Education pushes back, OPM opens up during FITARA hearing

Most of the time, the focus of the twice-a-year Federal IT Acquisition Reform Act scorecard hearing is on the grades. Which agencies are up, which are down and which agency chief information officers remain in the proverbial back room versus the board room?

But when you dig deeper into the testimony or the hearing discussion, that’s where some of the most interesting IT modernization progress news is revealed.

Here are three takeaways from the House Oversight and Government Reform Subcommittee on Government Operations FITARA 10 hearing:

Education defends data incident

The Education Department received a B+ on the FITARA scorecard, down from an A+ in December. But that wasn’t the reason Jason Gray, the agency’s CIO, appeared before the House Oversight and Reform Subcommittee on Government Operations on Aug. 3. After his opening statement highlighting Education’s IT modernization progress over the last few years — upgrading 5,000 laptops, reducing storage costs and saving $20.5 million — Rep. Stephen Lynch (D-Mass.) made the reason why Gray was appearing before the subcommittee clear.

“I read recently a pretty good story in The Washington Post that talked about thousands and thousands of borrowers of student loans whose personal information, their Social Security numbers, their detailed financial information was left exposed by the Department of Education for like six months. These are people who were looking for some relief, either they had been taken advantage of or exploited by for-profit universities … yet we left all their information available to whomever would tap into it,” Lynch said.


The data incident Lynch referred to came to light in late June and immediately drew the attention of lawmakers.

Gray, obviously, was prepared for the question.

“I would share that article was incorrect. The department did not leave that open for many months,” he said. “We had a situation where a file share was inadvertently left open to internal department only employees. As we briefed the committee on Friday [July 31], there was not external access. It was one element. We did report as required by OMB memo 20-04. It is a low-risk incident.”

Gray compared the situation to one in which a safety deposit box in a secured vault in a bank is left unlocked and the only people who can access the vault are trusted, vetted employees. He said it was one file out of 7 million folders where a user inadvertently gave others in the department permission to access the data.

“This is a situation where an employee actually recognized that a safety deposit box in that vault was left open and external people could not get to it. It should not have been unlocked,” he said.

Lynch interrupted to ask whether every single person has a “need to know,” meaning they have access to the data. Gray said that while every employee is vetted to be able to review that information, not all of them need to access it.

Lynch said Education needs to tighten up the access to this sensitive data, to which Gray agreed and said the agency already has taken steps to do that.

“We took care of it right away. We also went through and scrubbed and rescrubbed. We hired a third party to come in and recheck all of what we’ve done. As of this morning, they have come to the same exact conclusion as it relates specifically to this incident, it was a low-risk incident,” Gray said.

For the rest of the hearing, another 35 minutes or so, Gray received three more questions, two of which focused on this data incident and Education’s cybersecurity challenges.

Reps. Glenn Grothman (R-Wis.) and Gerry Connolly (D-Va.) both asked about improving Education’s cybersecurity scores. On the scorecard, the agency received a C, and the agency inspector general’s 2019 Federal Information Security Management Act report from October found Education’s “programs were not effective in any of the five security functions — identify, protect, detect, respond and recover.”

Gray said Education has taken a four-phased approach to focus on its processes, policies, tools and training of employees.

“We’ve also developed and implemented a cyber risk scorecard with near-real time metrics and it’s aligned to the National Institute of Standards and Technology’s cybersecurity framework,” he said. “That’s visible to our system owners so they see exactly how they are doing. When something is red, it’s not necessarily red, but it’s an indication that it needs some work. The scorecard gets briefed every single month to the secretary and deputy secretary and monthly to all the assistant secretaries.”

Scorecard changes coming sooner than later

If you didn’t stay around for the second panel of former federal IT executives, then you missed what the future of FITARA likely will look like.

It was clear the subcommittee plans to add the transition to the Enterprise Infrastructure Solutions (EIS) program from Networx for telecommunications and infrastructure modernization to future scorecards. And it was clear the subcommittee is considering removing the software licenses subcategory from the future scorecards as every agency but the Office of Personnel Management received an “A.”

But the second panel, which featured Richard Spires, former Department of Homeland Security CIO, LaVerne Council, former Department of Veterans Affairs CIO, and Dave Powner, former Government Accountability Office director of IT issues, identified some of the more substantial ideas for change.

All three offered five improvements lawmakers and GAO should consider, and several common themes emerged.

“Some of the graded have reached a level of maturity where perhaps grading is no longer a necessity. This is not to say they are no longer important, but there are other areas that would benefit from the transparency, measurement and oversight the scorecard provides,” said Powner, who is now director of strategic engagement and partnerships at the MITRE Corp.

Spires, who now runs his own consulting firm, said despite the progress of FITARA, agencies continue to need to mature processes and procedures to manage and maintain technology systems and applications.

“Given the success of the scorecard, it should continue as a tool to measure agency progress. I recommend changes to the scorecard to sharpen the focus on IT management and modernization,” he said.

All three thought the subcommittee should address workforce gaps and IT budgeting challenges through future scorecards.

Council, the current CEO of Emerald One, LLC, said ensuring agencies have a “culture of readiness” to adopt new or emerging technologies is critical.

“IT is not an island. It is a catalyst, a partner, a visionary. No CIO can transform their technology environment in isolation. The culture must be prepared to adjust to that transformation,” Council said. “The organizational culture must not only endure technology modernization. They must embrace it.”

Powner added that focusing on the workforce would help better address long-standing challenges in filling critical skillsets.

“[A]lthough not directly tied to this scorecard discussion, Congress should look at using more critical pay authorities for CIOs, as well as examining five-year appointment terms for CIOs to address the short tenure problem and its impact on mission modernization,” he said.

The appropriations process has long stood in the way of IT modernization success.

Spires said agencies need to understand cost and value coming from technology, through the use of Technology Business Management standards and through the benchmarking of IT services.

Powner agreed that understanding where money is spent and what agencies get from that funding would help them make the case for increases in technology funding from Congress.

“We must ensure that our agencies’ fiscal reality supports the technology mandates we impose. It is a disappointing reality that many of our agencies continue to receive technology budgets that allow them to do little more than maintain and sustain outdated systems,” Council said. “For FITARA, the Modernizing Government Technology Act, the Technology Modernization Fund and other technology legislation to affect significant change and position our government for the next crisis, consider how they may link to one another. Is TMF funding contingent upon FITARA scores? Can FITARA scores be decreased due to the low use of the mechanisms in MGT? By creating more meaningful connections between the different tactics, the committee can create the leverage and strength some agency CIOs need to build support through their leadership teams.”

Spires offered an interesting idea for how to keep the scorecard relevant going forward. He suggested creating an advisory board, led by GAO and including the CIO Council, OMB and private sector experts, to come up with suggestions to improve FITARA over the next three-to-six months.

OPM IT modernization revealed

Remember when the Office of Personnel Management was the agency every lawmaker and contractor cared so much about? This past June marked the five-year anniversary of when the world found out about the neglected state of OPM’s IT infrastructure that led to the loss of data of 21.5 million federal employees and contractors.

The public focus on OPM dimmed the further we got from the breach, and the agency’s technology officials crawled out of sight over the past few years, leaving much to wonder about whether the agency fixed many of its systemic IT problems.

Clare Martorana, OPM’s seventh CIO in seven years, shed a little light on the state of OPM’s IT modernization efforts during the hearing. And on the surface, it’s hard to tell just how much progress the agency has made.


On the positive side, Martorana said the agency rolled out about 2,800 laptops to employees and moved to Microsoft Windows 10 and cloud-based Office 365 email.

“[W]e made improvements to expand our virtual private network (VPN) capacity and security to ensure we’d be able to provide the same level of support to our workforce of about 2,800 OPM employees, as well as about 11,000 Department of Defense Counterintelligence and Security Agency (DCSA) employees and contractors,” Martorana said in her written testimony. “OPM staff and contractors moved seamlessly to maximum telework, utilizing this secure connection to the OPM network over the internet to access the various OPM systems and applications. Due to our laptop repair program, virtually every staff member was able to take their laptop home and perform their work with little to no interruption.”

She said OPM has an average of 4,500 concurrent users a day and the network consistently remains below 50% bandwidth consumption.

Another positive development happened in mid-July. She said OPM successfully migrated its mainframe technology from the headquarters building in Washington, D.C., to the Iron Mountain commercial data center in Boyers, Pennsylvania.

“We also met the challenge of decoupling OPM’s systems from DCSA’s 2 1/2 months before the Oct. 1 deadline as required under the National Defense Authorization Act (NDAA) for Fiscal Year 2018 and Executive Order (EO) 13869,” Martorana said. “OPM and DCSA’s systems are now fully operational in a new modern environment and have a disaster recovery environment in place. Many said this could not be done.”

This really was the first update by OPM in nearly 18 months, since David Garcia left in February 2019 and leadership elevated Martorana to the CIO role.

But it also shows how far OPM has to go. Martorana said the agency’s IT budget remains fed by seven disparate funding streams. She wants to create a working capital fund under the MGT Act, but it’s unclear whether Congress will grant her that authority.

Martorana also seemed to insinuate that real IT modernization at OPM can’t truly begin until DCSA takes over all security clearance related technology infrastructure and systems later this year.

“We are struggling with our staffing. We are struggling to make sure we have appropriate staff levels to support all of the systems we are maintaining,” she said. “We are still on a daily basis operating DCSA, national background investigations systems and all of their daily operations as well as all of their laptop and desktop support services. As we are able to hand that mission fully over to DoD and focus singularly on OPM, that will give us the opportunity to focus on OPM’s core mission and upgrade all of the services we deliver to our mission.”

One of those core mission areas is the retirement systems modernization effort that has failed numerous times over the past three decades.

Martorana said OPM recently tested an emergency technical solution with one payroll provider to allow for the electronic submission of retirement applications to OPM.

“Our test was successful and can be expanded to the remaining payroll providers should we have the funding levels necessary to support this effort,” she said.

Martorana promised to get OPM’s FITARA scorecard grade up to a B+ from a C+ in the next grading period. She said funding under the coronavirus stimulus bill will help the agency improve how it manages its software licenses to meet the goals of the MEGABYTE Act.

“Before you can modernize an enterprise, you must ensure that you have a solid foundation to build upon,” she said in her testimony. “OPM is undergoing the foundational efforts to modernize outdated and dilapidated systems and infrastructure which makes operating challenging on a daily basis.”