The Federal Information Technology Acquisition Reform Act scorecard should be embellished with yet another column indicating whether agencies have set up the rotating capital fund outlined in the Modernizing Government Technology Act, according to Karen Evans, national director for U.S. Cyber Challenge’s Center for Internet Security.
The MGT Act, which Rep. Will Hurd, R-Texas, reintroduced April 28, proposes a working capital fund within agencies that chief information officers can use to save money for IT projects. Evans recommended a check-mark for this act on the FITARA scorecard, which also evaluates agency CIO authority enhancements, transparency and risk management, portfolio review, and data center consolidation.
Tracking initiatives and oversight would be easier with one master scorecard instead of a separate scorecard indicating whether agencies have put Hurd’s legislation into practice, Evans said.
“It’s very easy to have that scorecard and add another column. Why wouldn’t you just add another column? If you start doing something separate, you’ll have compliance for compliance sake,” Evans said. “It would make sense that oversight things get integrated overall. It’s supposed to add harmonization. It helps align all discussion.”
In addition to the four grading categories, December’s FITARA scorecard added a column denoting, with a plus or minus mark, whether CIOs reported to their agency’s secretary or deputy secretary. The draft of President Donald Trump’s executive order on cybersecurity suggests that the administration is placing considerable authority in department secretaries.
For example, it tasks the secretaries of the departments of Commerce and Homeland Security with creating a plan to secure the nation’s networks. The secretaries of Commerce, Homeland Security, Defense, Education, and Labor will present a report on the state of education of the cybersecurity workforce within 120 days.
Because secretaries will rely heavily on collaboration with CIOs, Evans said naming permanent CIOs will be a top priority. The emphasis on secretary accountability will highlight which agencies have acting CIOs versus permanent ones. She said the Department of Defense, which received a funding boost in Trump’s proposed budget and oversees several cyber threat assessment efforts, may see a permanent CIO soon.
“For years and years, everyone’s been arguing that the CIO doesn’t have enough authority. This administration is holding secretaries accountable,” Evans said. “The group of secretaries coming in knows the importance of how cyber plays. These positions may actually get filled faster than they have in the past.”
Some agencies are functioning with acting CIOs right now. These acting officers are probably not in a tailspin, however, because they have the long-standing goals of their predecessors to address. Evans said that acting CIOs will create plans to address issues such as cloud migration and data center consolidation until a permanent CIO is named.
For example, she said an acting CIO with a radical idea for procuring shared services can get the paperwork for this plan ready to go for the permanent CIO whenever he or she takes office.
“The acting isn’t going to leap out with that, but would have it ready to go. These are long-term foundation issues,” Evans said. “It’s not politicized. Every agency needs IT. The political part is mission priorities. I would think that FITARA would not necessarily be slowed down.”
Certain grading criteria can cause Federal IT managers to get “wrapped around the axle,” Evans said. For example, the push for data center consolidation, spurred by both FITARA and the Data Center Optimization Initiative (DCOI), consumes agencies’ attention.
The requirement to close down data centers spawned widespread concerns as to what constitutes a data center in the first place and how to migrate to cloud computing in the absence of these physical servers.
Evans said data center consolidation is as much an exercise in evaluating how agencies deliver services as it is a clean-out of servers.
“Agencies tend to build infrastructure around one incident,” Evans said. “That’s the idea behind data center consolidation.”
Fluidity in grading criteria is important, according to Evans. She said that, ultimately, the Government Accountability Office needs to consider eliminating categories as it incorporates new ones. The scorecard requires constant evaluation of data as agencies continue to mature and new issues crop up.
“Right now, this is still a pretty new scorecard. This is the challenge for GAO. Sometimes they create some issues,” Evans said. “It’s also OK to delete columns. Constantly evaluate what you’re measuring. The one thing you want to avoid is measuring something that’s not giving you the true picture. I’m trying to plant a seed. Certain things with the metrics should evolve.”