Grading the FITARA scorecard

What's next for the FITARA scorecard?

Federal officials, lawmakers and industry stakeholders called for improved metrics to grade compliance under the law after the release of the 13th biannual scorecard earlier this year. 

From building out new categorizations focusing on legacy information technology and the cyber supply chain, to addressing legislative barriers and other roadblocks which prevent the Office of Management and Budget (OMB) from collecting comprehensive data on agency IT efforts, a wide-range of experts have consistently suggested similar recommendations to more accurately reflect progress in key areas.

Some of those calls have been echoed for years to the House Government Operations Subcommittee, which has been tasked with compiling the scorecard since its inception in 2015, while working with the Government Accountability Office to continuously provide updates on its grading methodologies and categories. 

CIO authorities

FITARA was intended to empower agency chief information officers by giving them a  say in budget development and having them report directly to an agency secretary or deputy secretary. Lawmakers have said the reporting structure allows CIOs to embed themselves into an executive team as a key player, while keeping the agency informed on constantly-evolving changes to the federal IT landscape.

But many agencies have not met the requirements of CIO authority and one key question for oversight officials is how to use the scorecard as a lever to enforce compliance. 

Carol Harris, director of information technology and acquisition management issues at GAO, suggested in an interview with FCW that the next scorecard should lower an agency's score by an entire letter grade if they do not have the correct CIO reporting structure, rather than a half-letter grade as it is currently assessed. 

"Where we see this persistent lack of change is because of a culture in the agency. Agencies are used to doing it a certain way, and that plays a very large part," she said. 

Rich Beutel, who led the drafting of FITARA as a senior staffer on the House Oversight Committee, said that "in my view agencies are just being parochial and digging in their heels, not wanting to change," he said. "I just think it's agency reticent, and it needs to change. They need that line of sight for authority."

Dave Powner, who used to lead IT oversight at GAO and is now executive director for data driven policy at MITRE, said the scorecard has "gotten a little stale." He'd like to see improved metrics around cyber initiatives like supply chain risk management and developing zero trust architectures. 

Powner suggested the current moment called for significant changes to be made to the next scorecard, and said the data center category should "morph into some type of cloud adoption" subcategory to continue incentivizing improvements on network modernization. But he also added that some issues are a "no brainer" for agencies to have already implemented, including establishing the federally-required CIO reporting structures.

Data center consolidation is one area where the FITARA scorecard has helped drive the change intended by the law. In the latest scorecard, every participating agency  scored an "A" on the data center consolidation and optimization category this year. Since the law was enacted in 2014, agencies have reported closing an estimated 6,800 data centers nationwide while saving a potential $6.6 billion in costs.

Rep. Gerry Connolly (D-Va.), chairman of the Subcommittee on Government Operations and an original co-sponsor of the FITARA legislation, said in January the 14th scorecard will retire the category later this year.

In a statement to FCW, Connolly described the FITARA scorecard as "an iterative and collaborative accountability tool" and added: "The scorecard is one of the longest sustained congressional oversight efforts in recent memory."

"It has continually evolved throughout the 13 scorecards – adding and removing categories responsive to changing federal IT priorities, improving metrics based on agency feedback, and highlighting urgent areas of concern," Connolly said. "In addition to getting input and feedback, we will ensure we are basing our scores on publicly available data consistent across all the agencies to use as the metrics."

Improving data collection

Richard Spires, who served as CIO of the Department of Homeland Security and the IRS, told FCW that grading is still exclusively "based on available public data that is reported by the agencies."

Spires has called for collaboration between the executive branch, Congress and GAO to change or add new reporting requirements which further enhance the scorecard. In testimony to the House Oversight Committee, he suggested convening an advisory group to develop recommendations over a three-to-six month period that would include a plan for implementing changes to agency data collection in order to enable more accurate grading processes.

For now, some experts have called for expanded self-reporting from agencies to begin assessing new categories like IT planning, legacy modernization, budgeting and the workforce, as Congress debates changes to how OMB and others can collect enterprise-wide data on things like service delivery and customer experience. 

Harris said the most important next step was obtaining that data from agencies as efficiently as possible to continue making progress on the implementation of the law.

"The last thing we want to do is make perfect the enemy of good," she said, "so we want to figure things out and make changes where necessary."