FITARA 15.
The first is around the data center category. The committee and OMB have been sparring over this category for much of the past nine years.
The big change is that the committee modified the scoring to give credit to agencies that provided justifications for their future data center closures. This information came from a letter the committee wrote to agencies in July seeking details on the number of data centers still operating and whether the agencies believe they can close more data centers in the future.
“Agencies with no future data center closures beyond October 2022 who replied to the [committee’s] inquiry received an A; agencies with planned closures beyond fiscal 2022 who replied to the inquiry and provided a justification for closures received a B. All agencies replied to the inquiry; had they not, C and F grades would have been received,” the committee wrote in the scorecard.
Overall, 19 agencies received “A” grades and five agencies received “B” grades for data center closures.
The second major change focused on the transition to the Enterprise Infrastructure Solutions (EIS) vehicle run by the General Services Administration.
The committee graded agencies on a “pass/fail” basis solely based on whether they met the 90% goal of transitioning to the new network and telecommunications contract from Networx as of Oct. 31.
Only five agencies (USAID, the departments of Health and Human Services and Treasury, NASA and the Nuclear Regulatory Commission) received a passing grade for the EIS transition.
Previously, the committee scored agencies’ EIS transition with a letter grade based on how close they came to meeting that 90% goal.
GSA recently signed memorandums of understanding with 82 agencies to give them more time to transition to EIS. GSA says 20 CFO Act agencies, 11 large or medium agencies and 51 small ones signed the MOU extending the deadline to May 31, 2024.