The latest 9.0 iteration of the modernization report card for federal agencies is its most positive one yet. For the first time ever, some agencies achieved solid "A" scores, with two agencies scoring a perfect “A+.”
The ninth version of the Federal Information Technology Acquisition Reform Act (FITARA) scorecard, released Dec. 11, rates agencies in several modernization categories, including data center closure, cybersecurity and CIO support from leadership. Overall, nine agencies improved their scores, with 11 remaining stagnant and four receiving lower grades than FITARA 8.0.
The FITARA scorecard grades the 24 agencies governed by the CFO Act. The average score is a C to C+ and trending up, a far cry from four years ago.
In an unprecedented achievement, the General Services Administration and the Department of Education received “A+” scores overall, and the U.S. Agency for International Development (USAID) received an “A.” Before Wednesday’s release, the previous highest overall score was an “A-.”
Federal CIO Suzette Kent said at the Advanced Technology Academic Research Center’s IT Modernization Summit Dec. 11 that she was “thrilled” by the results, adding that the "A" grades are a “fantastic thing.”
“When we started in November 2015, there were F’s and D’s and only two B’s,” Kent said in her speech. "A scorecard is a point in time. Agencies are delivering results and improving in the modernization arena every single day. A scorecard is a nice place to take checkpoint and demonstrate what’s been done.”
Speaking to reporters after the speech, she added, “when I look at all the things that we have asked agencies to do ... the ones who got ‘A’s’ did every one of them,” pointing to data center guidance, application rationalization, workforce investments, long-term planning.
The Department of Homeland Security saw the biggest improvement on FITARA 9.0, jumping from an overall “D-” to a “B,” helped by an "A" score in its data center optimization. DHS currently has an acting CIO after former CIO John Zangardi left to join Leidos, a major government contractor. Acting DHS CIO Elizabeth Cappello testified to the House Oversight Committee’s subcommittee on government operations, along with NASA CIO Renee Wynn — whose agency scored a C+.
The Departments of State and Labor, the Nuclear Regulatory Commission and the Social Security Administration all fell. NRC and State scored the lowest, receiving D-.
Several agency CIOs have seen improvements in their reporting structure since the last scorecard. Under the law, agency CIOs must report to the agency head or deputy. On the last scorecard, 10 CIOs didn’t report to the secretary or deputy secretary. Only five agencies — the Departments of Health and Human Services, Labor, Justice, State and the NRC — don’t comply with that requirement. None of their overall scores improved. Three agencies have “acceptable” CIO reporting models, according to the Government Accountability Office’s director of IT management issues Carol Harris, while 16 have the proper structure in place.
Rep. Gerry Connolly, D-Va., praised the leadership of the two CIOs, pointing to their sharp improvements after the two agencies tied for the worst grade on the scorecard in June.
“Both DHS and NASA scorecards reflect increased grades given their agencies’ commitments to give the CIO direct reporting access to the head of the agency,” Connolly said in his opening statement.
At the last FITARA hearing, Connolly and ranking member Rep. Mark Meadows, R-N.C., expressed great concern after being alerted by the GAO that NASA was moving backward by eliminating its CIO’s direct reporting relationship to the administrator. NASA later reversed course and kept the position the same. Wynn said that keeping the position as is “helps me when I’m reporting significant cybersecurity events to be able to get easy access to the administrator."
“The number of reported cyber incidents against NASA continues to increase because we have greater visibility into our network,” Wynn said in her opening statement.
The cybersecurity struggle
The cybersecurity section of the report continues to be a mixed bag for agencies, though CIOs throughout the government take major issue with the way that the section is graded. The cybersecurity scores for FITARA 9.0 are largely similar to those on the 8.0 card, with just one "A" and just two agencies receiving failing marks, down from three on the last card. Agriculture raised its grade from an "F" to a “D.”
Agency CIOs have said that the cyber score doesn’t accurately reflect the cybersecurity measures that they’ve implemented. Asked by Federal Times about those complaints from CIOs earlier in the day, Kent said OMB and agencies were having “ongoing” discussions about the FISMA marks.
“The goal doesn’t change; it’s more around how we measure it and what are increments that you can actually show progress? That’s the really big thing,” Kent said. “In some of those areas, driving change in six months ... it’s more difficult.”
Despite the vast improvements in the department scores, there is some tension between Capitol Hill and the Office of Management and Budget on the data center optimization initiative, another area where agencies are at two ends of the spectrum of scores. The subcommittee is concerned about OMB guidance in the early summer that shifted federal departments’ focus from data center consolidation to data center optimization, a policy that Connolly and Meadows decried in the last hearing, saying it was too vague.
The GAO shared the concerns of the subcommittee leaders, with Harris characterizing OMB’s guidance as “taking significant steps backwards from where we were just four years ago.”
“The focus ... needs to be on consolidation because that gives you the large amounts of money [in savings] that you need in order to reinvest back into modernizing agency infrastructure," Harris said.
The OMB guidance also reclassified what constitutes a data center, which led to a drop in the number of facilities that qualify as one. Connolly argues that facilities that should be counted as data centers aren’t contained in the bucket. It’s not a small number of facilities that have been reclassified either, and the guidance introduced new cybersecurity risks into the government.
“With this redefinition of data centers, we’re losing visibility into 2,300 facilities and that’s a problem because agencies are going to lose focus on consolidation as being a top priority,” Harris said. “In addition to that, there are security risks associated with not monitoring these facilities, even if you’re not going to consolidate them.”
Harris said that the GAO will be releasing a report “soon” evaluating the data center guidance. She said that the guidance will recommend taking another look at the policy and the classification of data centers.
“We want explicit language that says ‘close them, consolidate them,’” said Connolly.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.