DHS and 8 Other Agencies Improve in Latest FITARA Scorecard

An emphasis on cybersecurity boosts DHS from a D-minus to B FITARA score in half a year.

The Department of Homeland Security, as well as several other agencies, has made strides in its IT modernization efforts, and it shows, according to the House Oversight and Reform Committee’s latest FITARA 9.0 scorecard.

Since 2014, the Federal Information Technology Acquisition Reform Act (FITARA) has measured federal agencies’ progress in modernizing their IT assets by consolidating and optimizing data centers, improving cybersecurity and strengthening CIO authorities.

While smaller agencies, such as the Small Business Administration and Social Security Administration, have historically scored higher on the semi-annual FITARA scorecards, larger, more federated agencies have struggled to achieve better scores.

That trend, however, has shifted for some agencies, particularly DHS, which achieved a “B” grade on the latest scorecard, released Dec. 11. In its previous scoring in June this year, DHS received a D-minus, so the latest mark reflects significant progress.

In her first time testifying before a congressional committee, DHS Acting CIO Elizabeth Cappello emphasized the agency’s moves to improve its cybersecurity posture, cloud adoption, agile development and data center consolidation.

“Cybersecurity must be at the core of everything we do in information technology,” Cappello said during Wednesday's House Oversight and Reform Committee hearing. She noted her office manages the DHS network that “connects the 240,000 DHS federal employees, more than 4300 physical locations and dozens of mission-essential applications.”

In 2019, DHS adapted a Defense Department security operations center (SOC) accreditation program to create the cybersecurity service provider (CSP) program, Cappello said. The CSP program ensures consistent, high-level accreditation standards across all levels of the department; Immigration and Customs Enforcement's SOC received CSP accreditation this year, and other agencies within DHS are expected to follow by the end of the fiscal year.

“Given all of these efforts, I am proud to note that the department’s improved cybersecurity posture is evident on our federal scorecards, including FISMA and FITARA,” Cappello added. “Our cybersecurity strategy is not static, however, as DHS continues to make great strides in cloud adoption.”

Looking forward, Cappello said DHS OIT is implementing OMB’s TIC 3.0 strategy, moving to a zero-trust security model and working with DHS’ chief human capital officer to hire and retain a skilled IT workforce. It hosts an annual Agile expo and is moving to a DevSecOps approach and culture, Cappello noted, and has been a leader in data center consolidation.

“I am excited about our continuous improvement ... but there is more room for progress,” Cappello said.

DHS is one of nine agencies that have received improved FITARA grades in the 9.0 scorecard, while four agencies saw a decline in their scores, and 11 remained the same from the previous scoring in June.

In this round of scoring, agencies that improved also reached a new milestone: the General Services Administration, U.S. Agency for International Development and Department of Education all received A or A-plus rankings, which are scores no agency has seen before in FITARA ratings.

Wednesday’s hearing only included a review of DHS and NASA. However, the two agencies, which both saw significant FITARA score improvements, have collected $2.6 billion in cost-avoidances and savings in their IT modernization efforts, noted Government Accountability Office IT Management Issues Director Carol Harris.

Despite the progress, Harris said that NASA and DHS will still spend about 80% of their IT budgets on maintenance and operations — a statistic that has generally remained the same across agencies in recent years.

“These agencies collectively plan to spend $8.6 billion on IT this year,” Harris said. “For year of them, roughly 80% of their IT spend is on operations systems.”

As DHS, NASA and other agencies continue to work on the goals FITARA outlines for them, Harris added that the committee should focus on three areas of oversight to ensure agencies achieve the best outcomes:

  • Continue to be aggressive on agencies concerning data center consolidation;

  • Continue to push agencies to establish a CIO reporting structure; and

  • Look at working capital funds to ensure agencies have the funds necessary to modernize their legacy systems.

Harris added that for larger, federated agencies to succeed in improving their FITARA scores, they should work on centralizing their information, such as in software licensing, and reiterated the importance of establishing concrete governance relationships with the CIO.

Committee Chair Rep. Gerry Connolly noted that he looks forward to seeing the culture continue to shift to centralize IT decision-making around one CIO.

“One of the things we wanted to do and hope to do in an evolutionary — rather than mandated — way was to have a primus inter pares (first among equals) CIO,” he said. “We chose to respect the federal culture and let it evolve. When we started ... we had 250 people in 24 agencies called CIO.”

Connolly made it clear that it is essential for one CIO to be “imbued” with the power and responsibility to make decisions and lauded NASA as a model of that structure.

Both Connolly and Cappello noted the challenges to centralization at DHS, a large department with several different mission sets. Cappello noted that the differences between sub-agencies have helped the department at large to take best practices from each on a variety of IT modernization initiatives, such as Customs and Border Protection's work on cloud migration and Homeland Security Investigations' experience with computer forensics.

“While I fully understand the concerns around the reporting structure,” Cappello said, “I would offer that, in DHS, there is a lot of value in the technologists being able to respond directly to the operational requirements.”
