3 takeaways from the FITARA 17 scorecard roundtable

The FITARA scorecard continues to be a point of contention between Oversight and Accountability Subcommittee on cyber and IT leaders.

The 17th iteration of the Federal IT Acquisition Reform Act scorecard was, once again, a very one-sided affair.

It wasn’t that Rep. Gerry Connolly (D-Va.), co-author of the 2014 law and ranking member of the Oversight and Accountability Subcommittee on Cybersecurity, IT and Government Innovation, didn’t let others speak, though he is prone to enjoy the microphone like most lawmakers.

It was that he was the only legislator at the FITARA 17 roundtable last Thursday.

Subcommittee Chairwoman Nancy Mace (R-S.C.), for a second time since September, didn’t agree to hold a formal hearing so Connolly was left to host a roundtable that had no Republican participation.

Congressman Gerry Connolly (D-Va.) held a FITARA roundtable on Feb. 1. (Photo credit: Jason Miller/Federal News Network.)

“First, I want to mention how disappointed I am that our Republican majority has turned its back on the FITARA scorecard,” Connolly said in his opening statement. “The scorecard has been a bipartisan oversight project for more than eight years with Republican champions like [Reps.] Mark Meadows (R-N.C.), Will Hurd (R-Texas) and Darrell Issa (R-Calif.). It has helped save nearly $30 billion, closed 4,000 unnecessary data centers, expanded the use of working capital funds as flexible vehicles for IT modernization funding, almost doubled the percentage of federal IT projects using incremental development to deliver functionality and empowered agency Chief Information Officers (CIOs) with greater budget and procurement authority and a more direct reporting relationship to agency leadership. The scorecard sits at the heart of this subcommittee’s mandate to oversight federal IT.”

There now has been no formal FITARA hearing since December 2022, the 15th iteration of the scorecard.

A House Committee on Oversight and Accountability spokesperson pushed back on Connolly’s notion that the majority has “turned its back on FITARA.”

“FITARA is a law concerning federal IT management and acquisition. Ms. Mace’s subcommittee has held a dozen hearings in the past year concerning not only federal information technology management and acquisition, but also pressing issues surrounding artificial intelligence, and cybersecurity. These hearings have been a critical vehicle for substantive oversight and the development of significant legislation,” the spokesperson said in an email to Federal News Network.

Mace held 12 hearings in 2023 looking at federal technology and cyber issues, with artificial intelligence receiving the most attention. She did hold hearing on legacy federal IT, the problems with Login.Gov and the continued struggles with the Defense Travel System program — all of which fall under the FITARA umbrella of oversight of federal IT projects.

Exactly why Mace will not hold a FITARA hearing is unclear. Maybe it’s not a “sexy” enough topic, like AI or ransomware, for her? Maybe it’s something different.

Either way, not holding a traditional hearing on FITARA is a missed opportunity for lawmakers, for agencies and for the overall goal of improving how agencies manage, spend and account for the nearly $100 billion spent on federal IT.

But getting away from the big “P” politics playing out between Mace and Connolly, the roundtable provided some important and new updates to federal IT oversight and progress.

Here are my three takeaways from FITARA 17:

EIS under review

The Government Accountability Office is dusting off the cobwebs from its “why did this transition take so long?” probing tool. GAO will begin looking this spring at the continued delays agencies are having in moving to General Services Administration’s Enterprise Infrastructure Solutions (EIS) contract.

Carol Harris, GAO’s director of cybersecurity and IT, provides an update at the Feb. 1 FITARA 17 roundtable. (Photo credit: Jason Miller/Federal News Network.)

“We’ll be able to really dig in deep and ascertain progress and the reasons why agencies are not able to make this transition on time,” said Carol Harris, GAO’s director of cybersecurity and IT, in an interview with Federal News Network after the Feb. 1 roundtable. “We’ll also dig into the missed cost savings as a result as well because that’s a huge component of this. But when you take a look at the progress that’s been made, certainly over the past two years, agencies have done their best and but still we still have, I believe, 14 agencies that did not meet the deadline.”

GSA gave the departments of Justice and Homeland Security until May 2026, while 80 other agencies have until May to complete their transitions.

Of the four agencies that participated in the roundtable, the Office of Personnel Management, the Nuclear Regulatory Commission and the U.S. Agency for International Development all completed transition. The Department of Housing and Urban Development reached the 80% mark as of December, according to GSA’s EIS transition progress dashboard.

As a reminder, the transition from FTS 2001 to Networx took 33 months longer than planned and cost the government an estimated $395 million, according to an analysis by GAO in 2014.

It’s clear this Networx to EIS transition may not meet the 33 month record, but the cost will exceed $395 million.

Cloud grades vs. cloud progress

The string of “Fs” filling the cloud computing category showing a lack of progress is striking when you first look at the FITARA scorecard. Of the 24 agencies, 16 received the lowest grades and six others received “Ds.”

As GAO’s Harris and Connolly said during the roundtable, the grades are supposed to be low given it’s a new category.

“[We are] introducing a new category and a new grade, therefore, we were expecting that we started at a lower base. The object here is to move up. So whatever we started with, we will be measuring it,” Connolly said. “We need to put that into perspective that it’s not like every federal agency just regressed in the last few months because they took large holiday breaks. It’s because we are introducing metrics that really matter. We’re starting at an uneven point with a lot of federal agencies.”

The cloud category is measuring agency progress against several of the areas the Office of Management and Budget outlined in its 2018 federal cloud computing strategy.

These include:

  • Whether agencies are ensuring that the CIOs are overseeing modernization, Agencies have cloud service level agreements (SLAs) attached to all of their cloud deployments,
  • Agencies have standardized SLAs

Harris said GAO is currently reviewing how agencies are meeting these requirements and used the results of that work to give agencies initial grades.

“What we’re seeing is uneven progress across the agencies. None of the agencies have fully implemented the five categories with the exception of the Defense Department,” she said. “That’s something that we need to see improved progress in. When I cited the 47% average [for SLA compliance]. That’s what we’re not seeing across the agencies in the implementation of this area.”

At the same time, what the FITARA scorecard isn’t measuring, which may be equally important, is the actual use of cloud services.

Take the Office of Personnel Management for example. Guy Cavallo, the agency’s CIO, said over the last two years, OPM has deployed over 35 new cloud-based applications that were previously on-premise. OPM also migrated over 100 business applications to the cloud that previously ran in data centers.

“Our goal is to have the majority of OPMs applications operating in the cloud by the end of this year,” Cavallo said.” Now, one of the benefits of utilizing cloud computing is the implementation of enhanced cybersecurity capabilities, such as data encryption, real-time security updates and patching, centralized monitoring and robust access controls. Today, all of those are improving the security of OPM’s applications, data and cybersecurity. We’ve had a number of successes there by leveraging machine learning and artificial intelligence to enhance our cybersecurity capabilities, allowing us to have real-time situational awareness, which allows us to quickly respond to and defend against threats. We also implemented data driven cloud-based dashboards to provide better visibility into our cyber status.”

OPM CIO Guy Cavallo (left) and NRC CISO Jonathan Feibus took part in the FITARA 17 roundtable on Feb. 1. (Photo credit: Jason Miller/Federal News Network.)

Cavallo said OPM is far from done in moving to the cloud. But it’s clear that OPM’s “F” grade doesn’t entire reflect the real goal of moving data and applications out of data centers.

The same can be said for USAID, which received a “D”, and the Department of Housing and Urban Development and NRC, both of which received “F” grades.

NRC’s Feibus said the agency is transitioning legacy technology to the cloud.

“We’re developing solutions that focus more on current and future technologies, including artificial intelligence, machine learning and process automation to keep the agency innovative,” he said. “The NRC has also worked with the General Services Administration on a financial operations pilot. It is implementing the recommendations and best practices we learned to further enhance management of our cloud services. We have been able to locate additional workflows to the cloud to provide an additional layer of resilience to our technology operations.”

USAID’s Gray said by moving to the cloud, the agency has reduced the number of data centers from 87 to 2.

“Even technology refresh is something that historically would take weeks or months to do major upgrades. In my prior agency [Education], we were able to upgrade an entire data center over a weekend, that would never happen. There would’ve be a disruption, but that did not happen because of the cloud,” Gray said.

It’s clear that agencies need to improve how they oversee and manage cloud services, but let’s not confuse that area with the real impact of cloud services on IT modernization efforts.

Working capital fund compromise

If the Technology Modernization Fund (TMF) was the icing on top of the Modernizing Government Technology (MGT) Act cake, then the IT working capital fund (IT-WCF) is the cake itself.

Everyone can “ooh and aahh” over the icing, but when you dig into the MGT Act, authorizing IT working capital funds is what holds the act together and gives agencies hope that IT modernization is an achievable goal.

For the previous 16 iterations of the scorecard, Connolly and GAO graded agencies on whether they were meeting the spirt and intent of the MGT Act by implementing a specific IT working capital fund. Agencies received some partial credit for already having another fund that provides money for technology modernization.

For the 17th iteration, one of the major changes is giving agencies credit for having any working capital fund that supports IT modernization.

After nearly a five years, Connolly realized that it’s not the agencies who didn’t want the IT working capital fund, it’s the appropriators who were less than excited to approve them. Sen. Maggie Hassan (D-N.H.) had planned to try to fix the MGT Act with a technical amendment in 2021, but that bill never moved.

Only a handful of agencies, including OPM and the Small Business Administration, have received approval from Congress to set these up. Others like the departments of Treasury, Labor and USAID have requested Congress give them the green light, but had no luck so far.

HUD is the latest agency to try to run the appropriator’s IT-WCF gauntlet.

Sairah Ijaz, HUD’s deputy CIO, said not having access to a working capital fund has impeded their ability to modernize technology as quickly as they would’ve liked.

“We do see some hope of that coming into the fiscal 2024. We’re hopeful that is something that we will be able to leverage in order to be able to quickly address some of the issues that are part of our long underlying strategies,” Ijaz said.

Like several other agencies, HUD does have a working capital fund out of its CFO office, but it doesn’t specifically support technology modernization.

“We are working to be able to begin the use of that working capital fund, and that’s part of the conversations we’ve been having with all of our counterparts about looking toward that in future appropriations. Currently, our appropriations do not allow for the use of a working capital fund,” Ijaz said. “It has hindered our ability to be able to be flexible, and be able to work toward modernizing our platforms. We’ve had to look towards other areas in order to be able to support our ability to fund some cyber needs. We’ve gone to the TMF and received some funding there to be able to manage that. Then we looked at reallocating some other costs in order to be able to support our cyber needs because that is most important at the moment.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    FITARA

    New cloud category sinks FITARA scores, but that’s not necessarily a bad thing

    Read more
    Gerry Connolly

    Transition to Networx telecom contract cost $395M more than planned

    Read more
    Amelia Brust/Federal News NetworkGSA

    GSA giving two agencies two extra years to transition to new telecommunications contract

    Read more