Key lawmakers in the House voiced general agreement today that they want to explore making big changes to the semiannual FITARA Scorecard that rates major Federal agencies on progress toward IT-related goals.
Debate at a House Government Operations Subcommittee hearing today centered on the need for scoring categories that shed more light on agency cybersecurity, continuing IT modernization, and progress against the goal of improving citizen services, among others.
The subcommittee’s hearing to review the new FITARA grades released today focused less on the new agency performance data, which showed a modest trend toward improved grades for several agencies while most agencies held steady over the past six months.
Instead, the subcommittee dug into numerous ideas that the House Oversight and Reform Committee – which issues the semiannual grading report – should look at to revamp what many agree has been a very successful oversight process, but one that has also grown a bit stale in its scope.
The wide variety of ideas for scoring category changes from subcommittee members and hearing witnesses encountered little in the way of philosophical objections, but the debate did reveal limitations on which changes may be more practical given the current availability of data on which to base any new scorekeeping.
Reps. Connolly, Hice Support Changes
Subcommittee Chairman Gerry Connolly, D-Va., and Ranking Member Jody Hice, R-Ga., both indicated they are open to future scorecard changes. That bipartisan support is important as their subcommittee is the driving force behind the FITARA Scorecard, which began its semiannual agency IT grading process in 2015.
“Since the Scorecard was first released in 2015, it has driven positive change in information technology system acquisition and management across 24 federal agencies, and it is estimated by GAO that it has saved taxpayers more than $20 billion and improved the security of federal IT systems,” Rep. Connolly said. “There aren’t a lot of other bills that have saved the federal government that much money.”
But, he said, “to continue driving progress, the Scorecard needs to evolve to reflect the changing nature of IT services and to guarantee we are accurately assessing the modernization and IT management practices of federal agencies.”
“A variety of factors, including methodology, data availability, agency motivation, and the cycle of the Scorecard, have resulted in stalling grades for many agencies,” said Rep. Connolly, who pointed to recent scoring trends that have left many agencies in the “B” and “C” overall grade levels. “Agencies appear to be less motivated to improve their grades – perhaps because of the methodology used to calculate some of the metrics,” he said, adding, “for example, two of the metrics are graded on a curve, which can be received as counterproductive to an agency’s ability to demonstrate improvement during the Scorecard cycle.”
“The subcommittee is at an inflection point, and the time is ripe to modernize this oversight tool,” he said. “The goal here is to incentivize progress, not to get a gold star on our foreheads,” Rep. Connolly emphasized.
At a high level, he singled out agency cybersecurity and IT modernization efforts as two key areas that continue to need “vigorous and continued” oversight. “To conduct such oversight effectively, the FITARA Scorecard must accurately reflect the progress agencies have actually made in their IT efforts, which will in turn motivate agencies to prioritize meaningful changes,” Rep. Connolly said.
Hice Suggests Cyber, CX, Modernization Options
Referring to the latest scorecard, where all agencies got an “A” grade in the Data Center Optimization Initiative (DCOI) category, Ranking Member Hice commented, “I think it’s a fair question as to whether indeed we’ve reached a point of diminishing returns.”
“We need to legitimately consider where do we go from here,” Rep. Hice continued. “Beyond the current scorecard, I believe it’s time to take a hard look at how FITARA can evolve from this point.”
Rep. Hice pointed in particular to ongoing debate on the House Oversight committee over legislation to reform the Federal Information Security Management Act (FISMA), and the apparent lack of sufficient metrics that can be gathered from Federal agencies and elsewhere in the government to give a more accurate picture of agency security postures.
“That’s an indication that we need to evolve and go to the next step,” he said. “Security is absolutely one of the top areas for oversight … and we need to keep that as our priority.”
“As we look forward, taking advantage of the effort to update the underlying FISMA law, we should re-examine the scorecard metrics and think how cyber assessments can better serve our purposes.”
Rep. Hice also voiced support for looking into other scorecard category additions that would track new issues including the pace of Federal IT modernization, dealing with workforce shortages, and improving citizen service.
He also raised questions about the current six-month scorecard cycle, and wondered whether that presented an optimal “cadence” for agencies. “Does a six-month interval actually give agencies enough time to change course if they need to?” he asked, while raising the question of whether the scorecard should be issued annually instead.
Outpouring of Ideas
Witnesses at today’s hearing had no lack of ideas to offer the subcommittee, ideas that both built on the chairman’s and ranking member’s suggestions and went beyond them.
Carol Harris, director of information technology and cybersecurity at the Government Accountability Office (GAO), suggested changing methodologies for the current scoring categories of transparency risk management and portfolio review.
And she suggested expanding the cybersecurity category “to better address the ongoing and emerging challenges facing our nation, including mitigating global supply chain risks, and improving the implementation of government-wide cybersecurity initiatives.” She said GAO has done “recent work in each of these areas that will support a potential expansion in this category.”
Harris also urged a focus on IT modernization, based on the fact that about 60 percent of Federal IT funding is now spent on maintaining older systems. “The next logical step should be tracking agency progress in decommissioning their most critical legacy systems,” she offered.
Former GAO IT and Cybersecurity Director Dave Powner, who is now executive director of MITRE Corp.’s Center for Data-Driven Policy, pointed to improvements in Federal IT operations driven by the scorecard since 2015, and said “we need to get similar results in additional areas by updating the scorecard” to reflect pressing IT and cybersecurity challenges.
He proposed adding grading categories to reflect agency progress on: boosting cybersecurity; filling IT and cyber workforce gaps; modernizing legacy IT systems; budgeting to include Technology Business Management principles; and infrastructure improvement, including cloud adoption metrics.
On the cyber front in particular, he suggested using metrics that tie into the Biden administration’s cybersecurity executive order, including those related to zero trust security migration, and supply chain risk management best practices – and making those metrics consistent with FISMA reform legislation being considered by the House Oversight committee.
Former Federal CIO Suzette Kent, who now heads her own consulting firm, advised the subcommittee to consider a range of scorecard changes, including making cybersecurity metrics “more timely and reflective of the current threat environment.”
She also argued that IT modernization is a continuous process that “demands changes to some of the rigid funding and procurement processes to better align with multi-year initiatives, and best practices for modern technologies – the types of things that you’ve embedded into the goals for working capital.”
Noting that mobile digital technology is increasingly the dominant means of communication, Kent suggested using metrics that “highlight our progress towards digital and mobile-native platforms” and “quality customer experiences … on par with what citizens experienced in every other industry.”
She also supported the call for scorecard metrics on Federal workforce development to address current gaps. “Workforce Performance should be included because as we’re evolving the technology ecosystem, we cannot underinvest in our Federal workforce,” she said.
Finally, former Department of Homeland Security CIO Richard Spires, who now runs his own consulting firm, suggested that the subcommittee consider scorecard changes including adding an IT planning category. “Meaningful IT modernization starts with good planning, hence this category should reflect the maturity and focus on IT modernization” within agencies’ planning and enterprise architecture functions, he said.
He also seconded the calls for improved metrics for the cybersecurity category, and for mapping elements of the Biden administration’s cybersecurity executive order to that category.