Officials with several leading Federal IT service providers applauded government agency grades on last week’s FITARA Scorecard, but also suggested a range of grading category adjustments for the scorecard to better track where agency performance should be going in the future.
The FITARA scorecard issued twice a year by the House Oversight and Reform Committee grades major Federal agency performance across a variety of IT modernization and related policy categories. The grades published last week – the tenth such scorecard issued by the committee – marked the first time that all 24 agencies received a “passing” grade of “C-“ or higher.
The best way to make sense of the multicolored scorecard – which grades major Federal agency performance across a variety of IT modernization and related policy categories – is to view the FITARA Dashboard.
Good Scores Beg Further Improvements
Officials from top IT service providers surveyed by MeriTalk – Pure Storage, Tanium, Alfresco, Zscaler, Trustwave, Duo at Cisco, Red Hat, and Cisco – gave the overall scores a collective thumbs-up for improvements in light of the pandemic conditions in which they were achieved. But they also pointed to ways that agencies can improve their grades in the future.
“Agencies have reacted quickly to pandemic-related challenges, adapted to the new telework environment, and managed to maintain and improve FITARA scores – this is no small feat at a time when nothing is operating as expected,” said Gary Newgaard, Vice President of Public Sector at Pure Storage.
“The FITARA scores reflect the accelerated progress over these past months and the hard work of the Federal CIOs and their teams as they enabled remote work, while maintaining security and operations,” said Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance at Zscaler.
“We know there have been challenges supporting mass telework across government, and agencies have taken different approaches,” Kovac said. “We will see continued steps in the coming months as agencies evolve cloud and mobile environments, identifying the best ways to keep employees safe and productive while they manage data and applications on mobile devices, in traditional data centers, and from cloud service providers.”
“It has now been almost five years since the first November 2015 FITARA scorecard, and while there has been vast improvements across the board and a positive trend, there is still continued work that needs to be done in order to keep pace with the changing threat landscape,” said Trustwave Government Solutions President Bill Rucker.
He explained, for example, that the CIO authority grading category “is one of the major reasons FITARA was first passed and an area where higher scores would show great progress.” He continued, “This specific category is an area where greater authorities can result in more efficiencies through better strategic planning, which should in turn greatly help improvement of scores in other categories.”
Alan Balutis, Senior Director and Distinguished Fellow at Cisco, and a former Commerce Department CIO, also singled out the importance of the CIO authority to catalyze a wide range of benefits.
Responding to a question about including on the scorecard agency progress on transitioning to GSA’s Enterprise Infrastructure Solutions (EIS) contract for communications services, Balutis said, “EIS is like a nice-to-have, but the tall poles in the tent tend to be the CIO reporting relationship – does the CIO have a reporting relationship to the secretary or deputy secretary, does the CIO have a say in IT budgets, and does the CIO have a say in contracting and acquisition decisions. Without those three things, in my view, all the rest is kind of nice to have and nice to do.”
“It’s good to see SBA and GSA with good scores, but they are relatively small agencies in terms of their IT staff. I’m not sure some of the bigger agencies are making the same kind of progress,” he said. “So clearly, we need to focus some increased attention in places like DHS and VA and some other entities that make up the largest share of the agencies that make up the vast amount of money spent on IT.”
“Scores are trending upwards but there is still a lot of room for improvement in cybersecurity. The results show that many agencies are still not doing the basics well,” said Sean Frazier, Advisory CISO, Federal, Duo Security at Cisco.
“The scorecard remains one of the best ways to keep track of agency progress in implementing numerous IT-related Federal initiatives and we are pleased to see continued progress in areas like software asset management, IT modernization and cybersecurity,” said Mark Bohannon, Vice President of Global Public Policy at Red Hat.
“As Federal IT modernization evolves and needs change, so too should the FITARA Scorecard,” he said. “We are aware of recent discussions that propose to make changes to the existing scorecard, updating metrics to reflect current Federal IT priorities and we encourage the committee to continue down this path.”
Category Wish-List Starts with Cyber
As readily as they offered praise for last week’s agency grades, IT industry officials said they are looking for more improvements in other areas – including grading categories – with cybersecurity high on many wish-lists.
“The 10.0 Scorecard shows the need for continued cyber progress across civilian agencies, with 20 agencies receiving a ‘C,’ ‘D,’ or ‘F’ for cyber,” said Nate Russ, Regional VP of Federal at Tanium.
“Agencies need more real-time visibility and control over potential entry points across IT environments,” he said. “We also have to keep in mind that more than half of successful breaches relate in some way to systems that aren’t patched. Ensuring these types of foundational IT security and operations procedures are in place will reduce cyber risk and help agencies continue to strengthen their cyber posture.”
Pure Storage’s Newgaard suggested a focus in the cybersecurity grading category on the ability of agencies to recover from attacks. “If you consider the prevalence of and repercussions associated with ransomware attacks – there needs to be a focus on establishing robust backup and restore capabilities,” he said.
“Everyone is focused on backing up data – and that is good, it should be of every normal course of action,” he said. “What isn’t as widespread, and where the ransomware comes into play, is how much does it take and how long does it take to restore. If the backup is compromised, you are really toast. Further, many agencies are still running aging data centers and data storage systems that were deployed before the age of ransomware – and moving off of legacy systems is not a simple task.”
Duo’s Frazier suggested breaking down cyber-themed grading categories to shed more light on discrete aspects of the challenge. “We’d like to see cyber subcategories, such as ICAM, threat detection, and phishing protection, among other areas,” he said. “There are many facets of cybersecurity that can impact agencies, and not all are created equal. Some vulnerabilities pose bigger risks than others.”
“There has been a lot of high level of accomplishment in certain areas of the scorecard,” said members of the Public Sector Sales Team at Alfresco. “FITARA needs to be dynamic and be used to continue to push agencies forward by raising transparency and increasing efficiencies. FITARA scoring should guard against complacency.”
Some industry requests for future grading categories were less specific, but still keyed in on improving security and promoting modernization.
“Moving forward, FITARA should look to manage processes, standards, and best practices related to secure information sharing, Federation, and digital transformation. MGT evaluation calculation should be graded with greater nuance because of the security implications of legacy systems; a failure in modernization efforts represents a critical risk to mission achievement for a given agency and national security,” the Alfresco officials said.
“There is always more work to be done to secure modern environments. Emerging technology and advancing cyber threats will continue to add complexity,” Zscaler’s Kovac said.
“I think future changes to the scorecard should evaluate the extent to which agencies have moved to mobile and cloud environments, how securely they enable remote access, and end user satisfaction with the remote environment,” he said. “In addition, future categories should take into account the lessons learned from the pandemic, including a category to address how agencies are enabling a remote workforce going forward, and how prepared agencies are for future emergency response/pandemic planning.”
Also on the cyber front, Trustwave’s Rucker said, “with high visibility breaches and ransomware attacks in the news and continued importance placed on cybersecurity, we must continue to strive for more agencies with scores in the ‘A’ or ‘B’ range. Cybersecurity is an area both the public and private sector should always be working to improve.”
Rucker also said he sees sense in House Oversight’s indication that it will include EIS contract progress in future grades. “EIS seems to line up to FITARA objectives, so it’s not a bad thing to add into the scorecard,” he said. “A couple key objectives of EIS include simplification of the process to acquire telecom and IT products and services, as well as providing cost savings through aggregated volume buying (as the government) and price and spend visibility. The aspect of being able to see how the government is embracing third-party managed security services will also be important given the cyber workforce shortage.”
More generally, Rucker suggested a measure on the scorecard to gauge agency use of contractors. “For years, CIOs have said it’s difficult to get the resources to fully implement FITARA provisions in a way needed across the board. One way agencies can fill the gap and address issues with hiring qualified permanent employees is to obtain long-term contracted staff augmentation resources,” he said.
“While contracted staff cannot make specific government decisions, they are often given the same work as non-manager technical staff. Having a component on the scorecard which rates every six months the ratio of budget spent on staff augmentation contractors to government staff employees will provide a good picture of what the dependency on contractors is. It might also highlight some of the funding issues which agencies face and show some of the challenges associated with hiring and onboarding qualified personnel,” he said.
“We continue to believe that the FITARA scorecard is an important driver of Federal cloud adoption, including incentivizing agencies to use open hybrid cloud architectures that enable mobility and flexibility of workloads, moving to cloud where appropriate, with the portability necessary to move workloads and data in the future as needs evolve,” Red Hat’s Bohannon said. “We encourage the committee to leverage the scorecard to keep this issue on the front burner.”
Goodbye MEGABYTE?
The House Government Operations Subcommittee – the House Oversight panel that acts as the driving force behind the FITARA Scorecard – dropped heavy hints that it plans to sunset the MEGABYTE grading category, which required the Office of Management and Budget to issue a directive to every executive agency CIO to establish a comprehensive and regularly updated inventory of software licenses, and to analyze software usage to make cost-effective decisions. In the latest scorecard, 23 of 24 agencies notched an “A” grade in the category.
“The sunsetting of MEGABYTE illustrates the power of FITARA,” the Alfresco officials said. “From nearly every agency scoring an ‘F’ in 2017 to near-total ‘A’ grade achievement in July 2020, hundreds of millions of dollars have been saved by applying better management of software licenses. It’s clear that throughout seven evaluation licenses, stewardship is now a culturally important data point. What’s measured is achieved.”
But they don’t necessarily want the subject forgotten. “The sunsetting may show that agencies have this under control but it’s a really important factor. Agencies are constantly buying software for different use cases and needs that arise (COVID being a prime example) and need to make sure they are tracking usage and not spending money wastefully,” they said.
“With software licensing being a material number in any agency IT budget, it would be nice to see MEGABYTE stay around a while longer,” Trustwave’s Rucker said. “One could argue that seeing most agencies with a solid A rating is out of place with how grades in all of the other components are evaluated. MEGABYTE reporting might do better by making the grading criteria stricter so more value is obtained. The current solid line of ‘A’ grades brings to question how well everyone is actually doing in that area.”
Count in Duo’s Frazier as a continuing fan of the MEGABYTE grading category. “Software license tracking and transparency will remain vital. Software continues to evolve, with the need to be replaced or updated,” he said.