All too often government reforms come in the form of check-the-box policy compliance that looks sufficient on paper but does little to change the underlying issues facing federal agencies.
As technology becomes ever-more important for meeting the mission, costs for maintaining aging systems skyrocket and the repercussions of failing to deploy and secure applications become more severe, one public-private advocacy group is working to ensure that doesn't happen with FITARA, the most significant IT management reform in almost two decades.
A group from ACT-IAC has developed an IT Management Maturity Model for agencies to assess their progress against FITARA and basic best practices for IT governance. The model was created in conjunction with the Office of Management and Budget and tracks directly with the common baseline established in OMB's guidance.
Agencies submitted implementation plans based on OMB's guidance on Aug. 15 but there's still work to be done to ensure the spirit of the law is carried out, according to Federal CIO Tony Scott, who gave agency plans a B-plus overall.
"The spirit and intent of FITARA [is about] how do we improve IT management outright and not just comply with FITARA," said Darren Ash, CIO for the Nuclear Regulatory Commission and government chair for the FITARA project. "We knew this was not meant to be a check-the-box or compliance exercise, it was really meant to improve how we manage IT and ultimately meet and deliver the mission."
The Maturity Model has three levels: basic capabilities, evolving in maturity and demonstrating maturity.
Each of those maturity levels can then be assessed against five key metrics: governance, budget, acquisition, program management and workforce.
"Agencies can use this to say, 'This is how we comply with FITARA but these are areas we can focus on where we see gaps where we can improve our maturity, our governance and management of IT,'" Ash said, adding that all five metrics are critical to successful IT management.
The group expects agencies to use the model to assess where the organization sits as a whole and not just with regard to specific aspects of FITARA.
"We're hopeful that — especially for those agencies that are not going to be able to demonstrate through their self-assessment that they're compliant with the common baseline — this allows them to anchor themselves in a more general model of IT maturity that's broader than FITARA," said Stephen Holden, FITARA project manager and senior manager at Octo Consulting.
Agencies can use the model to map where they are deficient and find actionable ideas for how to improve, ultimately finding their way to compliance through better IT management, rather than the other way around.
"The idea is to make sure that agency implementation of FITARA doesn't become just a compliance exercise," Holden said. "It really is about this broader IT management maturity. Hopefully this model will help supplement the good work OMB has done."
The model was recently completed and is being shared with certain federal officials to garner feedback. The group plans to release the 40-page document publicly in the next few weeks.
Once the Maturity Model is out there, the group will continue on the second and third phase of the project.
In the second phase, the group plans to crowdsource ideas about what works in federal IT management to provide struggling agencies with a template for success.
"Many agencies just don't know what goodness really looks like," said FITARA project industry chairman Richard Spires, CEO of Resilient Network Systems. "If we were to provide them a policy statement, a set of procedures and a tool that helps them do something, that's been proven to work at another agency, that gets them to how to do it well."
The second phase will also include a picture of what it means to do FITARA well, with a list of real-world examples and success factors.
Finally, the third phase will be a comprehensive, independent review of how agencies are progressing against FITARA and, more importantly, good IT management practices.
That review will likely take place in late fiscal 2016.
"The endpoint is not OMB's approval of our implementation plan; that's the starting point," Ash said. "Between the feedback we'll receive from OMB and the maturity model, this is part of a roadmap, part of our journey to how we continue to mature."