The Federal Information Technology Acquisition Reform Act (FITARA), passed by Congress in December 2014, represented the first major legislative overhaul of Federal IT in nearly 20 years. Since November 2015, the Government Accountability Office (GAO) has released two scorecards a year grading agencies’ performance under the law. Suffice it to say, agencies haven’t always been making the GAO’s Honor Roll, with plenty of Cs and Ds to go around. However, many agencies have made significant improvements over the last 3 years.
With Scorecard 6.0 released last week, MeriTalk thought it was time to take a look back at the evolution of the FITARA Scorecard and see how agencies have improved over the last 3 years.
The House Oversight and Government Reform (OGR) Committee held its first FITARA Scorecard hearing on Nov. 4, 2015. OGR Committee members heralded the scorecard and hearing as an important step for Federal IT.
“For decades the Federal government has operated with poorly managed and outdated IT infrastructure,” the committee members said in a statement. “FITARA empowers agency CIO’s with specific authorities that enhance their role and responsibility for the management of IT. FITARA provides a set of tools and guidelines, that when implemented properly, allows agencies to better manage and secure IT systems and acquisitions.”
In terms of grades, things weren’t looking so good for Federal agencies. For the first scorecard, agencies were graded on four categories–Data Center Consolidation, IT Portfolio Review Savings, Incremental Development, and Risk Assessment Transparency. Seventeen agencies received an F or a D for their overall grade, with only the Department of Commerce and GSA earning B’s. In terms of the toughest category, 16 agencies got an F for IT Portfolio Review Savings. When it came to Risk Assessment Transparency, five agencies were able to impress the GAO and score an A.
Agencies had a lot more to be proud of when 2.0 came out in May 2016, as F’s were replaced with C’s, B’s, and even A’s. Though agencies still struggled with IT Portfolio Review Savings, six agencies–Nuclear Regulatory Commission (NRC), Treasury, Energy, Energy, Defense, and Agriculture–were able to pull up failing F’s to passing grades, with NRC going from an F to a B in only six months. Under the previous scorecard, 16 agencies scored a D as their overall grade. With the release of 2.0, the majority of agencies now scored a C or better.
With the release of Scorecard 3.0 came a few changes and additions to the scorecard format. The Incremental Development category was renamed Agency CIO Authority Enhancements. The category requires agency CIOs themselves to certify that IT investments are implementing incremental development. Scorecard 3.0 also added a new category that measured whether the agency CIO reports to the agency Secretary or Deputy Secretary—this category didn’t receive a grade, just a check or minus. Additionally, Risk Assessment Transparency was updated to Transparency and Risk Management.
Once again, agencies showed marked improvement over the previous scorecard. Twelve agencies improved their overall grades, with only one agency–Transportation–reporting a failing grade. Additionally, the number of A’s in the individual categories shot up dramatically. Under the first scorecard, 14 total A’s were given out, and 15 under the second scorecard. However, agencies earned 23 A’s under Scorecard 3.0–with the Department of Commerce racking up A’s in three categories. As for who CIOs were reporting to, the results were split evenly–12 agencies with CIOs reporting to the Secretary or Deputy Secretary, and 12 agencies with CIOs reporting to someone else.
In June of last year, OGR met to discuss the fourth scorecard. Once again, the scorecard underwent some changes. OGR piloted a new category on software licensing inventories, which would measure whether agencies had an accurate inventory of their software licenses. Additionally, the scorecard now includes whether agency CIOs are acting or permanent. Data Center Consolidation also received a name change to Data Center Optimization Initiative (DCOI), to coincide with the new Office of Management and Budget policy on data centers.
While some agencies saw their grades improve, a handful had grades slip. “From Scorecard 3.0 to Scorecard 4.0, four agencies’ grades improved, 15 agencies’ grades stayed the same, and five agencies’ grades have declined,” said Rep. Will Hurd, R-Texas, during his opening statement at an OGR hearing where the scores were released. Most notable was the Department of Defense (DoD), which received a failing grade–going from D+ to F+.
On the positive side, Scorecard 4.0 saw its first overall A, with the United States Agency for International Development (USAID) receiving an A+.
Disappointingly, for OGR, the majority of agencies scored an F on the new Software Licensing category, with only the Environmental Protection Agency and USAID earning A’s.
Shortly before Thanksgiving of last year, OGR met to discuss the fifth FITARA scorecard and quite a few agencies had something to be thankful for. Under Scorecard 5.0, the Software Licensing category went from pilot to permanent status. At the hearing to announce scores, Rep. Hurd expressed his hope for the continued evolution of the scorecard.
“Ultimately, I’d like to see the scorecard evolve beyond FITARA implementation, to more of a digital hygiene score for agencies,” he said.
In terms of improvements, three agencies–Education, Office of Personnel Management, and the Small Business Administration–saw their scores go up. Additionally, the majority of agencies earned A’s for Agency CIO Authority Enhancements–up from nine in the previous scorecard. Agencies also got a better handle on their software licenses, with six agencies receiving A’s–up from two in the previous scorecard. However, the majority of agencies–17–still earned failing grades in that category. The number of agencies receiving failing grades for DCOI also shrank from 10 to seven.
The most recent scorecard, released earlier this month, saw the introduction of two new categories. The first measures how well agencies are fulfilling the recently enacted Modernizing Government Technology Act. The second new category–dubbed Cyber–focuses on cybersecurity and will grade agencies on their progress in improving their information security programs. As with the other scorecards, results were mixed. Five agencies–Energy, HHS, Housing and Urban Development, Labor, Transportation, and the National Science Foundation–saw their scores improve. However, 11 agencies slipped in the grade book.
For the first time since the scorecard started tracking it, there was some movement on who CIOs reported to–15 CIOs now report to either the Secretary or Deputy Secretary of their agency, up from 12 in previous iterations of the scorecard. Software Licensing was another bright spot on the report, with 10 agencies now reporting passing grades–up from seven in Scorecard 5.0. However, most agencies struggled in the new cybersecurity category, with 18 agencies receiving F’s or D’s and no agencies receiving an A or B.
Once again, the DoD landed in the hot seat as the only agency to report an overall failing grade.
“On a bipartisan basis, we are concerned about DoD’s scoring,” said Rep. Gerry Connolly, D-Va., at the hearing. “It’s the only agency to receive an overall grade of F. It’s the third scorecard in which you’ve received an F.”
Dave Powner, director of IT management issues at GAO, tried to offer an explanation for DoD’s lower scores.
“The facts are, of FITARA’s seven major sections, two fully apply to DoD, one doesn’t, and the other four partially do,” said Powner, who has attended every FITARA scorecard hearing.
However, committee members didn’t necessarily agree with Powner’s assessment.
“DoD is not that different,” said Rep. Greg Gianforte, R-Mont. “Being different is not an excuse for not following the rules.”
At the hearing, both the DoD and the Department of Agriculture, which saw its grade slip from C- to D-, said that comprehensive overhaul plans aimed at improving their FITARA performance were already underway. It’ll be six months before OGR has a chance to see whether those overhaul plans are effective.
Looking back over the last six scorecards, it’s obvious that OGR and GAO view the scorecard as a living, breathing tool that needs to evolve and adapt to a changing IT landscape. While agencies are by no means making the Dean’s List, there is marked improvement that’s coupled with Congress holding lagging agencies to account. With the most recent changes in mind, it seems as though Hurd is getting his wish to see the scorecard evolve beyond a FITARA implementation tool into a holistic cyber hygiene score. It’ll be interesting to see what changes Scorecard 7.0 brings.