FITARA Scorecard Archives | FedScoop https://fedscoop.com/tag/fitara-scorecard/ FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals. Fri, 02 Feb 2024 16:24:06 +0000

FITARA scorecard adds cloud metric, prompts expected grade declines https://fedscoop.com/fitara-scorecard-adds-cloud-metric-prompts-expected-grade-declines/ Thu, 01 Feb 2024 23:30:28 +0000 https://fedscoop.com/?p=75884 Lower grades were anticipated with the addition of a cloud metric in the 17th FITARA scorecard, Rep. Connolly said. “The object here is to move up.”

A new version of an agency scorecard tracking IT modernization progress unveiled Thursday featured tweaked and new metrics, including one for cloud computing that caused an anticipated falter in agency grades. 

The latest round of grading awarded one A, 10 Bs, 10 Cs, and three Ds to federal agencies, Rep. Gerry Connolly, D-Va., announced at a roundtable discussion on Capitol Hill. While the grades were generally a decline from the last iteration of the scorecard, Connolly said that starting at a “lower base” was expected with the addition of a new category. “The object here is to move up.”

Carol Harris, director of the Government Accountability Office’s IT and Cybersecurity team, who was also at the roundtable, similarly attributed the decline to the cloud category.

“A large part of this decrease in the grades was driven by the cloud computing category, because it is brand new, and it’s something that we’ve not had a focus on relative to the scorecard,” Harris said.

The FITARA scorecard is a measure of agency progress in meeting requirements of the 2024 Federal IT Acquisition Reform Act that has over time added other technology priorities for agencies. In addition to cloud, the new scorecard also changed existing metrics related to a 2017 law, added a new category grading IT risk assessment progress, and installed a progress tracker.

“I think it’s important the scorecard be a dynamic scorecard,” Connolly said in an interview with FedScoop after the roundtable. He added: “The goal isn’t, let’s have brand new, shiny IT. It’s to make sure that our functions and operations are better serving the American people and that they’re protected.”

Harris also underscored the accomplishments of the scorecard, citing $4.7 billion in savings as a result of closing roughly 4,000 data centers and $27.2 billion in savings as the result of eliminating duplicative systems across government.

“So, tremendous accomplishments all coming out of FITARA and the implementation of FITARA,” she said.

The Thursday roundtable featured agency representatives from the Office of Personnel Management, the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the U.S. Agency for International Development. USAID was the only agency to get an A.

Updated scorecard

Among the changes, the new scorecard updated the existing category for Modernizing Government Technology to reflect whether agencies have an account dedicated to IT that “satisfies the spirit of” the Modernizing Government Technology Act, which became law in 2017.

Under that metric, each agency must have a dedicated funding stream for government IT that’s controlled by the CIO and provides at least three years of flexible spending, Connolly said at the roundtable.

The transparency and risk management category has also evolved into a new CIO investment evaluation category, Connolly said in written remarks ahead of the roundtable. That category will grade how recently each agency’s IT Dashboard “CIO Evaluation History” data feed reflects new risk assessments for major IT investments, he said.

The 17th scorecard also added a progress tracker, which Connolly said Democrats on the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation worked on with the GAO to create. Connolly is the ranking member of that subcommittee.

“This section will provide transparency into metrics that aren’t being regularly updated or do not lend themselves to grading across agencies,” Connolly said, adding the data “still merits congressional attention, and we want to capture it with this tool.”

The progress tracker also allows stakeholders to keep tabs on categories the subcommittee has retired for the scorecard.

The release of a new scorecard has in the past been a hearing, but Connolly indicated the Republican majority declined to take the issue up. 

At the start of the meeting, Connolly said he was “disappointed” that “some of the Republican majority had turned their backs on FITARA.” He later noted that by “the difference of two votes, this would be called a hearing instead of a meeting.”

FITARA scorecard grades in September were also announced with a roundtable and not a hearing.

“FITARA is a law concerning federal IT management and acquisition,” a House Committee on Oversight and Accountability spokesperson said in a statement to FedScoop. South Carolina Republican Rep. Nancy Mace’s “subcommittee has held a dozen hearings in the past year concerning not only federal information technology management and acquisition, but also pressing issues surrounding artificial intelligence, and cybersecurity. These hearings have been a critical vehicle for substantive oversight and the development of significant legislation.”

This story was updated Feb. 2, 2024, with comments from a House Committee on Oversight and Accountability spokesperson.

Improving cloud procurement, consistent performance metrics among tech officials’ suggestions to Congress during FITARA meeting https://fedscoop.com/cloud-procurement-consistent-performance-metrics-among-tech-officials-suggestions-to-congress-during-fitara-meeting/ Wed, 27 Sep 2023 19:27:07 +0000 https://fedscoop.com/?p=73174 The statute that governs federal acquisition doesn’t currently have a definition for cloud, posing challenges, GAO’s Carol Harris noted at the roundtable with Rep. Gerry Connolly.

Federal IT leaders suggested changing statute to improve the procurement of cloud services for the federal government and creating consistency across cybersecurity performance metrics in a meeting with Rep. Gerry Connolly, D-Va.

The suggestions were among those that seemed to generate interest at a Tuesday roundtable on Capitol Hill, including some legislative interest in fixing cloud procurement from Connolly, the ranking member of the House Committee on Oversight and Reform’s subcommittee focused on cybersecurity and IT. 

The roundtable discussion followed the release of the latest Federal IT Acquisition Reform Act (FITARA) scorecard, which measures agency progress in meeting that statute’s requirements, and centered on how agencies are progressing with cybersecurity improvements in government.

Those in attendance included IT and cyber officials from the departments of Commerce, Veterans Affairs and State, Social Security Administration, Government Accountability Office, and General Services Administration.

Among the challenges for the government procuring cloud services is an absence of the definition of “cloud” in the Federal Acquisition Regulation (FAR), Carol Harris, a director for GAO’s IT and cybersecurity team, noted at the meeting. Harris said the GAO is currently looking into the main challenges for cloud procurement.

“In addition, there’s not a type of contract available that covers a consumption-based pricing model, which is what you do when you procure cloud,” Harris said. “And so because of these outdated requirements in the FAR, these agencies are having to do these workarounds, and that’s a major problem.”

Harris suggested there’s an opportunity for congressional action. 

“I have to admit, I did not know, and neither did GAO until recently, that the FAR – the major procurement vehicle of the federal government — has no definition of cloud,” Connolly told FedScoop after the meeting. 

He added: “We’re going to fix that.”

Harris also noted that there are challenges for agencies in how to effectively hire employees with cloud expertise, and agencies are awaiting requirements and deadlines from the Office of Management and Budget on the application rationalization component of the government’s cloud computing strategy “Cloud Smart.” 

Another suggestion on the performance metrics themselves came from Kelly Fletcher, chief information officer for the State Department, who pointed to the volume of cybersecurity scores agencies are given, including FITARA and Performance.gov metrics.

“In no way to impugn any of the scores, I think they’re all really valuable, but the problem is when I try to explain to my leadership ‘how are we doing on cybersecurity,’ frankly, I can pick and choose,” Fletcher said. 

She added: “I think some consistency across these public metrics would be very helpful.”

Connolly, in response, noted that FITARA is tied to the elements in the statute it stems from, but said he wasn’t sure if lawmakers were aware there were competing scores when they created the scorecard. “I think it’s good feedback for us to try to at least stay cognizant of those other measurements,” Connolly said.

One-third of agencies make gains in latest FITARA scorecard https://fedscoop.com/one-third-of-agencies-make-gains-in-latest-fitara-scorecard/ Tue, 26 Sep 2023 13:01:00 +0000 https://fedscoop.com/?p=73119 The number of CFO Act agencies receiving A grades on the 16th FITARA Scorecard grew to three since the previous grades were issued in December 2022.

Eight federal agencies saw their grades under Congress’ FITARA Scorecard improve since last December, while the rest maintained their previous score on the latest iteration, released Tuesday morning.

The number of CFO Act agencies receiving A grades on the 16th FITARA Scorecard — a measure of CIOs’ progress in meeting the requirements of the 2024 Federal IT Acquisition Reform Act that has evolved to incorporate other tech policies, laws and programs — grew to three since the previous grades were issued in December 2022. Those top-graded agencies are the departments of Education and Labor, and the U.S. Agency for International Development, which was the only one to earn an A last time around.

Meanwhile, six other agencies also improved their overall scores from a C to a B: the departments of Agriculture, Energy, Homeland Security and Interior, Office of Personnel Management, and Social Security Administration.

The rest of the field remained unchanged, sitting with either B or C grades.

Typically the House Oversight Committee hosts a hearing to review what’s been a biannual scorecard release since 2015 and calls on a variety of CIOs and federal IT leaders to testify on progress. But this time around, more than nine months since the last scorecard’s release, the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation will host a roundtable led by Ranking Member Rep. Gerry Connolly, D-Va., on Tuesday afternoon with representatives from the Government Accountability Office, General Services Administration, departments of State, Veterans Affairs and Commerce, and Social Security Administration.

In his prepared opening remarks for that roundtable, Connolly said: “While the Chairwoman [Rep. Nancy Mace] has an ambitious agenda this Congress, we could not allow a lapse in having a scorecard and we remain committed to working with Chairwoman Mace on the evolution of the FITARA Scorecard and have been collaborative in changes.”

“While I look forward to our Subcommittee FITARA oversight hearing later this year, we cannot abandon our traditional biannual oversight cadence of FITARA. As we consider incorporating many insights offered at today’s discussion into future FITARA Scorecards, I look forward to collaborating beyond just this event to create a thoughtful, effective, and bipartisan tool that empowers our CIOs and then holds them accountable for transformational IT change.”

Based on the scorecard the committee provided to FedScoop in advance of the roundtable, it appears a pair of new categories are being previewed for addition to the tool: one focused on cloud and another that is an aggregate measuring CIO reporting structure, budget and acquisitions.

7 agencies improve FITARA grades amid more scorecard changes https://fedscoop.com/fitara-15-0-scorecard-grades/ Thu, 15 Dec 2022 21:00:00 +0000 https://fedscoop.com/fitara-15-0-scorecard-grades/ All other agencies' grades remained unchanged.

Seven agencies improved their FITARA scorecard grades after the Government Accountability Office continued to update its scoring methodology around data center consolidation, cybersecurity and network modernization components.

The grades of the Commerce, Defense, Justice, Transportation, and Treasury departments, as well as the Environmental Protection Agency and NASA rose. All other agencies’ grades remained unchanged.

GAO began issuing grades biannually in November 2015 to monitor agencies’ progress implementing IT modernization and cybersecurity improvements required by the Federal Information Technology Acquisition Reform Act (FITARA). Evolving the scorecard has long been a priority of Rep. Gerry Connolly, D-Va., who aspired to House Oversight Committee chairmanship before Republicans wrested control of the House in the November election.

“We must continue to reap dividends from modernizing legacy IT systems, migrating to the cloud and maintaining a strong cyber posture,” Connolly said in a statement. “I look forward to continuing the scorecard and the longstanding tradition of bipartisan FITARA oversight in the 118th Congress.”

The FITARA 15.0 scorecard further modifies the new data center consolidation component to give credit to agencies that justified future data center closures. Agencies responding with no future closures received A grades, and the five that justified their need for future closures received Bs.

GAO changed cyber component scoring to a weighted, rather than traditional, average. The predominant Federal Information Security Modernization Act maturity level among all 24 agencies scored was level four, managed and measurable security, which meant the General Services Administration and National Science Foundation scored more than 100% for their optimized postures and received A grades.

Lastly, GAO changed its scoring of agencies’ transition from expiring telecommunications and network contracts to the $50 billion Enterprise Infrastructure Solutions modernization vehicle. GSA expected agencies to be 90% transitioned by March and 100% transitioned by September, so July’s FITARA 14.0 scorecard graded their progress toward the 90% benchmark with 11 receiving Fs.

For FITARA 15.0, GAO cracked down by issuing pass-fail grades based on whether an agency reached the 90% benchmark with 19 receiving Fs. Only the U.S. Agency for International Development achieved 100% transitioned by GSA’s deadline while the Health and Human Services and Treasury departments and NASA and Nuclear Regulatory Commission passed for being more than 90% transitioned.

Clare Martorana says FITARA scorecard should retain CIO reporting relationship metric https://fedscoop.com/clare-martorana-says-fitara-scorecard-should-retain-cio-reporting-relationship-metric/ Fri, 16 Sep 2022 19:42:17 +0000 https://fedscoop.com/?p=60517 The scorecard currently includes a "CIO direct reporting" component, which assesses how much real authority each agency gives to their top IT leader.

Federal chief information officer Clare Martorana Friday pushed for the retention of CIO reporting relationship metrics within the Federal Information Technology Acquisition Reform Act scorecard.

Giving evidence during a federal IT modernization House Subcommittee on Government Operations hearing Friday morning, she highlighted the role the scorecard has played in codifying the authority of CIOs within the C-suite of federal government departments.

“[W]e have found that agency CIOs must also have a voice as strategic executive ‘C-suite’ partners to ensure the cybersecurity posture of the agency is strong and the agency is on an accelerated path to IT modernization. We therefore recommend that the CIO Reporting Relationship metric be retained in the FITARA Scorecard,” she said in evidence to lawmakers.

Currently, the scorecard includes a “CIO direct reporting” component, which assesses how much real authority agencies give to their IT leaders. It is intended to give visibility of the ease with which CIOs can make their views heard to the head or deputy head of their respective government department.

Martorana’s comments come amid a debate among technologists and lawmakers over what information should be included within the FITARA biannual scorecards. Earlier this year, grades of eight agencies fell following a revision of the methodology used to assess federal government departments’ IT modernization progress as part of the scorecard.

The agencies whose scorecard grades decreased were the departments of Commerce, Defense, Homeland Security, Transportation, and Treasury; Environmental Protection Agency; National Science Foundation; and Office of Personnel Management.

The FITARA scorecard has also ensured agencies used the IT portfolio management tool PortfolioStat to achieve the best possible value for taxpayers.

PortfolioStat, which was launched by the Office of Management and Budget in 2012, is a tool used by agencies to assess the current maturity of their IT portfolios and eliminate duplication across their organizations.

Rep. Connolly launches bid for House Oversight Committee leadership https://fedscoop.com/connolly-seeks-house-oversight-ranking-democrat/ Wed, 24 Aug 2022 18:02:48 +0000 https://fedscoop.com/?p=58981 He is the first lawmaker to announce their candidacy for the soon-to-be-vacant ranking Democrat position.

A senior lawmaker with significant federal IT expertise on Wednesday announced his candidacy for the role of ranking Democrat on the House Committee on Oversight and Reform.

In a statement Wednesday announcing his bid, Connolly, who already chairs the Subcommittee on Government Operations, highlighted his 14-year commitment to modernizing government, the federal workforce and U.S. Postal Service reform.

“We need a tested leader, who will not be timid in the face of Republican insurrectionists,” Connolly said in his announcement. “One who has a deep understanding of the issues facing our committee and our country.”

If Connolly is selected for the post, it could augur a more detailed approach to IT modernization issues from the House Oversight Committee during the 118th Congress.

The position opened up when committee chair Rep. Carolyn Maloney, N.Y., lost her primary to Rep. Jerry Nadler on Tuesday due to redistricting, though more senior members — Del. Eleanor Holmes Norton, D.C., and Rep. Stephen Lynch, Mass., who’s previously expressed interest — may stand in Connolly’s way.

Technology issues Connolly has championed include regular updating of the Federal IT Acquisition Reform Act scorecard, increased investment in the Technology Modernization Fund, and codification of the Federal Risk and Authorization Management Program. Connolly also helped establish the bipartisan House IT modernization caucus.

Even if Connolly wins, there’s no guarantee he’ll become committee chair with Republicans expected to take back the House in the November midterm elections.

Republican victory could scuttle hopes of increased attention being paid to agencies’ IT and cybersecurity needs, with party members already promising to investigate President Biden via the committee like Democrats have former President Trump.

“Our caucus must continue to repair the damage left by the Trump administration, while also protecting the progress made by President Biden and our Democratic majorities,” Connolly said in his statement.

8 agencies receive lower FITARA grades following scoring changes https://fedscoop.com/8-agencies-lower-fitara-grades/ Thu, 28 Jul 2022 13:00:00 +0000 https://fedscoop.com/?p=56661 The Nuclear Regulatory Commission was the only agency whose grade increased from a C- to a B.

The FITARA grades of eight agencies have fallen after the House Oversight Committee revised the methodology used to assess federal government departments’ IT modernization progress.

Agencies whose scorecard grades decreased were the departments of Commerce, Defense, Homeland Security, Transportation, and the Treasury; Environmental Protection Agency; National Science Foundation; and Office of Personnel Management.

The Nuclear Regulatory Commission was the only agency whose grade increased from a C- to a B.

FITARA scorecard grades were first issued in November 2015 as a means of monitoring agencies’ progress in implementing cybersecurity and IT modernization improvements required under the Federal Information Technology Acquisition Reform Act (FITARA). They are issued twice a year by the Government Accountability Office.

Recent changes to the assessment methodology included retiring the Data Center Optimization Initiative (DCOI) component.

FITARA requires agency chief information officers (CIOs) to certify IT investments are achieving incremental development, and committee staff reverted to letting CIOs self-certify software development projects for the 14.0 scorecard. The 24 Chief Financial Officers Act agencies reported one more acting CIO than in January, bringing the total to three.

Source: FedScoop / House Committee on Oversight and Reform.

Lawmakers made changes to the grading methodology after all agencies received As on the FITARA 13.0 scorecard in January and the cybersecurity component was adjusted due to a lack of cross-agency priority (CAP) goal data.

Agencies’ FITARA grades stagnated in the last two scorecards, which Rep. Gerry Connolly, D-Va., attributed to a failure to incentivize them to improve their IT — given the limited data available and tight six-month turnaround for grading. Connolly chairs the Government Operations subcommittee that holds hearings on the scorecard like the one Thursday morning.

Despite the changes in methodology for FITARA 14.0, 15 agencies’ grades remained the same. That number would have been 20 under the old methodology, and four agencies would have increased their grades.

Committee staff replaced the scorecard’s DCOI component with a new data center consolidation component addressing future planned closures, which is previewed but not included in agencies’ overall grades yet. Seven agencies have no plans for future data center closures.

Agencies continue to struggle with the transition from the General Services Administration’s expiring telecommunications contracts to the $50 billion Enterprise Infrastructure Solutions (EIS) contract for network and infrastructure modernization. They were expected to be 90% transitioned by March and 100% transitioned by September.

Eleven agencies received Fs for their EIS transitions, four fewer than last time. GSA, itself, raised its F grade to a D since January.

GSA gauging which agencies will extend network, telecom services on legacy contracts https://fedscoop.com/gsa-gauging-agencies-extending-network-services/ Tue, 14 Jun 2022 19:57:47 +0000 https://fedscoop.com/?p=53703 The departments of Defense, Homeland Security and Justice and the Government Accountability Office are likely candidates given outstanding task orders.

The General Services Administration expects most agencies that still haven’t awarded Enterprise Infrastructure Solutions task orders to continue services on expiring contracts another year, said Allen Hill, deputy assistant commissioner of IT Category, Tuesday.

The departments of Defense, Homeland Security and Justice and the Government Accountability Office all had unawarded EIS task orders as of May 26.

GSA invoked the continuity of service (CoS) clause for three legacy enterprise network and telecommunication contracts, giving agencies until Sept. 30, 2022, to sign a memorandum of understanding (MOU) that they’ll either complete their transitions to the $50 billion EIS contract or find another solution by May 31, 2024.

“We don’t know the number yet,” Hill said, during an ACT-IAC event. “But we have had some agencies come back and say they do intend to sign the MOU without a doubt.”

Hill didn’t name those agencies but said GSA is in discussions with them about how it can help, although options are limited at this point in the transition process.

Legacy Networx, local service and Washington Interagency Telecommunications System (WITS) 3 contracts will still expire on May 31, 2023, but GSA hopes invoking the CoS clause will help agencies — which may have experienced pandemic-related supply chain disruptions — avoid future service interruptions.

The next EIS deadline for agencies is Sept. 30, 2022, when 100% of their telecom inventory is expected to be transitioned to EIS. A total of 118 out of 222 agencies met the 90% disconnection deadline of March 31, particularly small ones.

Depending on how an agency is transitioning, the percentage of services disconnected doesn’t necessarily indicate progress, but agencies should be executing work orders so vendors can get started, Hill said.

Several agency officials said the Federal IT Acquisition Reform Act (FITARA) 13.0 scorecard — in which 15 out of 24 agencies received F grades on their EIS transitions —  caused their leadership to put more resources toward the effort.

“As soon as you get that bad grade, now all of a sudden: What’s happening?” said David Naugle, senior IT specialist at the Social Security Administration.

SSA leadership began investing in projects holding its EIS transition up, after the agency received a D in that area on the FITARA 13.0 scorecard, and now it’s on pace to migrate the remainder of its services by the end of the fiscal year, Naugle said.

Naugle estimates SSA is saving $80 million a year since it awarded its data network services EIS contract, and savings will increase to 54% once voice services contract work is completed.

The average agency should see around 25% cost savings post-transition, Allen said.

Agencies like the U.S. Department of Agriculture, which will be running two networks a while longer, haven’t realized those savings quite yet.

“We won’t see any avoidance or savings until we get that sorted out,” said Gary Washington, chief information officer of USDA.

Agencies continue to struggle with data center optimization https://fedscoop.com/data-center-optimization-struggles/ Wed, 09 Mar 2022 11:44:02 +0000 https://fedscoop.com/?p=48414 A total of 25 GAO recommendations regarding virtualization, availability, advanced energy metering and underutilized server metrics have gone unaddressed.

Some agencies continue to struggle optimizing their existing data centers due to technical and budget constraints, according to a Government Accountability Office report released Tuesday.

GAO found five out of 17 agencies reviewed failed to meet the Office of Management and Budget’s metric for reducing the number of servers and mainframes serving as virtual hosts in their data centers, as well as increasing the amount of advanced energy metering covering their floorspace.

OMB’s Data Center Optimization Initiative (DCOI) has agencies consolidate inefficient infrastructure, optimize what’s left and migrate to the cloud, with all 24 Chief Financial Officers Act agencies receiving an A grade for their performance on the most recent Federal IT Acquisition Reform Act scorecard in January. But data center closures and resulting cost savings should slow, making optimization — an area where agencies have yet to address 25 GAO recommendations — all the more important.

“Until agencies fully address all previous GAO recommendations to meet their optimization performance targets, they are unlikely to fully realize the expected benefits, including cost savings from DCOI,” reads GAO’s report.

In addition to virtualization and advanced energy metering metrics, four agencies failed to adequately use production servers in their data centers and one agency saw more data center downtime than OMB expects. A total of seven agencies were exempted from optimization by OMB.

To date, agencies have saved $6.6 billion consolidating and optimizing data centers since fiscal 2012. GAO’s report ran through August 2021 and found agencies had closed 51 data centers that fiscal year, for $335.88 million in savings, with 29 more closures planned and their cost savings goal well within reach.

But agencies expect only 83 more closures between 2022 and 2025 for $46.32 million in savings and will need to shift their focus toward unaddressed optimization metrics, according to the report.

Dunkin: DOE’s cybersecurity posture ‘stronger’ than D grade reflects https://fedscoop.com/doe-cyber-posture-d-grade/ Thu, 20 Jan 2022 22:52:47 +0000 https://fedscoop.com/?p=46829 The CIO responded to criticism her department's priorities aren't in order and leave it vulnerable to attack.

The Department of Energy’s D grade for cybersecurity on the FITARA 13.0 scorecard doesn’t accurately reflect its security posture, according to Chief Information Officer Ann Dunkin.

DOE plans to deploy hardware and software tools through the Continuous Diagnostics and Mitigation (CDM) Program that will improve asset management within three to six months, Dunkin said, during the House Oversight and Reform Subcommittee on Government Operations’ FITARA hearing Thursday.

Dunkin was responding to criticism from Rep. Andrew Clyde, R-Ga., that DOE’s cyber priorities don’t seem in order, given its purview over weapons-grade nuclear material not to mention the electric grid and potentially pipelines if House legislation passes.

“We believe that our security posture is stronger than the FISMA score reflects,” Dunkin said. “And you will start to see, over the next few months in the quarterly reports, improvements in those metrics as we implement some specific CDM capabilities that we have not yet implemented.”

Clyde took issue with DOE’s stated priorities of addressing the climate crisis, clean energy union jobs and energy justice, which Dunkin was quick to point out are set by Secretary Jennifer Granholm and not specific to her office.

The representative asked if, given DOE’s Federal Information Security Management Act (FISMA) grade on FITARA 13.0, U.S. infrastructure, national security sites, or soft or hard targets had been exposed to cyberattacks.

“With a grade of D, that doesn’t give me a whole lot of confidence,” Clyde said. “I think that the Department of Energy’s priorities are a little misguided here.”

The specifics of DOE’s security posture and cyberattacks should be discussed in a classified briefing, Dunkin said, which both Clyde and subcommittee chair Rep. Gerry Connolly, D-Va., expressed interest in holding.

At a high level DOE continues to enhance visibility into IT resources and investments, support CIO and IT management authorities, improve its cyber posture, issue policies for IT management, and strengthen governance and oversight, Dunkin said.

DOE scored an A on its data center optimization but still plans to close seven more by 2025, Dunkin said.

The department uses a working capital fund for some of its IT acquisitions but is exploring the creation of a second such fund for modernization, Dunkin said.

In addition to the forthcoming CDM tools, DOE invested in vulnerability management, data analytics, crowdsourced penetration testing and enhanced training. DOE also recently launched the Omni Technology Alliance Internship Program to create a cyber and IT talent pipeline.

Multiple panelists at Thursday’s hearing, not just Dunkin, criticized FITARA’s current cyber component for not adequately measuring agencies’ cyber postures. Several proposed tying FITARA metrics to recent cyber directives.

“The good news is that the recent executive order on cybersecurity, issued in May of 2021, can serve as a blueprint for what federal agencies should be doing to enhance their cybersecurity position,” said Richard Spires, former CIO at the Department of Homeland Security. “In particular the EO places special emphasis on agencies implementing a zero-trust architecture, having holistic visibility across one’s IT infrastructure, implementing secure guidelines in cloud computing environments, focusing on protecting high-value data and assets, and dealing with supply chain issues.”
