FITARA, FedRAMP Among Congressional IT Modernization Priorities

New legislation and appropriations will streamline the acquisition process and give agencies needed funds for data center consolidation.

As federal agencies work to consolidate their IT offices, modernize legacy systems and secure essential data, they can rest assured that there are leaders in Congress working to ensure they have the guidance and funding to encourage those efforts.

In discussing the Federal IT Acquisition Reform Act (FITARA), the act designed to put CIOs directly in charge of acquisition and IT management, and to quantify and consolidate data centers and other IT consolidation efforts to reduce costs and increase efficiency, Representative Gerry Connolly was careful to distinguish between “consolidation” and “optimization.” He explained that current laws are aimed at consolidating data centers, but some agencies have pursued optimization instead, seeking innovation outside of direct data center consolidation.

“The goal was consolidation and remains consolidation,” Connolly said at the MeriTalk Cyber Strong Brainstorm. Connolly is chairman of the IT Subcommittee of the House Oversight Committee.

Despite the miscommunication over the language, Connolly said he is “impressed” by the innovation strategies coming from the White House.

“There is a lot of overlap between what they’re seeking to do and what we are seeking to do,” he said. “I indicated that if they pursue those goals, we will support that.”

He has since engaged with the administration, understanding that optimization was not a “retreat” from the consolidation goals, and that agencies will still measure their progress according to the FITARA scorecard.

As the chairman of the IT Subcommittee and a co-author of FITARA, Connolly said he will continue to ensure agencies work to improve their scores, highlight success stories along the way and share best practices for agencies that are behind the curve. One story so far has been consolidating the number of CIOs in the federal government.

“When we began with FITARA, spread out over the 24 agencies [that Congress surveyed], we had 250 people with the title CIO,” Connolly said. “That is a structure that is, by definition, not accountable, nor does it empower someone to make decisions.”

Congress did not prohibit agencies from having multiple CIOs, but it encouraged agencies to designate a “first among equals” who would be both empowered to make agency-wide IT decisions and would be directly accountable to the secretary or agency lead for all IT management, Connolly said.

“When you report to the deputy assistant undersecretary for widgets in the bowels of the basement, you can be ignored,” Connolly said. “But if you report directly to the secretary, I cannot afford to ignore the instructions and guidance you’re giving.” Since the initial encouragement, 14 of the 24 agencies have appointed a CIO that reports directly to the secretary.

Connolly also discussed legacy systems and the new Modernizing Government Technology law, aimed at reducing maintenance costs, which he estimated account for 70 to 80% of the $96 billion the federal government spends on IT annually. The law established a technology modernization fund “designed to incentivize agencies to modernize their systems … but the appropriations have been anemic,” Connolly said. Ahead of the end of the fiscal year, he plans to encourage bipartisan support to increase the appropriations for the law such that it can impact the long-term maintenance costs of legacy systems.

“It’s a hard sell because it’s counterintuitive why you would want more money when you’re already spending $96 billion,” Connolly explained, especially when systems modernization is a “multi-billion, multi-year effort.” The law, if properly funded, would give CIOs the freedom to modernize those systems without taking money away from operation and personnel expenses and would be much more encouraging than an unfunded mandate in that regard.

“The other point of [the law] was to free up agencies to be able to reinvest in themselves with the savings they effectuate from FITARA,” said Connolly. The next step for Congress here is working with agency general counsels to clarify conflicts between the law and appropriations. Some general counsels have expressed concern about using the savings on projects other than what they were originally intended for, Connolly explained, but in his mind, “When Congress says, ‘thou may,’ that latest law is the law.”

Finally, Connolly discussed FedRAMP and upcoming legislation to improve the risk and authorization process codified by the policy. New legislation slated for later this year is designed to streamline a process that was originally intended to take “six months and a quarter of a million dollars,” but now often takes years and millions of dollars between the initial submission and certification for industry programs and products.

“That effectively means no entry for a lot of mid-size companies,” Connolly lamented. “They simply cannot afford that kind of risk or investment for the uncertainty of getting certified at all.”

FedRAMP is currently a GSA program, but Connolly plans to anchor it with a law that sets a standard for “a presumption of adequacy at all federal agencies.” Setting a standard that includes the different requirements for every agency will be difficult, but the law should set a basic set of requirements that can be modified depending on which agency the product must comply with, he said.

“Our intent here is to return FedRAMP to its original, streamlined process,” Connolly said. His plans for the legislation include not only designing the regulations to get FedRAMP there, but also cooperating with his counterparts in the Senate to make the FedRAMP bill a bipartisan priority.

“We are the stewards of data – very personal information – of tens of millions of Americans,” Connolly underscored. “Every time there is a data breach in the public sector, it further erodes public confidence in the government.” His subcommittee will continue to provide “vigorous oversight” of federal agencies to secure public data, he added.

“If we can succeed in bringing the federal government fully into the 21st century, in terms of cyber and technology,” said Connolly, “it may not be much heralded, but it will better serve the American people.”
