Agencies received mixed scores in the most recent Federal IT Acquisition Reform Act (FITARA) scorecard, with five agencies posting higher scores and another five posting lower scores than last year. But the team behind the scorecard at the Government Accountability Office said changes are in the works for the next IT modernization rubric.
Kevin Walsh, the GAO’s FITARA executive, told members of the American Council for Technology and the Industry Advisory Council (ACT-IAC) that the software licensing grade on the FITARA scorecard may soon be on its way out.
The FITARA 8.0 scorecard released in June shows that all agencies except for four received an ‘A’ for software licensing. Those with failing grades include the departments of Commerce and Interior, as well as the Nuclear Regulatory Commission and the Environmental Protection Agency.
“I think if the scorecard were to ever eliminate an area, that would probably be one that would be a candidate. It’s close to saying, as far as we can track it, that work is done,” Walsh said Wednesday.
The Office of Management and Budget’s recent data center consolidation guidance will also change the way GAO and Congress will measure progress on that metric going forward.
OMB’s guidance no longer requires agencies to maintain inventories of the smaller, non-tiered data centers that make up about 80% of their inventory and would prioritize the optimization of existing data centers over further consolidation.
Carol Harris, GAO’s director of IT management issues, warned at a House Oversight and Reform Committee’s subcommittee on government operations hearing in June that the change in metrics would slow or even halt progress on data center consolidation.
Walsh said future scorecards may also be influenced by pending legislation, such as the 21st Century IDEA Act that Congress passed last year and the FedRAMP Reform Act, introduced in July by Reps. Gerry Connolly (D-Va.), the subcommittee chairman, and Mark Meadows (R-N.C.), its ranking member.
In the months leading up to the release of each FITARA scorecard, Walsh said his team at GAO meets with members of the House Oversight and Government Reform Committee’s information technology subcommittee, as well as former committee leadership like Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.).
“We meet with them on an ongoing basis and I bring the scorecard itself, and present to them a series of options that could be used, based on issues or questions that have arisen,” Walsh said about the process of adding – and dropping – criteria from the FITARA scorecard.
The group also weighs input from individual members of Congress. Walsh said former IT subcommittee chairman Hurd has expressed his desire to make the FITARA scorecard more of a “digital hygiene scorecard,” which Walsh said he understood to mean how agencies overall are handling IT management.
While GAO collaborates with Congress on the FITARA scorecard, Walsh said lawmakers have the final word on what makes the cut.
“We tell them, ‘Hey, this is imperfect, but here are the pluses and minuses this way. Here’s what’s good and bad about it.’ It really is kind of an advisory role, but the ultimate decision is with the Hill,” Walsh said.
Maria Roat, the Small Business Administration’s chief information officer, said she agrees the FITARA scorecard needs to “evolve” over time, but cautioned that agencies need some consistency with how they’re assessed.
“There may be some things over time that drop off and things get added, [but] you can’t make changes to that scorecard every six months, because you’ll never have a goal post,” Roat said.
SBA, USDA CIOs question FISMA score on FITARA scorecard
For the first time, the FITARA 8.0 scorecard released this month included a cybersecurity score that reflects agencies’ performance under the Federal Information Security Modernization Act (FISMA). That FISMA score stems from agency inspector general cybersecurity reviews and progress made under cybersecurity cross-agency priority (CAP) goals.
But USDA CIO Gary Washington said the IG part of the FISMA score isn’t “indicative of what we should be focusing on in cybersecurity.”
“The FISMA score is just the FISMA score. It’s the OIG looking at two systems out of — pick an agency — 40 systems, 140, 240 systems. It’s a little bitty piece, and I don’t think the cyber score is representative of what an agency may be doing,” Roat added.
Beyond GAO, other members of the federal IT community have recognized that while the FITARA scorecard has shone a spotlight on important issues, such as elevating the authority of agency chief information officers, the scorecard doesn’t capture the full IT health and modernization vigor of an agency.
Flip Anderson, director of FITARA operations at USDA, said GAO remains open to agency feedback about the FITARA scorecard. For example, Anderson said he’s had talks with GAO and the CIO Council about the methodology for the “transparency in risk management” category.
“On the surface, it looks like the worse you do on the federal CIO dashboard, the better you look on the FITARA scorecard … I’ve reported that to Kevin [Walsh]. ‘We’ve got an issue with how this score’s being done. There needs to be a better methodology for our scoring,’” Anderson said.
Recognizing that FITARA doesn’t tell the whole story of an agency’s IT health, ACT-IAC, in collaboration with USDA and the governmentwide CIO and CFO Councils, has launched an updated IT management maturity model that gives agencies a roadmap for how to improve their performance under FITARA. ACT-IAC rolled out its first iteration of the model in 2015.
Washington said the maturity model’s metrics are now a “performance element” for all CIO office personnel, and he has made the model part of USDA’s FITARA self-assessment mandated by OMB.
The 2015 model grades agencies on three stages of maturity, with a three being the highest score, on five key metrics. USDA reached level two maturity on all five key criteria in December 2017. Anderson said he expects the agency to reach level three maturity in all those areas by the end of December.