A lack of required cybersecurity performance data for the largest 24 Federal agencies over the first half of 2022 left the House Oversight and Reform Committee partly in the dark as it formulated cybersecurity-related grades for the 14th version of its FITARA Scorecard issued by the committee today.
The missing cybersecurity data became a major point of discussion today as the committee’s Government Operations Subcommittee held a hearing to discuss the new scorecard, how the scorecard is evolving by changing its grading categories, and what committee members and hearing witnesses want to see out of the grading exercise going forward.
As always, the easiest way to make sense of the committee’s multicolored scorecard is to view the data using MeriTalk’s FITARA Dashboard.
The latest scorecard features seven grading categories, down from eight on the December 2021 scorecard, because the category tracking Federal agency progress on the Data Center Optimization Initiative has been sunset. Removing that category, one in which all agencies had scored well in the past, accounts for the modest downward trend in overall agency FITARA grades; it does not reflect any wholesale backsliding on the part of agencies.
With cybersecurity at the forefront of so many Federal technology initiatives, the incomplete nature of the grading for agencies on the 14th version of the FITARA Scorecard quickly became a hot-button issue at the hearing.
Committee members said today that the Office of Management and Budget (OMB) failed in its statutory obligation to deliver key agency-specific cybersecurity data derived from compliance with the Federal Information Security Modernization Act (FISMA). Because of that, the committee members said, they were forced to rely on a smaller amount of data to assign the cybersecurity-related grades on the latest scorecard.
Rep. Gerry Connolly, D-Va., chairman of the House Government Operations Subcommittee and a prime mover in the creation of the FITARA Scorecard, chided the Biden administration for failing to produce timely agency cybersecurity-related data that the committee could use to formulate cybersecurity grades on the latest scorecard.
He identified sources of the cybersecurity data deficit as including the lack of an annual report from OMB on inspector general FISMA assessments, and the administration not publishing cybersecurity cross-agency priority (CAP) goals this year.
“What is new and must be dealt with is the lack of data transparency for agency cybersecurity performance,” Rep. Connolly said. “The administration has only itself to blame for the grades we see in this metric today.” The latest FITARA scorecard shows ten of the 24 agencies receiving a failing grade in the FISMA-driven cybersecurity category.
Rep. Jody Hice, R-Ga., ranking member of the subcommittee, was frank in his criticism of the Biden administration’s failure to deliver agency cybersecurity data that the committee could use to flesh out its grading.
“Obviously, the major issue that stands out is the cyber metric,” he said. “But more importantly to me, what stands out is the Biden administration ignoring the law.”
“Since a cyber grade was included on the FITARA Scorecard, it has included an assessment of agency progress against cyber-related goals set by the administration,” the congressman said. “These were generally part of a larger set of cross-agency priority goals, which are required by law, but the grades for the scorecard here did not reflect any cyber goals from the Biden administration, because they haven’t issued any.” He added, “that’s a mystery to me.”
“From what I can tell, the Biden administration has not issued any CAP goals at all,” he continued. “And while we’re at it, the Biden administration has not delivered the annual cybersecurity report required by FISMA. So when it comes to the most important topic that we’re dealing with here today – cyber – we don’t have much of an idea of what’s going on,” he said. “It’s very, very frustrating.”
Getting the Right Data
Rep. Connolly said today that “the subcommittee looks forward to working with all stakeholders to populate the [cybersecurity] category with more robust data that captures Federal agencies’ cybersecurity posture.”
Carol Harris, director of information technology and cybersecurity at the Government Accountability Office (GAO), said at today’s hearing that GAO is “working with your staff, with OMB, and the agencies to identify data – both public and sensitive – to support a more comprehensive grade” in the cybersecurity category.
“But in the meantime, we need to have clear and measurable CAP goals in place because it’s the law,” Harris said.
A source at OMB told MeriTalk today that the agency is still in the process of determining what data can be published externally to enable public visibility into agency cybersecurity without putting agencies at risk or exposing vulnerabilities. OMB is working on that task along with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Director.
“From day one, the Biden administration has made advancing our nation’s cybersecurity a major priority – including through a landmark executive order the President signed last year and a zero trust strategy that has been lauded by the private sector,” said Isabel Aldunate, a spokeswoman for OMB, in a statement today.
“We’ve already made significant progress transforming the Federal Government’s approach to cybersecurity and addressing long-standing, entrenched challenges – and that critical work is moving full-speed ahead,” she said.
“These grades for Federal agencies are based on an outdated, compliance-oriented approach and no longer reflect the progress agencies have made, which is why we’re working with Congress to recommend an approach that reflects the rapidly evolving nature of the threats that agencies face,” the spokeswoman said.
Rep. Connolly indicated at today’s hearing that the apparent impasse on agency cybersecurity data may not be long-lasting. He said he was “heartened” by a discussion with OMB officials about the issue earlier this week, and pledged that “we will fix the cyber problem.”
The FITARA Scorecard, he said, represents a “snapshot of a moment in time,” and “doesn’t always capture the gray areas.”
“Turning to the future of cyber, this subcommittee eagerly awaits the new and improved data behind the Biden administration’s priority goals detailed on Performance.gov,” Rep. Connolly said. “I, and many others, look forward to hearing from OMB about the administration’s new cyber strategy, which will help agencies remain resilient and adapt in the ever-changing cyber landscape.”