New cloud category sinks FITARA scores, but that’s not necessarily a bad thing

Federal agency scores plummeted on the 17^th Federal IT Acquisition Reform Act (FITARA) scorecard. The reason for the drop in grades: Continued struggles to implement best practices for moving workloads and services to the cloud.

But oversight leaders say the decrease in grades is not only expected, but not indicative of the progress agencies have made over the last decade.

The scorecard, released today by Rep. Gerry Connolly (D-Va.), co-author of FITARA, showed double the amount of “C” grades with 10 “Cs” and three “Ds” for the first time since July 2022.

At the FITARA scorecard roundtable today on Capitol Hill, Connolly and Carol Harris, the director of cybersecurity and technology at the Government Accountability Office, were quick to downplay the drop in grades.

“We were expecting that we started at a lower base. The object here is to move up, so if everyone started with an ‘A’  why would we be measuring it?” Connolly said. “I think we need to put that into perspective, that it’s not like every federal agency just regressed in the last few months because they took large holiday breaks. It’s because they were introducing metrics that really matter, but we know need to be measured because we’re starting at an uneven point with a lot of federal agencies.”

Harris added comparing the previous scorecards with this latest one is like comparing apples and oranges.

“We’ve not had a focus on [cloud computing] relative to the scorecard so the grades were low in this category,” Harris said. “We’re not negating the progress the agencies have made up until this point with regards to data center consolidation and PortfolioStat. The fact that we have nearly $30 billion in savings is tremendous, and that should be applauded.”

Technology executives from the Office of Personnel Management, which received a “C” grade, the Nuclear Regulatory Commission, which received a “B” grade, the Department of Housing and Urban Development, which received a “C” grade, and the U.S. Agency for International Development, which received the only “A” grade on the scorecard for fifth consecutive time, all supported the changes to the scorecard despite the lower overall grades.

“I appreciate the evolution of adding the strategy around Cloud Smart. It is an important thing for us,” said Sairah Ijaz, the deputy chief information officer at HUD, during the roundtable. “If you look at the evolution of how cloud has been presented to the government and the various ways that it’s been presented and ensuring that we have FedRAMP secure cloud and things like that, being able to evolve in the scorecard and keep that as something that we need to focus on, I think it’s extremely important. ”

Jason Gray, the CIO at USAID, said when he sees the “D” under the cloud category, he knows exactly what needs to be done to raise the score.

Harris said one common problem GAO found in its latest research, which is due out later this spring, is a lack of consistent service level agreements (SLAs) for cloud services.

She said in the 2019 cloud smart strategy, OMB required agencies to tie SLAs to cloud services and make sure they are standard across the agency.

“Unfortunately, we’re seeing a 47% average failure rate on the scorecard relative to this particular area,” Harris said. “These are key ingredients for having robust cloud procurements. So I wanted to move this conversation about cybersecurity and the protection of assets in the cloud, which is vitally important, but also from the procurement standpoint, we need to get this right. I’m really glad that as part of the new cloud category, we’re measuring this because we need to see improvement in this area.”

Harris added these service level agreements are critically important because they’re intended to provide continuous awareness of the confidentiality, the integrity and the availability of the data and systems in the cloud.

Connolly, the ranking member of the Oversight and Reform Subcommittee on Cybersecurity, IT and Government Innovation, signaled the change to the scorecard in the previous version issued in September.

The latest scorecard showed 16 agencies with “F” grades and 6 with “D” grades under the cloud category. The grades are based on agency implementation of the best practices outlined in the 2019 Federal Cloud Computing Strategy from the Office of Management and Budget based on the Government Accountability Office analysis from January.

DoD earn only “A” grade under cloud

In his opening statement, Connolly said the cloud category replaces the data center consolidation score after agencies have made substantial progress in closing data centers and migrating workloads to the cloud.

“In spring of 2024, the Government Accountability Office (GAO) will release a report that subcommittee Democrats requested on the extent to which federal agencies complied with executive branch cloud computing guidance. Agencies will be graded based on their ability to meet five procurement-related requirements developed by OMB,” Connolly said. “Agencies will earn one point for full implementation of each requirement, a half point for partial implementation and no points for failing to implement the metric. Cloud spending in the federal government has increased from $10 billion in fiscal 2021 to more than $16 billion in 2023 and FedRAMP cloud authorizations have increased by more than 60% since 2019. This is a growing area of federal IT spending that demands oversight.”

Interestingly, the only agency to receive an “A” grade under this category was the Defense Department. Agencies that have been using cloud services and putting more than 70% of all services and workloads into the cloud like the General Services Administration and the Agriculture Department received “Ds,” and the Small Business Administration received an “F.”

The cloud scores brought down the Education Department and GSA’s overall scores as well. Both received “A”s in the September scorecard, but this time both received “Cs.”

“The strategy identified five key requirements of cloud procurement that help ensure successful cloud adoption. The five requirements focus on ensuring that the CIO oversees modernization, agency cloud-related policies and guidance are iteratively improved, service level agreements are in place, service level agreement contracts are standardized, and visibility in high value asset contracts is continuously ensured,” the scorecard detailed.

Connolly did not include the other previewed category in the previous scorecard, CIO reporting structure, budget and acquisitions in the 17^th iteration.

New progress tracker

Connolly said there are several other evolutions with the scorecard.

He said the a minor change to the Modernizing Government Technology (MGT) category awards full credit to agencies that have an IT-dedicated account that satisfies the MGT Act’s intent, regardless of whether the account is officially called a “Working Capital Fund” (WCF).

He said such accounts must be IT-dedicated funding streams that provide at least three years of flexible spending that is fully controlled by the CIO.

Additionally, the Transparency and Risk Management category now focuses on the timeliness of agency data updates to create the new CIO Investment Evaluation category.

“Specifically, agencies will be graded on the recency of their IT Dashboard ‘CIO Evaluation History’ data feed, which displays how recently agencies’ CIOs submitted new risk level assessments for major IT investments. The more recent the assessment, the higher the grade to ensure that agencies’ CIOs evaluate IT investment risk in compliance with FITARA,” Connolly said. “Agencies have not been consistently updating their data. The raw data on risk designations that previously supported the Transparency and Risk Management category has been moved to the new progress tracker.”

The progress tracker, which also is new for the 17^th iteration of the scorecard, focuses on some of the older FITARA categories like transparency and risk management, data center consolidation and CIO reporting that agencies have mostly been successful in meeting the goals of over the last five or so years.

“One reason we worked with GAO to create the Progress Tracker was to provide greater transparency for some of the scorecard’s underlying data that is not being updated regularly by agencies or no longer lends itself to being easily graded across agencies, but is still valuable to track,” he said. “Raw risk designation percentages for the Transparency and Risk Management category and total cost savings from the Portfolio Review Savings category are now displayed in the progress tracker. We want agencies to continue to update this information and be held accountable for the data they are reporting. For example, not once have all 24 Chief Financial Officer (CFO) Act agencies reported updated risk data in the same year. We would also like to drive more updated portfolio savings data from all 24 CFO agencies. The last time all agencies submitted their data was in 2019. On Scorecard 17.0, you will now see PortfolioStat savings data converted into raw numbers that are accumulative since the first PortfolioStat initiative in 2012.”

Connolly added the progress tracker also keeps the subcommittee’s eye on categories that are at risk of backsliding, like data center consolidation and managing software licenses through Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act.

Connolly said the recent GAO report on software licenses “found substantial backsliding on many of the measures tracked by the previous MEGABYTE category on the scorecard. If no one is watching, if no one is keeping score, we know what happens. When the scorecard sunset the software licensing category, it signaled to agencies that this effort was no longer important. Unfortunately, progress has been lost and now must be restored. This example is why federal data center closures will remain an issue on our agenda.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.