The House Oversight and Reform Committee will tackle a wide range of IT modernization issues when Congress reconvenes in September, but the chairman of its government operations subcommittee has warned that some of the legislative fixes lawmakers passed years ago still haven’t worked as planned.
Rep. Gerry Connolly (D-Va.) said he expects the committee next month to mark up his FedRAMP Authorization Act, which would codify the Federal Risk Authorization and Management Program into law. The bill would require agencies to provide a “presumption of adequacy” to vendors that have already gotten FedRAMP-certified at other agencies.
“Some federal agencies, we understand, have very specialized kinds of services or needs in a particular domain and that may require an additional review and certification. But the basics, once you get through them [once], ought to be presumptively good for a company,” Connolly said Thursday at MeriTalk’s cybersecurity brainstorm event in Washington.
Connolly and subcommittee ranking member Mark Meadows (R-N.C.) first introduced the bill in the last session of Congress and reintroduced it last month. However, the subcommittee’s scrutiny of FedRAMP has already had some of its intended effects.
At a subcommittee hearing last month, Jack Wilmer, the Defense Department’s chief information security officer and deputy chief information officer for cybersecurity, said DoD will now issue general provisional authorizations to vendors that have a Provisional Authority to Operate (P-ATO) at the FedRAMP-moderate impact level from the Joint Authorization Board (JAB).
Connolly said the Pentagon’s actions marked a change in the right direction, considering Wilmer represents DoD on the JAB, which the congressman described as the “gold standard” for FedRAMP certification.
“People would get certified at JAB, only to find that when they went to do business at the Pentagon, they had to get started all over again — even though the Pentagon was represented at the JAB,” Connolly said.
Beyond proposed legislation, challenges remain for laws that have been on the books for a number of years. The Modernizing Government Technology (MGT) Act, Connolly said, is on track to receive an “anemic” level of funding in fiscal 2020.
The House-passed spending bill proposes giving the board that oversees the fund $35 million next year, a fraction of the $150 million outlined in the administration’s budget request.
Connolly acknowledged that additional IT modernization funding might be a “hard sell” to Congress, considering that agencies already spend more than $96 billion a year on IT, but the Technology Modernization Fund looks to give agencies an incentive and an opportunity to modernize their legacy systems.
Federal Chief Information Officer Suzette Kent, who oversees the fund, told members of the subcommittee at a recent Federal IT Acquisition Reform Act hearing that limited TMF funding would restrict the scope of IT modernization projects that agencies could undertake.
Another major provision of the MGT Act also remains contested. Several agencies have reported to lawmakers they’ve been unable to set up working capital funds — funded through the cost savings achieved by replacing legacy IT systems — to bankroll additional IT modernization projects.
“Even though we passed a law that says you can do that, there are all too many general counsels who are saying, ‘Well, no, actually you can’t because that’s an appropriated dollar and you need additional authority to do that.’ So we’re kind of in a legal dispute … We may need to clarify the MGT Act, either by working administratively or to pass another law that makes it very clear what the authority is,” Connolly said.
Connolly also pushed for data center consolidation as the ultimate goal of the FITARA scorecard, rather than the objective of data center optimization as outlined in the Office of Management and Budget’s recent Cloud Smart guidance.
“That’s where the money is,” Connolly said about the potential cost savings possible with data center consolidation. Those savings, he cautioned, might not be possible with optimization as the target.
“When we use words that are fuzzified, you get fuzzified results,” Connolly said.