Federal Information Technology Acquisition Reform Act (FITARA) Archives | FedScoop
https://fedscoop.com/tag/federal-information-technology-acquisition-reform-act-fitara/

Ernst seeks information about SBA’s artificial intelligence use cases, IT work
https://fedscoop.com/ernst-seeks-sba-ai-use-case-it-information/
Fri, 31 May 2024 21:24:47 +0000
In a letter, the Senate Republican questioned why the SBA hadn’t disclosed artificial intelligence uses in its inventory, alleging the agency was out of compliance.

Sen. Joni Ernst, R-Iowa, is seeking information about the Small Business Administration’s IT investments and alleged undisclosed artificial intelligence use cases.

In a letter dated May 9 and made public this week, Ernst primarily requested details about how the SBA is managing IT investments through its IT Working Capital Fund, which the Iowa Republican said the agency hasn’t used appropriately. But she also probed the agency for details about its AI use cases, alleging the SBA had uses it hadn’t reported publicly in its annual inventory.

“In a recent interview, you stated that the SBA has embraced AI. Despite this, the SBA has not been transparent and reports that it has not used AI,” wrote Ernst, ranking member of the Senate Committee on Small Business and Entrepreneurship. 

AI use case inventories, which were required initially under a Trump-era executive order and later enshrined into statute, are intended to provide information about agency uses of the technology in disclosures posted on their websites. 

However, Stanford research, a Government Accountability Office review, and FedScoop reporting have found that AI inventories have lacked consistency and, in some cases, have omitted uses that should be made public. The Biden administration has recently expanded reporting requirements for those inventories and is looking to improve them.

While the SBA’s AI use case inventory currently shows no uses of the technology, Ernst cited several instances in which the agency had publicly touted AI use cases.

She highlighted a May 2023 press release that stated “SBA will use advanced data analytics, third party data checks, and artificial intelligence tools for fraud review on all loans in the 7(a) and 504 Loan Programs prior to approval, starting August 1, 2023.” 

Ernst also pointed to a June 2023 press release that said the agency had used “several tools, including first-of-its-kind artificial intelligence,” to block millions of applications for pandemic relief that were ineligible, duplicative, or attempts at fraud.

In addition to IT investment information and AI disclosure, Ernst also requested information about how SBA planned to use its IT Working Capital Fund to improve its score for the Federal Information Technology Acquisition Reform Act.

Ernst said despite the establishment of the fund — which was created under the Modernizing Government Technology Act that became law in 2017 — SBA “has had declining performance in its efforts to manage IT and implement” FITARA. In the past three years, the agency hasn’t achieved higher than a “C” on its FITARA score, which tracks agency IT modernization progress.

The SBA confirmed to FedScoop that it had received the letter but didn’t provide further comment. Ernst had requested a response by May 23.

FITARA scorecard adds cloud metric, prompts expected grade declines
https://fedscoop.com/fitara-scorecard-adds-cloud-metric-prompts-expected-grade-declines/
Thu, 01 Feb 2024 23:30:28 +0000
Lower grades were anticipated with the addition of a cloud metric in the 17th FITARA scorecard, Rep. Connolly said. “The object here is to move up.”

A new version of an agency scorecard tracking IT modernization progress unveiled Thursday featured tweaked and new metrics, including one for cloud computing that caused an anticipated falter in agency grades. 

The latest round of grading awarded one A, 10 Bs, 10 Cs, and three Ds to federal agencies, Rep. Gerry Connolly, D-Va., announced at a roundtable discussion on Capitol Hill. While the grades were generally a decline from the last iteration of the scorecard, Connolly said that starting at a “lower base” was expected with the addition of a new category. “The object here is to move up.”

Carol Harris, director of the Government Accountability Office’s IT and Cybersecurity team, who was also at the roundtable, similarly attributed the decline to the cloud category.

“A large part of this decrease in the grades was driven by the cloud computing category, because it is brand new, and it’s something that we’ve not had a focus on relative to the scorecard,” Harris said.

The FITARA scorecard is a measure of agency progress in meeting requirements of the 2024 Federal IT Acquisition Reform Act that has over time added other technology priorities for agencies. In addition to cloud, the new scorecard also changed existing metrics related to a 2017 law, added a new category grading IT risk assessment progress, and installed a progress tracker.

“I think it’s important the scorecard be a dynamic scorecard,” Connolly said in an interview with FedScoop after the roundtable. He added: “The goal isn’t, let’s have brand new, shiny IT. It’s to make sure that our functions and operations are better serving the American people and that they’re protected.”

Harris also underscored the accomplishments of the scorecard, citing $4.7 billion in savings as a result of closing roughly 4,000 data centers and $27.2 billion in savings as the result of eliminating duplicative systems across government.

“So, tremendous accomplishments all coming out of FITARA and the implementation of FITARA,” she said.

The Thursday roundtable featured agency representatives from the Office of Personnel Management, the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the U.S. Agency for International Development. USAID was the only agency to get an A.

Updated scorecard

Among the changes, the new scorecard updated the existing category for Modernizing Government Technology to reflect whether agencies have an account dedicated to IT that “satisfies the spirit of” the Modernizing Government Technology Act, which became law in 2017.

Under that metric, each agency must have a dedicated funding stream for government IT that’s controlled by the CIO and provides at least three years of flexible spending, Connolly said at the roundtable.

The transparency and risk management category has also evolved into a new CIO investment evaluation category, Connolly said in written remarks ahead of the roundtable. That category will grade how recently each agency’s IT Dashboard “CIO Evaluation History” data feed reflects new risk assessments for major IT investments, he said.

The 17th scorecard also added a progress tracker, which Connolly said Democrats on the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation worked on with the GAO to create. Connolly is the ranking member of that subcommittee.

“This section will provide transparency into metrics that aren’t being regularly updated or do not lend themselves to grading across agencies,” Connolly said, adding the data “still merits congressional attention, and we want to capture it with this tool.”

The progress tracker also allows stakeholders to keep tabs on categories the subcommittee has retired for the scorecard.

In the past, the release of a new scorecard has been accompanied by a hearing, but Connolly indicated the Republican majority declined to take the issue up.

At the start of the meeting, Connolly said he was “disappointed” that “some of the Republican majority had turned their backs on FITARA.” He later noted that by “the difference of two votes, this would be called a hearing instead of a meeting.”

FITARA scorecard grades in September were also announced with a roundtable and not a hearing.

“FITARA is a law concerning federal IT management and acquisition,” a House Committee on Oversight and Accountability spokesperson said in a statement to FedScoop. South Carolina Republican Rep. Nancy Mace’s “subcommittee has held a dozen hearings in the past year concerning not only federal information technology management and acquisition, but also pressing issues surrounding artificial intelligence, and cybersecurity. These hearings have been a critical vehicle for substantive oversight and the development of significant legislation.”

This story was updated Feb. 2, 2024, with comments from a House Committee on Oversight and Accountability spokesperson.

Improving cloud procurement, consistent performance metrics among tech officials’ suggestions to Congress during FITARA meeting
https://fedscoop.com/cloud-procurement-consistent-performance-metrics-among-tech-officials-suggestions-to-congress-during-fitara-meeting/
Wed, 27 Sep 2023 19:27:07 +0000
The statute that governs federal acquisition doesn’t currently have a definition for cloud, posing challenges, GAO’s Carol Harris noted at the roundtable with Rep. Gerry Connolly.

Federal IT leaders suggested changing statute to improve the procurement of cloud services for the federal government and creating consistency across cybersecurity performance metrics in a meeting with Rep. Gerry Connolly, D-Va.

The suggestions were among those that seemed to generate interest at a Tuesday roundtable on Capitol Hill, including some legislative interest in fixing cloud procurement from Connolly, the ranking member of the House Committee on Oversight and Reform’s subcommittee focused on cybersecurity and IT. 

The roundtable discussion followed the release of the latest Federal IT Acquisition Reform Act (FITARA) scorecard, which measures agency progress in meeting that statute’s requirements, and centered on how agencies are progressing with cybersecurity improvements in government.

Those in attendance included IT and cyber officials from the departments of Commerce, Veterans Affairs and State, Social Security Administration, Government Accountability Office, and General Services Administration.

Among the challenges for the government in procuring cloud services is the absence of a definition of “cloud” in the Federal Acquisition Regulation (FAR), Carol Harris, a director for GAO’s IT and cybersecurity team, noted at the meeting. Harris said the GAO is currently looking into the main challenges for cloud procurement.

“In addition, there’s not a type of contract available that covers a consumption-based pricing model, which is what you do when you procure cloud,” Harris said. “And so because of these outdated requirements in the FAR, these agencies are having to do these workarounds, and that’s a major problem.”

Harris suggested there’s an opportunity for congressional action. 

“I have to admit, I did not know, and neither did GAO until recently, that the FAR – the major procurement vehicle of the federal government — has no definition of cloud,” Connolly told FedScoop after the meeting. 

He added: “We’re going to fix that.”

Harris also noted that there are challenges for agencies in how to effectively hire employees with cloud expertise, and agencies are awaiting requirements and deadlines from the Office of Management and Budget on the application rationalization component of the government’s cloud computing strategy “Cloud Smart.” 

Another suggestion on the performance metrics themselves came from Kelly Fletcher, chief information officer for the State Department, who pointed to the volume of cybersecurity scores agencies are given, including FITARA and Performance.gov metrics.

“In no way to impugn any of the scores, I think they’re all really valuable, but the problem is when I try to explain to my leadership ‘how are we doing on cybersecurity,’ frankly, I can pick and choose,” Fletcher said. 

She added: “I think some consistency across these public metrics would be very helpful.”

Connolly, in response, noted that FITARA is tied to the elements in the statute it stems from, but said he wasn’t sure if lawmakers were aware there were competing scores when they created the scorecard. “I think it’s good feedback for us to try to at least stay cognizant of those other measurements,” Connolly said.

One-third of agencies make gains in latest FITARA scorecard
https://fedscoop.com/one-third-of-agencies-make-gains-in-latest-fitara-scorecard/
Tue, 26 Sep 2023 13:01:00 +0000
The number of CFO Act agencies receiving A grades on the 16th FITARA Scorecard grew to three since the previous grades were issued in December 2022.

Eight federal agencies saw their grades under Congress’ FITARA Scorecard improve since last December, while the rest maintained their previous score on the latest iteration, released Tuesday morning.

The number of CFO Act agencies receiving A grades on the 16th FITARA Scorecard — a measure of CIOs’ progress in meeting the requirements of the 2024 Federal IT Acquisition Reform Act that has evolved to incorporate other tech policies, laws and programs — grew to three since the previous grades were issued in December 2022. Those top-graded agencies are the departments of Education and Labor, and the U.S. Agency for International Development, which was the only one to earn an A last time around.

Meanwhile, six other agencies also improved their overall scores from a C to a B: the departments of Agriculture, Energy, Homeland Security and Interior, Office of Personnel Management, and Social Security Administration.

The rest of the field remained unchanged, sitting with either B or C grades.

Typically the House Oversight Committee hosts a hearing to review what’s been a biannual scorecard release since 2015 and calls on a variety of CIOs and federal IT leaders to testify on progress. But this time around, more than nine months since the last scorecard’s release, the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation will host a roundtable led by Ranking Member Rep. Gerry Connolly, D-Va., on Tuesday afternoon with representatives from the Government Accountability Office, General Services Administration, departments of State, Veterans Affairs and Commerce, and Social Security Administration.

In his prepared opening remarks for that roundtable, Connolly said: “While the Chairwoman [Rep. Nancy Mace] has an ambitious agenda this Congress, we could not allow a lapse in having a scorecard and we remain committed to working with Chairwoman Mace on the evolution of the FITARA Scorecard and have been collaborative in changes.”

“While I look forward to our Subcommittee FITARA oversight hearing later this year, we cannot abandon our traditional biannual oversight cadence of FITARA. As we consider incorporating many insights offered at today’s discussion into future FITARA Scorecards, I look forward to collaborating beyond just this event to create a thoughtful, effective, and bipartisan tool that empowers our CIOs and then holds them accountable for transformational IT change.”

Based on the scorecard the committee provided to FedScoop in advance of the roundtable, it appears a pair of new categories are being previewed for addition to the tool: one focused on cloud and another that is an aggregate measuring CIO reporting structure, budget and acquisitions.

VA watchdog identifies missing approval records for $661.4M in IT contracts
https://fedscoop.com/va-watchdog-identifies-missing-approval-records-for-661-4m-in-it-contracts/
Mon, 03 Apr 2023 21:59:05 +0000
Missing records were identified through an audit of IT contracts signed between fiscal year 2018 and fiscal year 2021.

The Department of Veterans Affairs has identified missing approval records for department IT contracts worth about $661.4 million.

According to the department’s inspector general, the VA was not able to provide records for 4,513 contracts, which represents 39% of the IT contracts signed by the agency between March 2018 and the end of fiscal year 2021.

Per the 2015 Federal IT Acquisition Reform Act (FITARA), chief information officers at federal agencies must have visibility of IT contracting decisions and the power of approval. Where appropriate CIOs can designate other agency officials to act as their representatives, but they retain accountability for the contracts, according to the law.

In its report, the VA IG said: “For each contract action, we asked the department to provide evidence of approval or a rationale explaining why a FITARA review was not required. We revised our list based on VA’s responses and excluded any contract actions that were approved, as well as those contract actions with valid rationales for not needing FITARA approval. Following the review of VA’s responses, we identified the remaining list of potential IT contract actions as lacking evidence of FITARA approval.”

The audit was conducted between February 2022 and March 2023 and examined IT contracts that were signed between fiscal 2018 and 2021.

Late last month, Democrats on the House Committee on Veterans’ Affairs introduced a pair of bills that are intended to fundamentally reshape IT acquisition and management at the VA.

Reps. Mark Takano of California and Sheila Cherfilus-McCormick of Florida have proposed the Manage VA Act and the Department of Veterans Affairs IT Modernization Improvement Act, which are intended to spur a wider overhaul of how technology services are procured at the agency.

If enacted, the Manage VA Act would create a VA undersecretary for management post, which the lawmakers say would have the effect of consolidating and standardizing acquisition and IT functions across the department.

What the midterm results mean for federal IT leaders
https://fedscoop.com/what-the-midterm-results-mean-for-federal-it-leaders/
Fri, 11 Nov 2022 03:23:46 +0000
While the full outcome of the election remains uncertain, tech policy experts tell FedScoop how a Republican-led House could impact the day-to-day operations of government agency IT departments.

While control of Congress following Tuesday’s midterm elections is likely to remain unsettled for several more days, Republicans are still poised to take over the House of Representatives, setting up many confrontations with the Biden administration over the next two years.  

Speaking with FedScoop, senior members of the federal tech policy community explained what this could mean for day-to-day operations at the IT departments of government agencies, and outlined key issues C-suite leaders will have to face during the 118th Congress:

  • Increased oversight of IT and cybersecurity spending at federal agencies including the IRS, DHS and FTC
  • The departure of lawmakers and federal C-suite executives with IT expertise
  • Strong resistance to spending on disinformation programs that Republican lawmakers view as potentially curtailing free speech
  • Heightened focus on agency record-keeping  

Increased oversight

Federal agency leaders can expect increased oversight from Republican lawmakers as they ramp up opposition to the administration’s agenda. In particular, chief information officers and other senior officials with direct responsibility for IT project management should expect more frequent calls to attend congressional hearings and respond to questioning from lawmakers.

Scrutiny of federal agencies that have received substantial funding increases, including the Internal Revenue Service, Department of Homeland Security, Federal Trade Commission and Federal Communications Commission, is likely to be especially in-depth and potentially hostile.

As one federal IT policy expert told FedScoop: “The Republicans in the House are super-focused on oversight, and of the federal agencies, IRS is likely at the top of the list. They are not thrilled with the $80 billion allocated to the agency as part of the [Inflation Reduction Act].” 

Another IT policy expert agreed with this characterization and said the IRS would need to be ready “to make the case that investment in IT services is going to streamline and improve services for citizens.”

Republicans in both the House and Senate have expressed staunch opposition to the $80 billion the IRS received from the Inflation Reduction Act, of which $4.8 billion is allocated for revamping the agency’s antiquated IT and cybersecurity systems.

A September letter from Republican senators to outgoing IRS Commissioner Chuck Rettig sounded the alarm over “speculative return-on-investment” estimates from the IRS and Treasury Department over IT spending, including $347 million relating to a Foreign Account Tax Compliance Act compliance program.

Sens. Chuck Grassley, R-Iowa, and John Thune, R-S.D., last week announced their intention to introduce legislation that would give Congress a direct say in how the $80 billion in fresh funding for IRS is spent.

Carl Szabo, vice president of the tech industry group NetChoice, told FedScoop that Reps. James Comer, Cathy McMorris Rodgers and Jim Jordan, all of whom are slated to lead major committees in a GOP-led House, are sponsors of a bill to protect speech from government interference, and that they’re likely to use their new power to pursue deep-dive investigations into the tools being used by agencies, including DHS, to tackle misinformation.

Departure of expertise

A changing of the guard among lawmakers is likely to reduce focus on certain cybersecurity policy proposals including FISMA and FITARA reform. If the Republicans take the House, Rep. Gerry Connolly, D-Va., will lose his position as chairman of the House Oversight Subcommittee on Government Operations.

“No longer having Connolly setting the agenda will be a major setback for the federal IT community,” said one federal IT policy source. A potential Republican successor for Connolly remains uncertain, with lawmakers such as Rep. Nancy Mace, R-S.C., being floated as a candidate.

IT policy sources also emphasized that it will take several months for the Republican Party to hire sufficient staff to reshape the House committees, and that the likely structure of subcommittees remains uncertain. The House Oversight steering committee could, for example, establish a subcommittee focused specifically on federal IT operations.

In addition, heightened scrutiny from lawmakers raises the specter of further government agency IT leadership departures, even as government departments struggle to hire and retain cybersecurity talent. As one IT policy source put it: “If you’re going to get the s*** kicked out of you, are you going to stick around?”

Federal IT policy leaders speaking with FedScoop warned of a pressure-cooker environment on the Hill arising from the increased pace of oversight, but added that agency leaders have been preparing for this outcome and should have the support mechanisms in place to rebuff partisan attacks.

“Don’t forget that agencies and the White House are expecting this and have staffed up with lawyers and senior advisers,” said one policy expert.

Disinformation focus

House Republicans have expressed their intent to interrogate DHS’s attempts to tackle misinformation and disinformation. 

“All the key House Republicans that will lead tech-related committees are sponsors of legislation to protect speech from government interference, which would affect DHS activity significantly,” added Szabo. “They’ve openly said they’ll do a deep-dive investigation into misinformation and disinformation reduction efforts by the Biden administration and the tools and technologies the federal government is using to push social media platforms and the tech industry to moderate content or censor.” 

Democrats say disinformation — false information spread deliberately — is a threat to democracy and national security. However, an increasing number of Republicans regard attempts to counter disinformation as a threat to First Amendment rights.

In particular, Republicans have expressed concerns about a February bulletin from DHS saying the federal government plans to work with public and private sector partners, including major social media companies, to reduce the “proliferation of false or misleading narratives, which sow discord or undermine public trust in U.S. government institutions.” 

CISA also published a report in June setting out plans to tackle misinformation and disinformation that some Republicans have warned could result in censorship under the guise of national security or election security.

DHS provoked the ire of Republicans and stirred national controversy in April with its launch of a Disinformation Governance Board. The agency was pressured to backtrack and shut down the committee after it received criticism from both sides of the political aisle.

Digital record-keeping

Another key area where technology leaders can expect further attention from a Republican-led House of Representatives is in the area of digital record-keeping.

Top House Republicans earlier this month called out Securities and Exchange Commission Chairman Gary Gensler for inconsistencies and hypocrisy with digital record-keeping laws. Such criticism is likely to become more vocal, and it could result in fresh investigations being launched.

The controversial deletion of Secret Service phone data around the time of the Jan. 6 attack on the U.S. Capitol revealed wider systemic problems with federal digital records preservation. Republicans have already sent Biden administration officials hundreds of record preservation letters indicating their intent to probe the administration for illegal behavior, including regarding federal transparency laws.

“Republicans took aim at the SEC and Gary Gensler recently, so we expect that to continue in the majority because they’re mad at him for his ideological agenda and his record-keeping stuff,” said James Czerniawski, senior tech policy analyst at the conservative advocacy group Americans for Prosperity. “The Federal Trade Commission, which regulates tech companies, will also face scrutiny from Republicans for their policies and spending, including through records preservation.”

House Republicans that are likely to control key committees, including Jordan, Comer and Tom Emmer, sent the SEC a letter Nov. 2 pointing to reports that the agency was “failing to comply with federal record-keeping statutes.” 

The GOP letter also referred to recent litigation showing that the “SEC is failing to identify and produce records of official business conducted on non-email or ‘off-channel’ platforms, such as Signal, WhatsApp, Teams, and Zoom.” 

In addition, Republicans have criticized SEC officials for using the private communications platforms for official business, without producing these records in response to open-record requests, while at the same time aggressively enforcing record-keeping laws on Wall Street banks. The SEC in September fined Goldman Sachs, Morgan Stanley and other financial firms over $1.1 billion after bankers discussed deals and trades on their personal devices and apps.

Republicans on the House Judiciary Committee in August also sent the Federal Trade Commission a letter outlining their intent to investigate recent watchdog findings of the agency’s use of unpaid consultants and experts, and instructed the agency to preserve all relevant digital records.

Benjamin Freed contributed to this article.

Clare Martorana says FITARA scorecard should retain CIO reporting relationship metric
https://fedscoop.com/clare-martorana-says-fitara-scorecard-should-retain-cio-reporting-relationship-metric/
Fri, 16 Sep 2022 19:42:17 +0000
The scorecard currently includes a "CIO direct reporting" component, which assesses how much real authority each agency gives to their top IT leader.

Federal chief information officer Clare Martorana Friday pushed for the retention of CIO reporting relationship metrics within the Federal Information Technology Acquisition Reform Act scorecard.

Giving evidence Friday morning during a House Subcommittee on Government Operations hearing on federal IT modernization, she highlighted the role the scorecard has played in codifying the authority of CIOs within the C-suite of federal government departments.

“[W]e have found that agency CIOs must also have a voice as strategic executive ‘C-suite’ partners to ensure the cybersecurity posture of the agency is strong and the agency is on an accelerated path to IT modernization. We therefore recommend that the CIO Reporting Relationship metric be retained in the FITARA Scorecard,” she said in evidence to lawmakers.

Currently, the scorecard includes a “CIO direct reporting” component, which assesses how much real authority agencies give to their IT leaders. It is intended to give visibility of the ease with which CIOs can make their views heard to the head or deputy head of their respective government department.

Martorana’s comments come amid a debate among technologists and lawmakers over what information should be included within the FITARA biannual scorecards. Earlier this year, grades of eight agencies fell following a revision of the methodology used to assess federal government departments’ IT modernization progress as part of the scorecard.

The agencies whose scorecard grades decreased were the departments of Commerce, Defense, Homeland Security, Transportation, and Treasury; Environmental Protection Agency; National Science Foundation; and Office of Personnel Management.

The FITARA scorecard has also ensured agencies used the IT portfolio management tool PortfolioStat to achieve the best possible value for taxpayers.

PortfolioStat, which was launched by the Office of Management and Budget in 2012, is a tool used by agencies to assess the current maturity of their IT portfolios and eliminate duplication across their organizations.

FITARA has helped agencies save $24.8B on federal IT projects: GAO leader https://fedscoop.com/fitara-has-helped-agencies-save-24-8b-on-federal-it-projects-gao-leader/ Fri, 29 Jul 2022 20:51:15 +0000 https://fedscoop.com/?p=56907 Carol Harris says about 82% of federal government IT projects are now being developed using best practices set out in the FITARA scorecard.

The Federal Information Technology Acquisition Reform Act has helped federal agencies save a total of $24.8 billion on IT projects, according to a top Government Accountability Office official.

Speaking Thursday at a House Oversight and Reform Committee hearing accompanying the publication of the 14th iteration of the FITARA scorecard, the watchdog’s Director of Information Technology and Cybersecurity Carol Harris said the legislation — and the issuance of biannual scorecards — had ensured agencies used IT portfolio management tool PortfolioStat to achieve best possible value for taxpayers.

PortfolioStat, which was launched by the Office of Management and Budget in 2012, is a tool used by agencies to assess the current maturity of their IT portfolios and eliminate duplication across their organizations.

“While PortfolioStat is an OMB initiative, it should be noted that its sustained implementation and success would not be possible had it not been codified in FITARA and monitored over the years through your scorecard,” Harris told lawmakers.

According to Harris, roughly 82% of federal government IT projects are now being developed using best practices laid out in the scorecard.

The GAO IT leader was speaking following the publication of FITARA scorecard 14.0. The grades of eight agencies fell following a revision of the methodology used to assess federal government departments’ IT modernization progress.

Agencies whose scorecard grades decreased were the departments of Commerce, Defense, Homeland Security, Transportation, and Treasury; Environmental Protection Agency; National Science Foundation; and Office of Personnel Management.

“This downward pull [in scorecard grades] was largely due to the sunset of the existing data center category and a change in the cyber category scoring due to the absence of cross-agency priority goal data,” said Harris.

Lawmakers speaking alongside Harris at the hearing also highlighted the absence of cross-agency priority goal data in the scorecard’s cyber category, and called on the Biden administration to make sure such data is provided in the future. 

The chief information officers of the EPA, DOD and General Services Administration gave evidence at the hearing, and responded to questions from lawmakers about progress being made to move to GSA’s Enterprise Information Solutions contract.

GSA gauging which agencies will extend network, telecom services on legacy contracts https://fedscoop.com/gsa-gauging-agencies-extending-network-services/ Tue, 14 Jun 2022 19:57:47 +0000 https://fedscoop.com/?p=53703 The departments of Defense, Homeland Security and Justice and the Government Accountability Office are likely candidates given outstanding task orders.

The General Services Administration expects most agencies that still haven’t awarded Enterprise Infrastructure Solutions task orders to continue services on expiring contracts another year, said Allen Hill, deputy assistant commissioner of IT Category, Tuesday.

The departments of Defense, Homeland Security and Justice and the Government Accountability Office all had unawarded EIS task orders as of May 26.

GSA invoked the continuity of service (CoS) clause for three legacy enterprise network and telecommunication contracts, giving agencies until Sept. 30, 2022, to sign a memorandum of understanding (MOU) that they’ll either complete their transitions to the $50 billion EIS contract or find another solution by May 31, 2024.

“We don’t know the number yet,” Hill said, during an ACT-IAC event. “But we have had some agencies come back and say they do intend to sign the MOU without a doubt.”

Hill didn’t name those agencies but said GSA is in discussions with them about how it can help, although options are limited at this point in the transition process.

Legacy Networx, local service and Washington Interagency Telecommunications System (WITS) 3 contracts will still expire on May 31, 2023, but GSA hopes invoking the CoS clause will help agencies — which may have experienced pandemic-related supply chain disruptions — avoid future service interruptions.

The next EIS deadline for agencies is Sept. 30, 2022, when 100% of their telecom inventory is expected to be transitioned to EIS. A total of 118 out of 222 agencies met the 90% disconnection deadline of March 31, particularly small ones.

Depending on how an agency is transitioning, the percentage of services disconnected doesn’t necessarily indicate progress, but agencies should be executing work orders so vendors can get started, Hill said.

Several agency officials said the Federal IT Acquisition Reform Act (FITARA) 13.0 scorecard — in which 15 out of 24 agencies received F grades on their EIS transitions — caused their leadership to put more resources toward the effort.

“As soon as you get that bad grade, now all of a sudden: What’s happening?” said David Naugle, senior IT specialist at the Social Security Administration.

SSA leadership began investing in projects holding its EIS transition up, after the agency received a D in that area on the FITARA 13.0 scorecard, and now it’s on pace to migrate the remainder of its services by the end of the fiscal year, Naugle said.

Naugle estimates SSA is saving $80 million a year since it awarded its data network services EIS contract, and savings will increase to 54% once voice services contract work is completed.

The average agency should see around 25% cost savings post-transition, Allen said.

Agencies like the U.S. Department of Agriculture, which will be running two networks a while longer, haven’t realized those savings quite yet.

“We won’t see any avoidance or savings until we get that sorted out,” said Gary Washington, chief information officer of USDA.

Dunkin: DOE’s cybersecurity posture ‘stronger’ than D grade reflects https://fedscoop.com/doe-cyber-posture-d-grade/ Thu, 20 Jan 2022 22:52:47 +0000 https://fedscoop.com/?p=46829 The CIO responded to criticism her department's priorities aren't in order and leave it vulnerable to attack.

The Department of Energy’s D grade for cybersecurity on the FITARA 13.0 scorecard doesn’t accurately reflect its security posture, according to Chief Information Officer Ann Dunkin.

DOE plans to deploy hardware and software tools through the Continuous Diagnostics and Mitigation (CDM) Program that will improve asset management within three to six months, Dunkin said, during the House Oversight and Reform Subcommittee on Government Operations’ FITARA hearing Thursday.

Dunkin was responding to criticism from Rep. Andrew Clyde, R-Ga., that DOE’s cyber priorities don’t seem in order, given its purview over weapons-grade nuclear material, not to mention the electric grid and potentially pipelines if House legislation passes.

“We believe that our security posture is stronger than the FISMA score reflects,” Dunkin said. “And you will start to see, over the next few months in the quarterly reports, improvements in those metrics as we implement some specific CDM capabilities that we have not yet implemented.”

Clyde took issue with DOE’s stated priorities of addressing the climate crisis, clean energy union jobs and energy justice, which Dunkin was quick to point out are set by Secretary Jennifer Granholm and not specific to her office.

The representative asked if, given DOE’s Federal Information Security Management Act (FISMA) grade on FITARA 13.0, U.S. infrastructure, national security sites, or soft or hard targets had been exposed to cyberattacks.

“With a grade of D, that doesn’t give me a whole lot of confidence,” Clyde said. “I think that the Department of Energy’s priorities are a little misguided here.”

The specifics of DOE’s security posture and cyberattacks should be discussed in a classified briefing, Dunkin said, which both Clyde and subcommittee chair Rep. Gerry Connolly, D-Va., expressed interest in holding.

At a high level, DOE continues to enhance visibility into IT resources and investments, support CIO and IT management authorities, improve its cyber posture, issue policies for IT management, and strengthen governance and oversight, Dunkin said.

DOE scored an A on its data center optimization but still plans to close seven more by 2025, Dunkin said.

The department uses a working capital fund for some of its IT acquisitions but is exploring the creation of a second such fund for modernization, Dunkin said.

In addition to the forthcoming CDM tools, DOE invested in vulnerability management, data analytics, crowdsourced penetration testing and enhanced training. DOE also recently launched the Omni Technology Alliance Internship Program to create a cyber and IT talent pipeline.

Multiple panelists at Thursday’s hearing, not just Dunkin, criticized FITARA’s current cyber component for not adequately measuring agencies’ cyber postures. Several proposed tying FITARA metrics to recent cyber directives.

“The good news is that the recent executive order on cybersecurity, issued in May of 2021, can serve as a blueprint for what federal agencies should be doing to enhance their cybersecurity position,” said Richard Spires, former CIO at the Department of Homeland Security. “In particular the EO places special emphasis on agencies implementing a zero-trust architecture, having holistic visibility across one’s IT infrastructure, implementing secure guidelines in cloud computing environments, focusing on protecting high-value data and assets, and dealing with supply chain issues.”
