While House Government Operations Subcommittee members offered no firm direction on how they may try to further evolve the FITARA Scorecard, their discussions with witnesses at the April 16 hearing on version 11.0 of the scorecard issued last December brought to light a variety of Federal agency IT concerns that might come into play.
Subcommittee Chairman Gerry Connolly, D-Va., said the panel remains “flexible with respect to the scorecard,” including taking a look at grading categories to “make sure we’re capturing performance.”
“Our goal is to try to make the Federal government more efficient, and to save money along the way … we have saved a fair amount of money,” Rep. Connolly said.
Rep. Connolly said his own priorities for Federal IT oversight include getting a better understanding of supply chain vulnerabilities, the prevalence of legacy systems at agencies, and how the new $1 billion of funding for the Technology Modernization Fund (TMF) can help.
Summing up discussion at the hearing and next steps, Rep. Connolly said, “we also of course want to follow up on legacy IT, the TMF, and how we can best use that to leverage … the acceleration of the retirement of legacy systems so that we’re more cyber secure, and we’re saving taxpayers money.”
Rep. Connolly said he wants the Government Accountability Office (GAO) to follow up on the role that Federal IT has played in Federal and state government pandemic relief efforts, and said the panel could make a formal request for GAO to look at that.
In particular, he mentioned the role of the Small Business Administration (SBA) in distributing hundreds of billions of dollars of relief funding, and the heightened role of the Internal Revenue Service (IRS) during the pandemic. “The IRS has 60 different IT systems, some of which worked well, some of which didn’t,” Rep. Connolly said. “It had to both remain the tax collector and audit entity, while also becoming a benefit deliverer,” and “that transition really challenged IRS in terms of its IT,” he said.
Asked about possible future directions for FITARA Scorecard grading categories, GAO’s Director of IT and Cybersecurity Issues Kevin Walsh pointed to several new items, but also to the difficulty in obtaining data with which to evaluate Federal agency performance.
One new direction, he said, would be to evaluate whether an agency’s websites were in compliance with industry best practices.
“However, the scorecard is only as good as the data behind it,” he said, while suggesting that existing government dashboards do a better job at reflecting IT spending. The government’s budding effort to embrace Technology Business Management (TBM) practices in tracking spending might help by “closely linking agencies’ accounting systems to IT oversight,” he said.
Walsh also said that the FITARA Scorecard is “not a panacea” because there remain “many critically important topics” that are difficult to address, including how well Federal agencies serve citizens and how well they manage human capital.
“It’s a credit to the committee that the scorecard continues to evolve and change to get closer to how to evaluate the efficacy of how the government is spending our money,” he said, adding, “it’s a very difficult concept … I think this scorecard is helping move us in that direction.”
“Measuring how good an agency is at delivering its mission or meeting its mission is something that we in the GAO and in Congress have struggled with for quite a long time,” Walsh said.
Rep. Jody Hice, R-Ga., ranking member of the subcommittee, pressed for more information about the SolarWinds breach, and whether that kind of security issue could be reflected in the scorecard. “How do we develop that, to better equip Congress to recognize problems and deal with problems before they happen?” he asked.
“Part of the challenge,” Walsh said, “when deliberating with you folks on how to come up with these metrics is what data are currently available. Especially in the case of supply chains we want to be careful not to utilize non-public data, we don’t want to put a target on any agency’s head that’s not already there. I agree that supply chain management and the risks associated are critically important to cybersecurity and our governance operations.”
“And we would love to work to explore further metrics that we can use to measure that,” Walsh said, adding, “I think a note of caution is warranted though with things as secure and sensitive as that.”
Legacy Replacement Price Tags
Walsh also engaged in a discussion of how to define legacy systems – including definitions around whether the data they house can be encrypted – but could not offer a guess on cost for all 24 CFO Act agencies to replace those.
The inability to encrypt data at rest was “one of the things that we saw at OPM when they had that breach a few years ago, one of the things that came out of that was we heard that OPM was not able to encrypt the data that was on the servers at rest, because of the age of the systems. I think that’s a pretty critical point to be emphasized,” he said.
Walsh stated that a GAO review performed in recent years had found that many agencies had not done the planning to retire or upgrade legacy systems with much specificity as to milestones and describing the necessary work, but said efforts in that direction would be helpful.
“I think we should absolutely be thinking about the oldest system that is in need of modernization, and have some form of plan going forward on how to either turn it off or get it to a much more secure space,” he said.
Discussing the recent appropriation of $1 billion for the Technology Modernization Fund, Walsh said the increased funding will “allow agencies to explore projects that were previously outside of their ability.”
“They didn’t have the money to address some of these critical needs, so I think it will be important,” he said. “The challenge is going to be ramping up that team that manages the TMF to make sure that they have the expertise necessary to oversee these projects.”
Rep. Connolly predicted that the Office of Management and Budget (OMB) will establish “clear criteria” for the expanded TMF funding “because the expectations are really high, but we’re going to have criteria from OMB in terms of who that could be used, and how it should be used.”