While Federal agencies showed an improving overall grading trend across a range of longstanding IT-related categories on the 16th version of the FITARA Scorecard released today, coming additions to the scoring category lineup could create a changed and perhaps more challenging landscape for overall grades on future scorecards.
Why Some Grades Improved
On the latest scorecard, eight agencies saw their overall grades improve by one full grading letter, while the other 16 agencies hung steady with their grades from the 15th edition of the scorecard released in December of last year. Three of the 24 agencies – the U.S. Agency for International Development, Labor Department, and Education Department – got “A” grades overall.
Helping to stabilize the grading landscape was the lack of new scoring categories in the latest FITARA scorecard. The latest scorecard features seven tried-and-true grading categories for which scores were assigned – 1) agency CIO authority enhancements; 2) transparency and risk management; 3) portfolio review savings; 4) data center consolidation; 5) modernizing government technology (MGT); 6) cyber; and 7) transition off Networx contract.
Among the eight agencies that generated better overall grades, the bulk of those gains drew from improvements in their scores for transitioning more fully to the General Services Administration’s Enterprise Information Solutions (EIS) contract for communications services and away from the previous Networx contract. Agencies whose grades benefited from better marks for the transition from Networx include the Education Department, Labor Department, Office of Personnel Management, and Social Security Administration.
Others earned the higher overall grades through improvements in data center consolidation, cyber, and MGT scoring categories. Among those are the Interior Department and Energy Department benefiting from better data center consolidation grades, and the Department of Homeland Security boosting its overall grade through improvements in the cyber and MGT categories.
New Categories to Come
Looking ahead to the 17th edition of the FITARA Scorecard, the biggest wildcards evident from the scorecard released today are previews of two new categories to come – one for cloud and one for CIO reporting structure, budget, and acquisitions.
The scorecard released today provides little in the way of firm details on exactly what kind of performance in those two categories will be evaluated by the Government Accountability Office (GAO) – which compiles the FITARA scores – and members of the House Oversight and Accountability Committee, which typically releases the scorecard.
For those two categories, the scorecard merely contains notes reflecting the completeness of response letters from agencies, and whether responses are forthcoming.
Rep. Gerry Connolly, D-Va., ranking member of the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation, said last month that he is committed to encouraging further adoption of cloud services by the Federal government “through continued FITARA (Federal Information Technology Acquisition Reform Act) oversight hearings” by the House Oversight and Accountability Committee.
Back in March, Rep. Connolly said the subcommittee, which is chaired by Rep. Nancy Mace, R-S.C., planned to continue to work with stakeholders to finalize a modernized cyber score using new metrics from the Office of Management and Budget (OMB).
Additionally, he pledged to continue to push the CIO reporting authority metric and direct agencies to self-report their CIO’s control over IT spending and acquisition – in addition to the status of codifying their CIO reporting relationship.
“We want to move into new frontiers. And Miss Mace and I are going to be doing that in AI, in cybersecurity, and in other fields and endeavors as well, to make sure that America is competitive and to make sure that the Federal government is at the cutting edge,” Rep. Connolly said.
GAO’s Cyber Category Interest
Marisol Cruz Cain, director of information technology and cybersecurity at GAO, said at a Nextgov event earlier this month that there was a lot of interest at her agency in developing more detailed cyber scores for Federal agencies through the FITARA Scorecard process.
Cautioning that she does not do FITARA work directly, Cain predicted “there will be changes coming” with agency cybersecurity grades.
“I think that there has been some talk about looking for more discreet cybersecurity grading,” she said, “so not just looking at the [inspectors general] work and giving them a grade but coming up with more actual real measures to see, like how was your supply chain security, what does your cybersecurity risk management look like?”
“We have been in lots of discussions about how we can measure cyber better on the FITARA scorecard,” she continued. “But I know that the people that created the scorecard are always looking for better ways to measure all of the different areas.”
“Cyber has been a particular area of interest for improving how we get those scores,” she said. “As they change, you’ll see agencies go up and down, because what you measure can bring your score significantly up or significantly down.” She continued, “the more you’re getting used to what’s being measured, you put your focus there, and we’re not sure that what they’re measuring right now are the exact answers … I guess what people kind of call a Holy Grail … of agency cyber posture.”
