Editor’s Note: The industry-government organization American Council for Technology and Industry Advisory Council, or ACT-IAC, rebounded nicely with the 2019 edition of its ImagineNation ELC conference.
With more than 1,000 attendees and dozens of sessions focused on all the typical hot topics in federal IT, the conference covered the range of discussions from thought provoking innovation that is happening across government, to the usual trite comments around “cyber is a team sport” or the oldie-but-goodie, “It’s not the technology, it’s the culture that needs to change.”
Several industry attendees told me they wish more government people attended, and others said they would liked to have seen a more non-IT discussion. But overall, the reaction is the 2019 version was much better all-around than the 2018 conference.
Here is part 2 of my takeaways from the 2019 edition of its ImagineNation ELC conference. Find part 1 here:
Insight by Galvanize: During this webinar Marianne Roth, the chief risk officer of the Consumer Financial Protection Bureau, will provide a deep dive into enterprise risk management at CFPB. Additionally, Dan Zitting, the CEO of Galvanize, will discuss how making better use of data and technology can help federal agencies more rapidly allow decision makers address and mitigate risks.
This December, the Federal IT Acquisition Reform Act (FITARA) turns five years old.
Step back and think about that fact for a second—it has taken half a decade for chief information officers to only begin to truly have the power to manage and control their agency’s technology spending.
NASA is the latest example of the change for CIOs that finally is happening. Renee Wynn, the NASA CIO, said at the ImagineNation ELC conference that starting in October 2020 all employees whose job it is to do IT will fall under her office.
Wynn called it having more “custody and control” of all IT across NASA.
“I now have full responsibility for software lifecycle management across NASA. It was just given to us. I hope to get the plan approved in December to begin implementation,” she said. “That means if engineers need software they are coming to us or if rocket scientists need software, they will come to us too.”
That has not been the case at NASA for decades where the CIO had limited visibility and control into the mission area IT. That caused huge cybersecurity risks and real problems that Wynn only now is starting to address.
“This is one step toward managing our supply chain risks. We have processes in place, but cannot scale fast enough. We are all beginning to recognize it’s a rich field for attack,” she said. “I now have a cyber professional embedded for entire set of phases for Artemis, our mission to get boots to the Moon and then Mars. That embed is pulling together the highest risks we face. It’s not just landing on the moon or Mars, but the hardware and software risks associated with it.”
NASA earned a B+ grade in the December 2018 scorecard only to see a huge drop in the June 2019 report down to a D-. Part of the reason for the drop, Wynn doesn’t report directly to the NASA administrator or deputy administrator, and poor cybersecurity scores.
Wynn’s experience to get more control of NASA’s IT is but one example of FITARA in-action across the government.
Maria Roat, the Small Business Administration CIO, said it took her 2-to-3 years to lower the requirement that SBA offices seek her approval for any IT buy worth $50,000 and above. The approval level used to be set at $150,000 or more.
“Now I’m trying to get my arms around credit card spending, which is up to $10,000,” she said. “Last year, one of our offices bought servers at the end of the calendar year and we didn’t know about it. But once they tried to connect it to our network, it was flagged and the servers still sitting there unconnected.”
SBA received a B+ on the FITARA scorecard for the last two grading period, receiving three As in the process.
So here we are five years later, and many agencies only now are seeing the impact of FITARA. Part of the reason is change in culture and in policy doesn’t come easy to government—no surprise there—and another part of the reason is the having the right CIO and agency leadership in place. ACT-IAC has been trying to help out, releasing a FITARA maturity model and updating it in August. Project leaders say another revision already is in the works.
David Powner, the former Government Accountability Office director of IT management and now director of strategic engagement and partnerships at MITRE, said GAO and Congress designed the FITARA scorecard initially to get the right attention and drive the outcomes desired by the law.
Powner said after focusing the scorecard on the initial goals of FITARA and expanding it to include software license management, it’s time to update what it measures and what new behaviors it should drive.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
“The scorecard should be a federal government and not a Congressional scorecard. The legislative branch and executive branch need to come together more on what is measured, and I think they both need to give a little bit,” he said.
Powner said that means the scorecard should follow the President’s Management Agenda areas like mission fulfillment, workforce training and even something like customer satisfaction.
Margie Graves, the deputy CIO of the federal government, said OMB recognizes the FITARA scorecard needs to evolve and is working closely with GAO and the CIO Council on what the new grading areas will look like.
“We are redesigning what measures should be and how we can drive the change we want in the future around citizen services, customer satisfaction and mission delivery,” Graves said. “All these things put the end recipient at the center of the equation. The other thing that we will see change is meeting each agency where they are. Some measures do work for one-size fits all, but they are few and far between. We need to lay out a plan that is relative to that agency and have them hit milestones they have laid out. Those are measures to make sure people are scored fairly. This is not about blame and shame, but moving the needle and getting people to right place.”
Tony Scott, the former federal CIO during the Obama administration, offered a different perspective on what the scorecard should measure.
He said agencies don’t do a good job measuring debt because that will tell them where to put money and resources.
“From a transparency and visibility perspective, we need to measure technical debt we are incurring when we don’t address the legacy stuff we have, and how far we are falling behind. It’s no different than measuring the national debt,” he said. “Then there is architectural debt. That measures old models versus old technologies and how the organizational structures are part of the systems we create. If you look at the way organizations outside of government digitized, they focused more on horizontal integration not vertical integration.”
Scott said the final debt that OMB should measure is around policy or process debt.
“We have to clear the dust or cobwebs out of attic and create an environment where things can survive when there is change. It’s about having the best rules under which we operate,” he said. “I’d love to see the scorecard measure those three things, and figure out if we really are making progress.”
No matter what the scorecard ends up measuring, the fact is the agencies are starting to feel the impact of the 5-year-old law. The scorecard combined with Congressional oversight has driven better behaviors across the government—admittedly far from perfect, but the progress and impact are real.