Agencies Progressed in FITARA Scorecard, But House Considers Reform

Agencies Progressed in FITARA Scorecard, But House Considers Reform

Future iterations of the scorecard could include expanded cybersecurity and infrastructure categories.

Federal agencies are making greater strides in critical IT performance and modernization initiatives, according to the House Oversight and Reform Committee’s FITARA 13.0 scorecard released this week. All evaluated agencies received passing grades, with data center consolidation rising as one area of success.

But to better meet evolving IT needs, the committee is considering adjusting the scorecard metrics to better account for areas like cybersecurity supply chain and IT workforce challenges.

Thursday's 13th semiannual FITARA scorecard indicated that all agencies received a C- or higher, with 12 of the 24 evaluated agencies earning B scores or higher for the first time. Two agencies — the National Science Foundation and U.S. Agency for International Development — topped the charts with the only A scores.

Since FITARA 12.0 in July 2021, seven agencies saw increases to their scores, while four saw declines and 13 remained the same. The Government Accountability Office, which works with the committee to form each FITARA scorecard, noted that from the first scorecard in November 2015, the increased agency scores have assisted agencies in increased IT portfolio review savings from $3.4 billion to $23.5 billion.

GAO added in its FITARA report that the FITARA scorecards “have served as effective tools for monitoring federal agencies’ efforts in implementing statutory requirements for addressing other important IT issues.”

All evaluated agencies have seen success previously in software licensing inventory update FITARA metrics, leading the Oversight Subcommittee on Government Operations to retire that metric from scorecard assessments. As agencies all received As in the 13.0 scorecard, Subcommittee Chair Rep. Gerry Connolly and federal IT leadership are looking to apply new components to future FITARA scorecards to push for continued progress in federal IT.

“The goal here is to incentivize progress, not to get a gold star on our foreheads,” Connolly said. “In the data center consolidation category, every agency received an A grade based on the scorecard’s current methodology. As such, the 14th scorecard will retire this methodology when it’s released later this year.”

Although the committee added cybersecurity as a newer FITARA metric, current and former federal IT leaders emphasized that the cyber component needs further specifications, especially amid increased cybersecurity vulnerabilities and White House mandates to strengthen agency cyber postures.

“Regarding cyber, this category should be expanded to better address the ongoing and emerging challenges facing our nation, including mitigating global supply chain risks and improving the implementation of government-wide cybersecurity initiatives,” GAO IT and Cybersecurity Director Carol Harris said.  

Former GAO IT and Cybersecurity Director David Powner and former Federal CIO Suzette Kent echoed Harris’ comments, adding that features like zero trust adoption to the FITARA scorecard could benefit agencies’ cybersecurity.

Harris added that the committee should consider adding a metric category to address and decommission legacy IT. About $63.3 billion of $100 billion spent on federal IT annually goes toward maintaining antiquated systems. Kent agreed, arguing that bringing visibility to agency modernization activities would improve FITARA assessments.

Powner expanded on the modernization aspect, sharing that future FITARA scorecards should also include categories around mission modernization, as well as an IT budgeting and funding category that would incorporate Technology Business Management methodology to better capture all IT costs and align them to agencies’ services.

Along the lines of agency services, Kent said that FITARA should also measure digital services as agencies move forward digital engagement with the public.

“Your constituents are so digitally dependent. Now’s the time to include metrics that highlight our progress toward digital and mobile-native platforms, quality customer experiences,” Kent said. “They’re on par with what citizens experience in ever other industry, and we have goals that are already defined both in law and the [executive orders] that could be elevated for incorporation into that future scorecard.”

Powner also emphasized making a more robust infrastructure metric for future FITARA scorecards. The committee most recently added a telecommunication services transition metric to FITARA, especially amid the three-year delay mandating agencies to transition to the General Services Administration Enterprise Infrastructure Solutions (EIS) contract vehicle. Of the 24 agencies, 15 received failing grades on this metric, so Powner said a broader category that includes cloud and telecommunications infrastructure could help.

“We need to add an infrastructure category that will continue to shine the spotlight on having modern and secure networks with the EIS contract, but should also include, Mr. Chairman, a cloud adoption metric and move on from a data center focus,” Powner said.

Finally, Kent and Powner highlighted that adding an IT and cybersecurity workforce category is a critical aspect that the committee should consider in future scorecards. This metric, they argued, could bring transparency to workforce gaps and incentivize agencies to make additional investments to attract and retain talent to execute critical technological and security activities across the government.

While Harris, Kent and Powner made these recommendations, some agencies are already working to meet goals around cybersecurity, further data center consolidation, workforce development and more.

Department of Energy CIO Ann Dunkin testified that at large, she is aiming to increase visibility into IT-related resources investments across her agency, as well as supporting CIO and IT management authorities. She also highlighted how Energy is working to close seven more data centers by 2025, despite already receiving an A in data center consolidation in FITARA 13.0.

“I’m committed to enhancing energy efficiency and sustainability of our remaining data centers,” Dunkin said. “DOE continues to make progress toward improving our cybersecurity posture. Various security needs within DOE’s mission space present unique cybersecurity challenges that require a risk management program to be flexible and allow for risk-based decision-making to enable our mission. The department is leveraging the Department of Homeland Security’s Continuous Diagnostic and Mitigation Program to obtain additional security tools, including most recently, hardware and software asset management.”

Dunkin added that the agency has a multi-pronged approach to developing its IT and cyber workforce. This includes its Omni Technology Alliance Internship program — DOE’s paid IT talent internship program for students from underserved communities.

Office of Personnel and Management CIO Guy Cavallo also shared efforts that align with some of the recommended changes to future FITARA scoring, including how OPM was able to reduce the overall Office of the CIO staff vacancy rate by 20%.

Amid the recently published Presidents Management Agenda’s call for strengthening customer services, Cavallo said that OPM is establishing a “total life journey map” of federal employees’ careers, illustrating the workforce journey from application to retirement to understand how modernization can improve employees’ experience working in government.

The next FITARA scorecard will likely release in the middle of 2022. However, GAO and subcommittee leadership are considering a shift in the FITARA review period to an annual basis to give agencies enough time to indicate modernization changes.