Federal agencies received the highest number of ‘A’ grades ever on the 18th edition of the FITARA Scorecard issued on Friday by Rep. Gerry Connolly, D-Va., leading the congressman to make plans to evolve the scorecard with new categories.
Among the new category options that Rep. Connolly discussed today are ones that involve tracking agencies’ Federal AI workforce training, use of the Federal Risk and Authorization Management Program (FedRAMP), and tech project risk evaluations.
The FITARA Scorecard grades are compiled with input from the Government Accountability Office (GAO) and have been published semi-annually – usually by the House Oversight and Accountability Committee – since 2015. The scorecard grades the 24 largest Federal agencies on their progress across a range of IT-related categories.
Rep. Connolly – ranking member of the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation – hosted a roundtable discussion this morning with agency representatives to discuss the scorecard, rather than doing so through an official subcommittee hearing.
“This update demonstrates the highest number of ‘A’s by far ever recorded on a single scorecard,” Rep. Connolly said. “These improvements show continued proof of the scorecard’s effectiveness and highlights that there is now clear imperative and opportunities for categories and grading methodologies to evolve to better shine the light on agencies’ potential areas for improvement.”
“This process has been one of constant evolution as we receive feedback on how better to use the scorecard and improve it, especially as we’ve achieved our goals of improving agency performance in various categories and work to identify new ones,” he added.
For example, Rep. Connolly explained that as agencies achieved their data center consolidation goals, the scorecard then evolved to focus on cloud procurement and management.
The cloud computing category is a relatively new addition to the scorecard, having been adopted as a grading category on the 17th edition of the scorecard issued in February of this year.
The congressman pointed out that agencies greatly improved in this category, going from one ‘A’ on the 17th edition to eight ‘A’s on the latest iteration of the scorecard.
Carol Harris, a director of information technology and cybersecurity at GAO, noted that as of today, the implementation of FITARA has resulted in $31.4 billion in cost savings across the Federal government.
“The scorecard continues to be a very highly effective tool for driving behaviors by the agencies,” Harris said, adding that she commends the agencies for their work in prioritizing the new cloud category since February.
“While we commend the progress that the agencies have made, we don’t want to declare victory because Federal IT acquisitions and operations continue to be a major area in the GAO High-Risk List,” Harris said. “We need to continue to evolve the scorecard and add new categories to reflect other longstanding IT management challenges, the Federal IT workforce is one.”
Harris said that GAO is also looking to evolve the cyber category “to get a more forward-looking picture of cyber hygiene.” Additionally, she said the watchdog agency hopes to address the adoption of emerging technologies, such as artificial intelligence.
Looking ahead, Rep. Connolly agreed that these categories could all make it onto a future FITARA Scorecard. When it comes to AI, however, he said that the first concern that Congress may want to monitor is AI workforce recruitment, training, and retention.
One area that he said will “certainly” be on a coming FITARA Scorecard is FedRAMP compliance.
Rep. Connolly fought for the passage of the FedRAMP Authorization Act, which was approved by Congress late in 2022 as part of the fiscal year (FY) 2023 National Defense Authorization Act (NDAA).
The White House’s Office of Management and Budget (OMB) released long-awaited guidance to overhaul FedRAMP in July, putting the new law into effect and replacing the policy created for the program when it began in 2011.
“The intent of that legislation is to not only codify the FedRAMP process and law, but to expedite and limit cost exposure in the process so people can get certified in a predictable, reliable, cost-effective, and timely way,” Rep. Connolly said. “We want to eliminate multi-year, multi-million dollar exercises, and that requires agency sponsorship.”
“We want to be fair to the private sector that wants to provide services to the Federal government. We also want to make sure that there’s the opportunity for competition. So, FedRAMP is really important. I think that’s in our future,” he said.
GAO Says OMB is Not Meeting FITARA Requirements
Another area that Rep. Connolly said he plans to look into is risk, particularly why OMB is not meeting the requirements set forth under FITARA for high-risk IT investments.
In a report published Friday morning, GAO revealed that OMB is not fully addressing key statutory requirements under FITARA for IT portfolio management oversight.
Specifically, OMB is not following any of the three requirements on high-risk IT investments. This means that many high-risk IT programs are not getting reviewed by OMB, even though the law requires the agency to do so.
Kevin Walsh, also a director of IT and cybersecurity at GAO, told Rep. Connolly during the roundtable that these are the kinds of reviews that need to happen “before things go wrong.”
“We identified 17 investments at eight agencies that should have been reviewed at some point during the three-year period to be exempt,” Walsh explained. “Of the 17 investments that should have been reviewed, nine were reviewed to some degree, but none of them fully met FITARA’s requirements.”
Walsh stressed that these investments are “not chump change,” noting that “agencies plan to spend almost $300 million on these 17 this past fiscal year alone.”
“OMB is focused on other things. However, discounting these responsibilities is not an option. These investments are critical to the functioning of our government and nation,” Walsh said.
Rep. Connolly agreed, adding, “One of the concerns I’ve got in getting ready for this scorecard is that OMB seems to have moderated its compliance with the risk provision of the law.”
“I don’t want OMB making arbitrary decisions about what will be reviewed by way of risk,” the congressman said. “The intent of the law here is to have a process so that we’re not making bad mistakes, that we all can see the same thing and maybe make corrections early on … but we can’t do that if we’re not monitoring risk in a robust fashion. So, we’ll have to look at that as well.”
Finally, Rep. Connolly once again expressed his disappointment that Rep. Nancy Mace, R-S.C., the chairwoman of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, “turned her back on the FITARA Scorecard.”
“I hope we can return to traditional, bipartisan, biannual oversight hearings on the FITARA Scorecard,” he said. “I assure you, I ain’t giving up, and I ain’t going anywhere. And assuming the voters will have me back, we’ll be doing this again next year – either as a roundtable or as a hearing.”