Can the TMF Help Agencies Improve FITARA Scores?

Federal CIO Clare Martorana is calling for prioritized cybersecurity improvements and increased support for the Technology Modernization Fund (TMF) in order for agencies to push forward with IT modernization amid overall stagnant scores across the latest FITARA scorecard.

In the House Oversight and Reform Committee’s Wednesday FITARA 12.0 biannual scorecard, 18 of the 24 Chief Financial Officer Act agencies had unchanged scores, while four improved and two dipped in their grades.

Of all of the scores, the General Services Administration was the only agency to receive an A-plus score, while most other agencies maintained grades in the C to B range.

Amid the findings, Martorana told lawmakers during Wednesday’s FITARA hearing, that acting on the recent White House executive order and providing flexible IT modernization resources through the TMF will help agencies reach better FITARA scores and improve mission delivery.

“First, cybersecurity is our immediate priority in federal IT,” Martorana said. “The cyber executive order puts us on a good path to faster incident response and stronger protective measures. By working rapidly and seamlessly, we can achieve results, and we must. … Secondly, I am committed to modernizing federal IT. The $1 billion [American Rescue Plan] appropriation to [TMF] is an important start to improving government IT’s systems, but it’s just a down payment.”

Government Accountability Office IT and Cybersecurity Director Carol Harris agreed that cybersecurity remains a top area for agencies to build on. She shared that a third of agencies evaluated in FITARA 12.0 received D or F grades, and another third were only at a C. Harris added that agencies could largely improve by establishing enterprise-wide cybersecurity risk management programs.

“We have reported on the agencies’ need to address information security program weaknesses, including establishing an enterprise-wide cyber risk management program,” Harris said. “Having mature cyber risk management programs would help agencies improve in the areas the [inspectors general] are looking at, and in turn, increase their cyber grades on the scorecard.”

In the midst of the SolarWinds hack revelations last winter, Harris said that agencies also need to build a “robust and comprehensive” supply chain risk management program to help the nation get to a better security posture.

TMF has become a resource for agencies to pursue IT modernization projects, but an opportunity for agencies to bolster their cybersecurity postures as well. Martorana — who serves on the Technology Modernization Board that reviews agency TMF proposals — said that since the American Rescue Plan’s $1 billion boost to TMF’s coffers, 43 different agencies have submitted 108 proposals for funding, and about 75% of those proposals have been cybersecurity-specific.

“Agencies are coming to us and saying that they would like to begin on the road to more modern security practices, like zero trust,” Martorana said. “About 75% of all requests into TMF through the American Rescue Plan are focused on cybersecurity.”

42% of the proposals, Martorana added, are overall intended to modernize high-priority systems, many of which are focused on upgrading, updating and increasing the cybersecurity posture of high-value systems.

Since FITARA 12.0 also found that about half of agencies have an IT working capital fund or will have one established by 2022, Martorana said that supporting TMF will provide greater flexibility in agencies’ ability to modernize.

“The repayment flexibility that has been extended to agencies under the American Rescue Plan is having a meaningful impact on agencies’ ability to participate in this,” Martorana said. “Not all agencies have working capital funds. We know that is continuing to evolve, but it was really a barrier of entry for people — being able to participate in TMF with the repayment flexibility loosened a bit. That has made all the difference in the world, and we know that this will continue to have an impact.”

While Martorana focuses on cybersecurity and TMF as bigger factors in overall federal IT modernization, the FITARA IT portfolio review process category, known as PortfolioStat, has helped agencies in IT cost-savings since FITARA began in 2015.

“Since 2015, the amount of money agencies have reportedly saved, including the cost of avoided as a result of their PortfolioStat effort, has risen from $3.4 billion to $23.5 billion,” said Rep. Gerry Connolly. “This increase includes $1.3 billion related to eliminating duplicative software licenses and about $7 billion in savings on data center consolidation.”

Connolly added that agencies should also focus on filling the IT workforce gap in the future too, as much of the federal IT workforce is reaching retirement age.

“As of March 2021, 3.3% of the federal government’s full-time IT employees were under the age of 30,” Connolly said. “52.5% were over the age of 50. Federal agencies must focus on recruiting and hiring young IT professionals with the knowledge and skills needed to address the technology challenges of tomorrow.”