A record number of federal agencies and their chief information officers are getting top marks on how they manage IT and cybersecurity.

A total of 13 agencies received an overall A letter grades on a semiannual Federal IT Acquisition Reform Act (FITARA) scorecard.

Another 10 agencies got a B grade for their overall IT and cybersecurity management. Only one agency, the Energy Department, received a C grade. No agencies received a D or an F.

Agencies generally saw lower scores in the previous FITARA scorecard released in February.

Agencies so far, have achieved $31.4 billion in cost saving and cost avoidance under FITARA.

Gerry Connolly (D-Va.), one of FITARA’s authors, and ranking member of the House Oversight and Accountability Committee’s subcommittee on cybersecurity, IT and government innovation,  applauded agencies’ progress at a roundtable event on Capitol Hill Friday.

“These improvements show continued proof of the scorecard’s effectiveness, and highlights that there is now a clear imperative and opportunities for categories and grading methodologies to evolve, to better shine a light on agencies’ potential areas for improvement,” Connolly said.

Carol Harris, a director of GAO’s IT and cybersecurity team, said the “historic” results from the latest scorecard stem from major improvements in two categories — CIO investment evaluation and cloud computing.

“The scorecard continues to be a very highly effective tool for driving behaviors by the agencies,” Harris said.

The CIO investment evaluation score tracks the percentage of major IT investments that are evaluated by the CIO within the last two years.

“Through FITARA, I feel I not only have a seat at the table, but more importantly, I have a voice at the table,” Jason Gray, CIO at the U.S. Agency for International Development, said during the roundtable.

In total, 23 agencies received an A grade in this category — nine more than in the previous FITARA scorecard.

Harris attributed the significantly higher scores to agencies providing more current data.

“That big improvement in the CIO evaluation goal is directly attributed to it being on the scorecard,” Harris said. “CIOs had not been paying much attention to it prior to that.”

FITARA’s cloud score tracks whether agencies adopted the five key cloud procurement requirements, as outlined in the Office of Management and Budget’s Cloud Smart Policy.

A total of eight agencies received an A grade on their cloud scores — seven more than the last scorecard.

Harris said agencies are also showing “steady progress” in the cyber category and another score that reflects agencies’ transition from Networx, a legacy governmentwide telecommunications contract to the current Enterprise Infrastructure Services (EIS) contract.

Of the 11 agencies that have not fully transitioned off Networx, the Commerce and Energy Departments have provided transition plans.

Energy Department CIO Anne Dunkin said the department is 94% complete in its transition to EIS, and expects to complete the transition by the end of December

“FITARA has certainly given CIOs more insight into what’s going on in their departments. I think it’s probably been more successful in any of the previous efforts in changing the conversation,” Dunkin said.

‘OMB is focused on other things’

GAO, however, is raising concerns about the Office of Management and Budget’s oversight of federal IT.

Kevin Walsh, director of GAO’s IT and cybersecurity team, said OMB is partially meeting four of its requirements for portfolio review under FITARA.

But OMB, he added, isn’t meeting a fifth requirement under the legislation for the federal CIO to be involved with each agency’s IT portfolio reviews.

OMB told GAO that to deal with resource and staffing constraints, it sends other OMB officials to meet with agencies.

“However, that is not what FITARA calls for,” Walsh said.

Most agencies’ portfolio reviews, Walsh added, did not include their chief operating officer or deputy secretary, falling short of another FITARA requirement.

“It is hard to make meaningful decisions without senior leaders present,” Walsh said, adding that a lack of senior leadership involvement could explain why agencies’ cost savings under FITARA have plateaued.

Walsh added that OMB also isn’t fulfilling its three requirements for high-risk investment reviews under FITARA.

Of the 17 high-risk IT investments that should have been reviewed within the past three years, nine were reviewed to some degree, but none of those reviews fully met FITARA’s requirements.

Walsh said agencies spent $300 billion on these high-risk projects in fiscal 2023.

OMB told GAO auditors it’s focusing its attention its highest priorities areas, such as cybersecurity.

“OMB is focused on other things. However, discounting these responsibilities is not an option,” Walsh said.

Working capital fund hurdles

Despite the improved FITARA scores, agencies are still running into problems setting up working capital funds.

The 2017 Modernizing Government Technology Act (MGT) Act allowed agencies to set up these revolving funds. However, Connolly said agency leaders are still telling their CIOs that they’re not able to set up working capital funds.

The Department of Veterans Affairs got a D grade for its MGT Act score, but Kurt DelBene, VA’s assistant secretary for information and technology, and the department’s CIO, said the VA has a franchise fund that serves the basic function of a working capital fund.

“If you all called it a working capital fund, I think that would be fine. Sometimes, this very strict definition can kind of bite us in a way we don’t intend,” DelBene said.

Dunkin said the Energy Department is also continuing to work towards establishing an IT working capital fund.

Connolly said future FITARA scorecards will take a closer look at whether agencies are achieving the goals of working capital funds under through different means.

“Sometimes we can get very bureaucratic and very technical on the literal meaning of the law, when what we’re really trying to get at is measuring something that’s underlying, that’s far more fundamental,” Connolly said.

What’s next for FITARA scorecard

In terms of what may change under the FITARA scorecard, Connolly said he’s looking at reforms to FedRAMP, a governmentwide compliance program for cloud service providers to offer their products to agencies.

“We have a lot of companies that are in limbo. We have a lot of companies that have spent years trying to get certified and that’s frankly, our fault as a government. That’s not their fault. We have some equity issues,” Connolly said.

Connolly said future versions of the scorecard may look at how agencies are recruiting, training and retaining the federal AI workforce.

“Where do we get the workforce in the federal government to make sure we’re managing AI and we understand how to regulate and everything else. And I think that may be a good place for us to start.”

The White House announced in July that agencies have made over 200 hires AI to date through a governmentwide AI “talent surge.” The Biden administration expects to hire at least 500 AI experts into government by the end of fiscal 2025.

Copyright
© 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.