The 9th version of the Federal IT Acquisition Reform Act (FITARA) scorecard brought some of the highest marks in five years. But it also reminded the House Oversight and Reform Subcommittee on Government Operations that some old habits don’t die easily.
Not every agency chief information officer is reporting directly to the secretary or deputy secretary yet.
Disagreements over data center consolidation versus optimization continue and likely will heat up over the next six months.
And agencies continue to struggle implementing a key piece of the Modernizing Government Technology Act.
Carol Harris, the director of IT management issues at the Government Accountability Office, said her three priorities for 2020 are:
So with those three in mind, here are my three takeaways from the FITARA 9.0 hearing.
Rep. Will Hurd (R-Texas), one of the authors of the MGT Act, has said for years the real achievement with the law is not the Technology Modernization Fund, but the authority for each agency to set up technology savings accounts.
While the TMF gets a lot of the attention, Hurd, Rep. Gerry Connolly (D-Va.) and others who created the MGT Act believe agencies will get out of technical debt only by modernizing technology, saving money from that effort and repurposing the savings for other projects.
The problem so far is few agencies have taken steps to set up these new savings accounts, partly because so many already have some sort of working capital or revolving fund.
So far, only four agencies — the departments of Agriculture, Labor and Homeland Security and the Small Business Administration — plan to or have set up an MGT Act-authorized fund.
And it looks as though NASA may not be joining that list anytime soon.
The timing of the final decision seemed much longer than necessary. But Wynn said in an interview after the hearing that analysis detailed the working capital authorities, both current and potential ones.
“We’ve laid all of that information out and now are trying to figure out what information our senior leaders will need to make the decision, and we are looking at staffing plans associated with it. I think we will need some top-notch accountants,” she said. “So pulling together an entire implementation plan with a presumption that they will say ‘yes’ is what we want to get ready for when we go to decision.”
Wynn said it’s unclear whether NASA will need new legislative authority.
In the meantime, Wynn said NASA received a $10 million line item from Congress in fiscal 2019 for IT modernization and a similar request is part of the fiscal 2020 budget.
Wynn said that money is specifically for the CIO to use to do the analysis and run the IT modernization process.
Of course, $10 million to make decisions and run processes is far different than having a dedicated savings account specifically for transformation efforts.
Since 2013, the Office of Management and Budget and the Government Accountability Office haven’t agreed on the goals of the data center consolidation initiative.
GAO, for the most part, has been consistently banging on the cost savings drum.
OMB, on the other hand, has floated between savings and optimization over the last six years. In fact, at the June FITARA hearing, OMB rolled out the latest data center policy, which Connolly said was too focused on optimization, not focused enough on savings and inconsistent with the law.
Six months later, OMB and GAO remain at odds.
Carol Harris, GAO’s director of IT management issues, said because of the policy change, GAO didn’t grade agencies on their data center efforts in June.
“OMB’s guidance is now final and unfortunately the concerns I raised at the last hearing about the revisions remain unchanged,” Harris told the subcommittee. “Among other things, OMB’s guidance revises the classification of data centers and data center optimization metrics. For example, OMB’s new data center definition excludes 2,300 facilities that agencies previously reported on in fiscal 2018. Many of these excluded facilities represent what OMB itself has identified as possible security risks. Some are also large facilities that agencies will keep operating but will no longer be reporting on.”
Harris pointed to the Social Security Administration and the Department of State as two of those examples. SSA has five data centers over 8,000 square feet and State has two over 10,000 square feet for which OMB will stop tracking progress against the policy’s goal.
“There are 194 data centers over 1,000 square feet for which closure progress will no longer be reported as a result of the redefinition,” she said. “The changes will likely slow down or even halt important progress agencies should be making to consolidate, optimize and secure their data centers.”
At the heart of this debate is the reality of agency needs and the belief by GAO and lawmakers that agencies are leaving billions of dollars in savings on the table, much of which could be used for other IT modernization efforts.
In fiscal 2019, the governmentwide total for data center savings was only $68.8 million, according to the federal IT dashboard. That was way down from the previous three years when the governmentwide total was between $634 million and $856 million. Over the last four years, agencies saved more than $2.2 billion.
Connolly and Rep. Mark Meadows (R-N.C.) both pushed GAO to place a deeper focus on implementation and compliance with FITARA, particularly around data center consolidation.
“That [data center consolidation] is where the savings are. If we are going to retire these legacy systems; if we are going to reinvest in the enterprise, that’s why we are concerned about OMB’s guidance on what will be acceptable. We want explicit language that says close them and consolidate them,” Connolly said. “We were worried, and we thought we had gotten reassurance that this new guidance that included the vague term optimization would allow people to avoid consolidation and achieve these savings.”
Harris said the new OMB policy is a significant step backwards from where the government was four years ago.
“With this redefinition of data centers, we are losing visibility into 2,300 facilities and that’s a problem because agencies are going to lose focus on consolidation being a top priority. In addition to that, there are security risks associated with not monitoring these facilities, even if you aren’t going to consolidate them,” she said. “We have ongoing work right now evaluating the OMB guidance. We do expect to issue that report sometime soon. We will make recommendations to OMB which will include taking another look at the policy and the classification of the data centers.”
One reason both NASA and the Homeland Security Department received improved grades on the scorecard is the changes both agencies made to their CIOs’ reporting authorities.
NASA Administrator Jim Bridenstine recently signed off on a memo changing the CIO’s reporting structure.
“I have access when needed,” Wynn said. “The NASA CIO and most of the center CIOs sit on all key NASA decision-making councils, and the CIO has direct authority and oversight over center CIOs, including their IT and acquisition decisions. Within NASA, IT is now regarded as a strategic agency resource with the CIO having clear authority to approve the agency’s IT spend plan.”
Wynn said the best example of the change happening across NASA is with the Artemis Program, which is the effort to return to the moon.
“In order to address the new and unique cyber risks and challenges posed by human spaceflight generally, and in particular by Artemis, OCIO is partnering with the Human Exploration and Operations Mission Directorate (HEOMD) and its Advanced Exploration Systems Division at Headquarters. An OCIO representative will attend vital staff-level and leadership meetings, providing immediate OCIO input on programmatic matters,” Wynn said in her written testimony. “This partnership will allow the OCIO representative to better understand HEOMD’s programs and processes, while helping HEOMD identify and resolve any cyber gaps. The OCIO representative will directly support the Artemis team in evaluating cybersecurity requirements; ensuring an integrated approach to addressing cybersecurity risks; and making certain that cybersecurity considerations are included at the outset of this groundbreaking work.”
The Homeland Security Department CIO has had authority over IT spending worth more than $500,000 for almost the entire life of the department. In 2019, acting CIO Beth Cappella said her office reviewed more than 530 procurement requests.
Despite progress at NASA and DHS, there still are five agencies—the departments of Health and Human Services, Justice, Labor and State and the Nuclear Regulatory Commission—whose CIOs do not report directly to their agency’s top leadership.
The Government Accountability Office said DHS and the U.S. Agency for International Development received partial credit because of changes they made in the reporting structure. Overall, GAO says CIOs still do not have the full set of authorities FITARA and other laws give them.
“Laws such as FITARA and related guidance assign 35 key responsibilities to agency CIOs to help address longstanding IT management challenges. In August 2018, GAO reported that none of the 24 selected agencies had established policies that fully addressed the role of their CIO. GAO recommended that OMB and the 24 agencies take actions to improve the effectiveness of CIOs’ implementation of their responsibilities. Although most agencies agreed or did not comment, none of the 27 recommendations have yet been implemented,” GAO states. “According to FITARA, covered agencies’ CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Consequently, GAO made 39 recommendations to improve CIO oversight for these acquisitions. Since then, 23 of the recommendations have been implemented.”