The chairman and ranking member of the House Oversight and Reform Subcommittee on Government Reform delivered a clear to-do list on Thursday to Federal CIOs: pursue further data center consolidation, tighten the reporting lines between CIOs and agency heads, and craft better roadmaps for IT modernization.
At the subcommittee’s hearing on its FITARA 8.0 Scorecard, Chairman Gerry Connolly, D-Va., and ranking member Mark Meadows, R-N.C., aired their concerns over the Office of Management and Budget’s (OMB’s) Data Center Optimization Initiative (DCOI) policy, but also issued broad pointers for CIOs to improve their agency FITARA grades.
Connolly also referred to results from recent MeriTalk research finding that most Federal IT leaders see FITARA as helping to improve the efficiency of government IT, but that only 23 percent give the law an “A” grade.
Consolidation and Modernization
“The big thing for me and the chairman is data centers and making sure those are consolidated,” said Rep. Meadows.
On the larger issue of IT modernization, Meadows offered less specific recommendations but asked agency CIOs to come back to the subcommittee with more defined roadmaps for action at the next FITARA Scorecard hearing, which presumably will be held in December.
He said the Federal government’s continued spending on legacy systems was “mind-boggling,” adding, “I am amazed at how archaic our IT is.”
“For action items, if you would get back to this committee with what is your plan for getting rid of legacy systems and what is the cost of doing it,” he said. “I realize there are logistical problems” with modernization, “but I need a plan,” Meadows said.
“The only frustration you will find by the next FITARA hearing is if there is not a plan, you are going to hear about it,” the congressman said.
New to the latest version of the FITARA Scorecard are grades for cybersecurity that count toward overall agency FITARA scores.
Speaking to the larger themes of modernization and cybersecurity – especially for agencies that deal with a lot of citizen information – Connolly said systems that can’t handle encrypted data need to be replaced. “That’s a nudge” to agency CIOs, the congressman said.
Addressing a witness panel that included the CIOs of the Agriculture Department, Education Department, and Treasury Department, Connolly said, “All of you have a lot of data … You being up to snuff on cybersecurity is very important to the American people.”
On the security front, USDA CIO Gary Washington said the agency has made strides over the past three months to move away from some legacy systems, to employ “entirely new equipment” in some areas, and to use common tools for network configuration and patching. “We are currently stabilizing, but in the next two months I absolutely expect our [cybersecurity] scores to improve,” he said.
Eric Olson, CIO at the Treasury Department, said his agency is trying to lift its cybersecurity score by focusing on its highest-value assets, and by “bringing strong encryption to high-value assets.” He added, “We understand the ask, we will figure it out.”
CIO Reporting Authorities
Carol Harris, director of IT Management Issues at the Government Accountability Office (GAO), told the subcommittee that if both USDA and Treasury had CIOs who reported to the heads of the agencies, both would have gotten a “B” grade on their FITARA scorecard, versus the “C-” grades they received.
Both CIO Washington and CIO Olson argued they had good access to top agency management, but Rep. Connolly told them that’s not good enough. While the Education Department has a reporting structure that provides “clear” access to top leadership, “senior leadership support may not be as clear” at Treasury and USDA, the congressman said.
“The model here is that the CIO has to report to the boss,” Rep. Connolly said. When Washington said he has “all the access that I need” to leadership, the congressman replied, “That’s good but that could be personal … It diminishes you or your successor’s power if it’s not official.”
CIOs See Progress Continuing
Washington said USDA has made progress in maturing its strategy on FITARA, which has boosted the agency’s scorecard grade up a full point over the past year. The agency’s IT modernization victories have included reducing the number of agency CIO positions, speeding the adoption of cloud services, and saving $42 million from data center closures.
“We have a lot further to go, but have seen the positive impact that FITARA has had on our department,” Washington said. He said the agency is aiming to boost USDA’s score to as high as “B+” over the next year.
Education Department CIO Jason Gray, whose agency sits with several others in the top grade category of “B+,” said the Education Department is working hard to boost its “C” cybersecurity grade. He said the agency has developed its own cyber risk scorecard and “improved our focus and alignment” on security in order to prioritize and mitigate risks, leading to a 72 percent reduction in system vulnerabilities.
On the modernization front, Gray said the agency has developed a five-year plan and a strategic roadmap that includes leveraging cloud infrastructure, trimming the number of cloud service providers to the agency, and reducing cybersecurity risks. He also said the agency is working with OMB to create a working capital fund to support modernization efforts.
Olson, whose agency boosted its FITARA grade by one full letter grade, to C-, said Treasury did well in some areas including portfolio review (A grade) and DCOI (B grade), but added, “we recognize there is room for improvement” in other FITARA areas.