At Subcommittee Hearing, Members Examined FITARA 15.0 Scorecard and Future of the Oversight Tool
Washington, D.C. (Dec. 15, 2022)—Today, Rep. Gerald E. Connolly, Chairman of the Subcommittee on Government Operations, held a biannual hearing to assess implementation of various information technology (IT) best practices, including requirements from the Federal Information Technology Acquisition Reform Act (FITARA) and the Modernizing Government Technology Act (MGT), following the release of its 15th iteration of the FITARA Scorecard.
The Scorecard has been an essential tool in helping agencies save more than $30 billion by, among other things, facilitating the closure of more than 4,000 unnecessary data centers and encouraging reviews to better align IT investments with agency management and business functions.
This Scorecard included a preview of new metrics from the Office of Management and Budget (OMB) that can help Congress and the public determine whether agencies are implementing cybersecurity best practices.
The Subcommittee heard testimony from Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director for Federal Cybersecurity at OMB; Jason Gray, CIO at the U.S. Agency for International Development (USAID); Carol C. Harris, Director, Information Technology and Cybersecurity at the Government Accountability Office (GAO); and Jennifer Franks, Director, Information Technology and Cybersecurity at GAO.
Chairman Connolly opened the hearing touting his 15th hearing on federal information technology oversight, saying: “I don’t believe there is any precedent in Congress for that. I think we’re unique. And it shows bipartisan commitment to making sure that FITARA is implemented. Implementation is key. Passing a law is part of the process. We created a scorecard to try to monitor and get metrics for that information. We have modified that Scorecard over the years on a bipartisan basis. We have added more emphasis on cyber. We’ve also added more emphasis on personnel management issues.”
Members and witnesses enumerated the ways in which FITARA has saved taxpayer dollars and improved service delivery.
- Mr. Gray testified, in response to a question asked by Chairman Connolly: “I look at FITARA in a way like a navigational roadmap for a CIO that you know where those critical landmarks are that keep you on track. And as it has evolved, those landmarks become clearer and we can measure month-over-month, day-over-day, year-over-year to see are we making it towards that goal. I have seen in my time the full embrace of FITARA. It’s not just a compliance activity. The outcome is better informed decisions, better management in terms of resources—and that’s funding and individuals—and applying those resources to the appropriate projects and activities that will lead us to the future.”
- Ms. Harris also applauded the successes of PortfolioStat, a tool that OMB created in response to FITARA. According to the Federal Chief Information Officer Council, agencies use PortfolioStat to “assess the maturity of their IT portfolio management, consolidate and eliminate duplicative spending on commodity IT, and improve agency processes to drive mission and customer-focused IT solutions.” Ms. Harris stated, “[PortfolioStat] has contributed cost savings …[of] $25.5 billion dollars, it’s tremendous.”
Members and witnesses evaluated OMB’s newly released cybersecurity metrics—centered around the National Institute of Science and Technology’s (NIST) Cybersecurity Framework—to help oversight of agencies’ IT acquisition and management.
- Mr. DeRusha, in his opening testimony, said: “We’ve also begun to evolve how we measure success. For FY22, OMB and Cybersecurity and Infrastructure Security Agency have established a new baseline on FISMA metrics, many of which were selected based on components of Executive Order . And these data have been used to measure trends and help agencies identify where additional resources are needed.”
- Ms. Franks emphasized: “For an issue as complex and dynamic as cybersecurity, using a few selective measures cannot give us a holistic picture of what is going to be needed to ... fully comply with the cyber threats across the federal government—the sophisticated and evolving events that plague us day in and day out so what’s going to be needed for these metrics if for OMB’s guidance to give us that automated approach to really staying abreast of the cyber curve and fundamentally give us some up-to-date metrics. … We are really going to need some metrics to help all of the agencies with where they are. Every agency is different [so] … they’re going to need to be designed differently for each agency.”
- Mr. Gray explained: “I think more work must be done. … There’s a lot of activities that agencies are doing to manage risk that are not captured in a FISMA audit or even a cyber score. Which gets to my earlier point that we capture a lot of data and look forward to working across government to measure the holistic risk associated with each agency’s portfolio. I do think it’s a great start.”
Members and witnesses examined how the Scorecard has enhanced the reporting structure for CIOs and can further empower CIOs in the future.
- Congresswoman Eleanor Holmes Norton explained: “FITARA requires CIOs, and here I’m quoting, ‘to have a significant role in the decision, processes, management, governance, and oversight process related to information technology.’ Since the Subcommittee added a CIO reporting authority metric on the Scorecard, the percentage of CIOs with a direct or partial reporting relationship rose from 50% to over 90%. CIOs have previously testified to how helpful FITARA was at giving them a spot in C-Suite conversations.”
- Mr. Gray testified: “I absolutely support the CIO reporting to the agency head for numerous reasons. … The value is not just holding a seat at the table, but it’s ensuring that I am able, or this position is able, to brief senior leadership on: How are things going from a cybersecurity standpoint? How are things going from a governance standpoint? How is operations going? How are we modernizing? What are we doing for user experience and customer satisfaction? How is the workforce doing? And it gives that direct feed to agency leadership so that when they are needing to make decisions across the entire agency that go beyond technology that they have that critical information to inform those decisions.”
- Ms. Harris added, “There is still work that needs to be done to fully empower CIOs. It’s great that they had that seat at the table, they had that direct line of reporting to the head of their agencies. But there are still additional responsibilities that they carry that need to be fully fleshed out. So, I am very pleased to see this category in the Scorecard expanded to address some of those areas.”