Is the FITARA Scorecard – the semi-annual congressional exercise that aims to hasten Federal agency IT modernization – now ready for a set of fresh objectives and renewed focus on leading-edge indicators of IT health in government?
The consensus– from all corners of the debate in Congress, among government IT leaders, and by leading private sector voices – is a resounding yes.
The broad aim of such an effort would be to make the scorecard a better measuring tool for agency progress on some of the fresher Federal policy priorities – like improving cybersecurity, moving ahead on the Biden administration’s cybersecurity and zero trust orders, tackling requirements to improve citizen service, and compliance with looming updates to the Federal Information Security Management Act (FISMA).
While the spirit in Washington seems more willing than ever to push the FITARA Scorecard into its next big chapter, the trick will be not only forging consensus to change the current process, but also figuring out mechanisms to generate the Federal agency data needed to make any new scoring systems meaningful.
FITARA 13 Thumbnails
Scores trended modestly higher for the 24 CFO Act Federal agencies whose IT progress is measured by the FITARA Scorecard, which is compiled every six months by the House Oversight and Reform Committee with input from the Government Accountability Office (GAO).
On the latest scorecard, seven agencies earned higher overall scores, four saw their grades decline, and 13 remained steady with gradings from the previous scorecard issued in July 2021. No agency received a failing overall grade – 22 of them got marks in the “B” and “C” range.
Only two agencies – the National Science Foundation (NSF) and the U.S. Agency for International Development (USAID) – won the top grade of “A” for their performance.
Helping to shape the scoring trends were higher marks for some agencies for their work on shrinking data center footprints under the Data Center Optimization Initiative (DCOI), and lower grades for agencies that are not proceeding quickly enough on transitioning their communications contracts to the General Services Administration’s Enterprise Infrastructure Solutions (EIS) contract.
As always, the easiest way to make sense of the House Oversight and Reform Committee’s multicolored scorecard is to view the results on MeriTalk’s FITARA Dashboard.
Even before the House Government Operations Subcommittee held its Jan. 20 hearing to discuss the FITARA 13 scorecard results and grill agency CIOs on performance issues, the biggest topic on the table was how to update the scorecard to make it a more relevant yardstick for pressing IT issues that agencies face today.
In announcing the hearing, the subcommittee said that a “variety of factors, including methodology, data availability, agency motivation, and the cycle of the scorecard, have resulted in stalling grades.” Given that degree of “stagnation,” the subcommittee said it planned “to update the methodology behind the Scorecard to ensure it accurately reflects the agency progress.”
One of the eight grading categories on the latest edition of the scorecard – how well the 24 CFO Act agencies are doing with cutting their data center footprints by implementing the DCOI policy – is already being dropped for the next scorecard. After each of the 24 agencies earned an “A” grade in that category, the subcommittee declared an oversight victory on that front, and claimed several billion dollars of taxpayer savings as a result.
That leaves seven categories in play – EIS progress; CIO authority enhancements; transparency and risk management; portfolio review; setting up IT working capital funds under the Modernizing Government Technology Act; CIO reporting lines; and cybersecurity – as ripe for consolidation, updating, or the addition of something entirely new.
Perhaps the most important factor driving eventual scorecard changes is the clear bipartisan support for that process.
While the scorecard is issued by the House Oversight and Reform Committee, the driving force behind the effort is the leadership of the Government Operations subcommittee, and at the panel’s Jan. 20 hearing, both Chairman Gerry Connolly, D-Va., and ranking member Jody Hice, R-Ga., were in lockstep on the idea of scorecard evolution.
“The scorecard needs to evolve to reflect the changing nature of IT services and to guarantee we are accurately assessing the modernization and IT management practices of federal agencies,” Rep. Connolly said. “The subcommittee is at an inflection point, and the time is ripe to modernize this oversight tool.”
“I think it’s a fair question as to whether indeed we’ve reached a point of diminishing returns,” with the current scorecard categories and structure,” Rep. Hice said. “We need to legitimately consider where do we go from here,” he said. “Beyond the current scorecard, I believe it’s time to take a hard look at how FITARA can evolve from this point.”
“The goal here is to incentivize progress, not to get a gold star on our foreheads,” Rep. Connolly said.
All Eyes on Cyber
Of the seven scorecard categories that remain in place currently, none are drawing interest as closely as the cybersecurity category – and how to make it reflect Federal agency security postures more accurately.
Dave Powner, a former IT and Cybersecurity Director at GAO who is now executive director of MITRE Corp.’s Center for Data-Driven Policy, talked at the Jan. 20 hearing about limitations of the data that now helps determine the FITARA grade for cybersecurity.
Instead of those current sources, he proposed using metrics that tie into the Biden administration’s cybersecurity executive order – including those related to zero trust security migration – along with supply chain risk management best practices. He also suggested making those metrics consistent with current efforts in Congress to update the FISMA statute that sets the rules for how agencies undertake security operations.
“Security is absolutely one of the top areas for oversight … and we need to keep that as our priority,” Rep. Hice said. The congressman also pointed to ongoing congressional debate over FISMA reform, and taking that into account said, “We should re-examine the scorecard metrics and think how cyber assessments can better serve our purposes.”
Carol Harris, the current director of IT and cybersecurity at GAO, was among several hearing witnesses to second the idea of cybersecurity category changes. She suggested expanding the category “to better address the ongoing and emerging challenges facing our nation, including mitigating global supply chain risks, and improving the implementation of government-wide cybersecurity initiatives.”
Modernization Ideas Abound
Outside of the narrow cybersecurity arena, subcommittee members and witnesses at the Jan. 20 hearing offered up numerous suggestions for new FITARA scorecard categories or tweaks to existing ones, with many of them pointing to the same theme: tracking the progress of IT modernization.
Most of those ideas – which also feed into goals of improved security – encountered little in the way of philosophical objections from subcommittee members. But the debate did touch on limitations to what changes may be more practical, given the current availability of data on which to base any new scorekeeping.
Powner tossed out a range of modernization-related ideas, including ways to measure how agencies retire legacy systems, track how they line up acquisitions of newer and more modern systems, budget for IT systems using Technology Business Management (TBM) principles, and produce data on rates of Federal agency adoption of cloud services.
Suzette Kent, the Federal CIO from 2018 to 2020 and now head of her own consulting firm, seconded the recommendations for modernization related FITARA scoring categories, and suggested a focus on the all-important funding aspects of IT upgrades.
She stated that IT modernization is a continuous process that “demands changes to some of the rigid funding and procurement processes to better align with multi-year initiatives, and best practices for modern technologies – the types of things that you’ve embedded into the goals for working capital.”
She also suggested a new focus on scoring agencies for progress in improving customer service. Noting that mobile digital technology is increasingly the dominant means of communication, Kent suggested using metrics that “highlight our progress towards digital and mobile-native platforms” and “quality customer experiences … on par with what citizens experience in every other industry.”
Both Powner and Kent delivered strong pitches for a FITARA scoring category to measure agency progress on dealing with IT workforce shortages and reskilling needs.
“Workforce performance should be included because as we’re evolving the technology ecosystem, we cannot under-invest in our Federal workforce,” Kent said. “Having transparency on workforce gaps would be helpful because it is a critical success factor, and some agencies may need to make additional investments to attract and retain this talent in a very competitive environment,” said Powner.
Private-sector providers of modern IT technologies to the Federal government, who watch the FITARA Scorecard closely for progress from their customers, are offering their own ideas about how the grading exercise should evolve.
“The FITARA scoring areas need to be reviewed periodically to ensure that metrics are meaningful for the future,” Jeff Chancellor, principal systems engineer at Software AG, said.
“One area I have long wanted to see measured is ‘Organizational Readiness for Change,’” he said. “In particular, metrics should be captured on the people aspects of embracing/adopting change. This has an impact on training, and on people’s ability to shift to new roles.”
“If data is a driving force for change, then it makes sense to track data accuracy and completeness,” Chancellor said. “This data is either manually managed by people, but also automatically generated by discovery tools. Completeness can be measured by asset owners’ performance to keep data fresh against measurable and meaningful criteria.”
Commenting on the most recent FITARA Scorecard results, Chancellor said the data “shows that the measurement area of Portfolio Review has steadily improved since it started being tracked in 2018.”
“One can surmise that improvements are based, in large,on modern data-driven Enterprise Architecture Management and Portfolio Management solutions,” he said, adding, “Learn the techniques used by our FedRAMP customers that are making a difference in their FITARA scores.”
If Not Now, When?
Close followers of the FITARA process – and especially the last few semi-annual scorecards and associated congressional hearings – know that the current calls for scorecard category changes are not simply an episode of déjà vu. Sentiment for those kinds of changes, especially in the cybersecurity category, has been debated for at least the past year, if not longer.
The nitty-gritty details of the scorecard process – and how they change in the future – remain the province of the House Government Operations Subcommittee leadership. What’s different this time around with the Jan. 20 hearing is the frank admission by subcommittee leadership that the process has become stale. That’s the loudest indication that changes are coming.
The question remains: how soon?
Powner, who in his previous role at GAO was once one of the very few people in the room when FITARA grades were hashed out on several previous scorecards, lent his considerable handicapping experience to MeriTalk following the Jan. 20 hearing on the possible timing of scorecard changes, and which category changes might happen first.
On the timing question, he predicted it more likely than not that the 14th edition of the FITARA scorecard, expected in July of this year, will feature some meaningful category changes. “I think there’s serious sentiment for this, and you’re going to see changes,” he said.
“I think it will be a start,” he said, adding, “it’s not going to be all of the five categories that we recommended … because it’s driven by data, but I see a start to see significant changes.”
When asked which categories are most likely to change in the near term, Powner predicts the cybersecurity category will get a new look the soonest.
“I think cyber will be number one because I think there’s so much attention right now with the cybersecurity executive order and with zero trust, and I know there’s some good work going on at the Office of Management and Budget (OMB) to look at a more robust set of metrics,” he said. “I would expect cyber to be changing soon.”
Queried about his preference for a second category change, Powner said he wants to see the scorecard tackle IT workforce issues.
“I would really like to see the workforce addressed,” he said. “I’m not as confident that that’s going to be as quick as the cyber changes. But again, I think there’s a lot of focus on building up the workforce” in Federal policy efforts including the President’s Management Agenda. “So let’s get the right measures in place and track it.”