The Government Accountability Office releases an information technology report card twice each year, grading 24 agencies designated under the Chief Financial Officers Act of 1990 on their adherence to IT best practices. Now awaiting its sixth iteration, the Federal Information Technology Acquisition Reform Act, or FITARA, scorecard has become the defining evaluation of agency commitment to IT modernization. It has also evolved to include other legislation in its evaluations, such as the Modernizing Government Technology (MGT) Act and the Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act.
Federal Times sat down with GAO’s resident IT expert, Director of IT Management Issues Dave Powner, to find out what to expect for the upcoming scorecard (to be released in May or June 2018).
As we are approaching the sixth FITARA scorecard, what kinds of trends or changes have you seen play out in agencies?
In terms of trends, we have seen major improvement over the five scorecards to date. And the important thing to say, too, is these things are not going to be fixed overnight. We have some cultures and bureaucracies at agencies that are very ingrained and difficult to change, and that is part of the reason why we do not have the appropriate [chief information officer] authorities in place. So, some of this is going to take time.
As an example, from November 2015 to April 2018 we have seen the percent of software development projects using an incremental approach go from 58 to 76 percent. So, that is pretty good, if we are planning three-quarters of our projects to use incremental development.
When you look at the risk on the dashboard: when we first started doing this only about less than a quarter, 23 to 24 percent of the projects, were listed as yellow or red [which correspond with D and F grades]. Now, we have about 55 to 60 listed as yellow or red. Why is that important? It is not that it is getting worse, it is that we are acknowledging risk so that we can better manage these acquisitions.
From a savings point of view, we have seen the data center savings go from $1 billion to about $3 billion, roughly. So, those are real results, when you start talking about billions of dollars [saved], [centers] going small, [and] better transparency.
When we first started doing the MEGABYTE calculation, only three agencies of the 24 had a complete software license inventory. The last scorecard was up to seven … so we are making progress there.
What can you say about the inclusion of MGT-authorized working capital funds on the scorecard?
I do think you are going to find some type of score or insights into whether agencies are establishing those working capital funds and there is clear accountability for them. Or what the committee has done over time when they introduce new areas to score is sometimes they preview it.
I do think Chairman Hurd [R-Texas] has been very clear that this is going to expand beyond FITARA to a digital hygiene scorecard. For instance, if you look at cybersecurity, there are [Federal Information Security Management Act] reports out there that could be scored.
How do you expect cybersecurity to be incorporated into the scorecard?
It’s up to the committee. How this really works is the committee determines the major areas that they want to focus on. Obviously, what is on the scorecard now are major provisions in FITARA, and you could also argue that many of these things were part of OMB policy before they became FITARA.
There are several ideas that are being kicked around by the committee right now that are very good, that will provide this digital hygiene and cyber hygiene going forward. If you look at what is going on with the current administration modernization strategy — you know, the No. 1 [cross-agency priority] goal in the President’s Management Agenda is modernizing IT — this whole idea of modernizing IT and solving cybersecurity or bolstering cybersecurity is very important going forward.
Would you say that the threat of congressional oversight being able to look directly at scores has been enough to motivate agencies to do more?
I think the oversight that occurs with Congress gets attention. And at some agencies it has gotten attention at higher levels than typically these issues would have gotten attention, and that is all very good. We want these cyber issues and IT issues elevated to a higher level in departments and agencies so they get the right attention and the right management focus on them.
FITARA passed in 2014. The first scorecard was 2015. Have you seen any flagging of interest or motivation with these scorecards since then?
I think [interest] has continued. I mean, this is all just good IT management hygiene. Who would argue on doing away with old waterfall approaches and going with the small deliveries? Who would argue with empty data centers where we do not utilize equipment and having better optimization there? And, in the process, saving some bucks along the way, too. You know, these things are items that should be done by CIOs and departments and agencies whether FITARA existed or not.
What are the agencies to watch for on the upcoming scorecard?
There is a single A, with the [U.S. Agency for International Development]. There are some agencies that have consistently gotten B’s, like GSA, and I think they do a very good job.
Sometimes it is not just about A, B, C. It is about how effectively they are doing this. If we incorporate cyber at some places, you might be seeing some agencies that do a better job on cyber, looking a lot better with their general hygiene, and that is probably a good thing.
A big thing here is the tenure of CIOs, getting the job done here. With the average tenure, which is typically about two years, can you really effect change and do something within two years? By the time you get your policies in place and start figuring the agency out, you are gone. So, as another good example I’ll point to the Department of Justice and someone like [CIO] Joe Klimavicz over there. He has been there four years at DOJ now, and I think you get grounded and you really start seeing good progress.
Have you found that there are any agencies that are reticent or more difficult to work with for the scorecard?
The short answer is yes. What I like to focus on at these hearings, and I would give the Oversight and Government Reform Committee a lot of credit for this, is typically there are agencies that get high scores and low scores and it is not an effort to beat people up. It is an effort sometimes to focus on the positives, too. And if you look at any of these scores in any given area, there are at least four or five A’s in any given area. And if some can get A’s, we can have more that get A’s. Sometimes it is okay to have the hammer at GAO, but I think a lot of times if you balance that with the positives, that is where we are most effective.
Is there anything new to keep an eye out for when the scorecard comes out?
The new areas are going to be whatever the committee decides on — whether it is MGT or cyber or others — that is going to be the big. That is really going to be a turn with the scorecard, where it moves a bit beyond just the provisions in FITARA. And that is positive.
Are there any misconceptions that people have about the scorecard you want to clear up?
Yeah. I would say — in terms of the transparency on how the calculations are done and what is behind the scores and everything — if you go back to the first hearing in November 2015, the committee put on their website, and it is still there, how the calculations were done down to details.
We at GAO have met with 19 of the 24 departments and agencies — and some agencies multiple, multiple times — going over exactly what data is used, how the calculations are actually put in place, and what is measured. So, there has been great transparency on that. And we have also met with the CIO Council, with the FITARA working groups there, and shared with them everything that the committee does with their calculations and the data that is used.
If they are confused about that, come and talk to us. The door is open. We will gladly sit down with them and talk to them about how this is done; everything is very transparent.
Jessie Bur covers federal IT and management.