FITARA Scores Jump, Stabilize on Software Inventory Improvements

The House Oversight and Government Reform Committee’s version 7.0 of its FITARA (Federal Information Technology Acquisition Reform Act) Scorecard issued today revealed broad trends of improvement and stabilization for Federal agencies compared to the previous scorecard issued in May.

Of the 24 agencies rated in the latest scorecard, 11 agencies boosted their scores since May, while 13 agency scores held steady.

To be sure, some of the agency grades remain low on the A-F scoring system, but it’s clear that for now agencies have managed to build a floor under their efforts to implement FITARA, MEGABYTE (the Making Electronic Government Accountable by Yielding Tangible Efficiencies Act), and the MGT (Modernizing Government Technology) Act.

Notably for the latest round, no Federal agency showed a declining score versus the prior period, and none received an overall “F” grade.

The improved trendlines in the latest report showed a marked difference from previous grades issued in May, when 11 agencies saw grade declines, seven held the line, and six earned higher marks.

Overall, 11 agencies earned grades in the “B” range in the scorecard issued today – the Departments of Education, Energy (DoE), Health and Human Services (HHS), Labor (DoL), Veterans Affairs (VA), General Services Administration (GSA), National Aeronautics and Space Administration (NASA), National Science Foundation (NSF), Small Business Administration (SBA), Social Security Administration (SSA), and U.S. Agency for International Development (USAID).

Seven agencies received scores in the “C” range – the Departments of Commerce (DoC), Homeland Security (DHS), Housing and Urban Development (HUD), Interior (DoI), State, and Transportation (DoT), and the Environmental Protection Agency (EPA).

What are the mile markers as we modernize IT and achieve a holistic view of organizational efficiency? Read more

Bringing up the rear with grades in the “D” range were the Departments of Defense (DoD), Justice (DoJ), Agriculture (USDA), Treasury, Office of Personnel Management (OPM), and the Nuclear Regulatory Commission (NRC).

The House committee attributed much of the sunnier grade trend to better agency efforts in the software licensing arena, saying that “in particular, since the committee included software licensing area on the Scorecard in June 2017, 16 agencies have implemented a comprehensive, regularly updated inventory of software licenses; and also used their inventory to make cost-effective decisions.”

Here’s a breakdown of the committee’s grading in the eight major areas of the latest scorecard:

Software Licensing

On the latest scorecard, the final grades in this category–18 “A” grades and six “F” grades–proved to be an all-or-nothing affair.  The committee said it used three grade components – a “C” if an agency had a “comprehensive, regularly-updated inventory of software licenses, an “F” if it did not, and an “A” if the inventory was used to make “cost-effective decisions.”

A total of eight agencies ran the table by jumping from “F” to “A” grades–SSA, SBA, NRC, NSF, DHS, Energy, State, and DoD–leading five of them to full-grade FITARA score improvements, and helping SBA to a full two-grade jump, to a “B+.”  Two other agencies made the jump from “C” to “A” – DoJ and Labor; DoJ’s overall FITARA grade remained stuck at “D-,” while Labor’s saw an overall full-grade pop, to “B-.”

The committee said that while six agencies received failing grades–DoC, HUD, DoI, Treasury, EPA, and OPM–each of them currently has “efforts underway to create and use an inventory.”

And the committee strongly emphasized why it places importance on the category – saying agencies could “potentially achieve hundreds of millions of dollars in government-wide savings.”  It said “federal agencies should apply better management of software licenses” and OMB “should issue a directive to assist agencies in doing so.”

CIO Authority/Reporting Structure

Among FITARA’s broad thrusts is ensuring that agency CIOs have a “significant role in agencies’ IT decisions,” the committee said, and its scoring reflects a full letter grade drop for agencies where CIOs do not report to the Secretary or Deputy Secretary.  Of the 24 agencies rated, 16 agencies have CIOs reporting to the Secretary or Deputy, and nine do not; notably, only one agency–HHS–improved its standing in this category since May, helping to drive its overall FITARA score to “B+,” from the previous level of “C-.”

Of the nine agencies without the CIO reporting to the Secretary or Deputy–USDA, DHS, DoJ, DoL, State, Treasury, NRC, and USAID–only DoL scored higher than a “C” grade, at “B-“ – while the other eight were graded between “C-“ and “D-.”

Agency CIO Authority Enhancements (Incremental Development)

Noting that FITARA requires CIOs to certify that IT investments are adequately implementing incremental development, the committee graded out 17 of the 24 agencies at 90% or better.

Of the remaining seven agencies, DoD’s rating jumped to 33 percent from just 8 percent previously; NASA rocketed to 75 percent from zero previously; and DoT crept to 58 percent from 53 percent previously.  Backsliders included: DoJ at 88 percent versus 100 percent previously; Treasury at 75 percent from 82 percent previously; and EPA at 78 percent from 92 percent previously.

The committee reminded that OMB requires agency IT investments to deliver functionality every six months because in the past agencies “have reported that poor-performing projects have often used a ‘big bang’ approach – that is, projects that are broadly scoped and aim to deliver functionality several years after initiation.”

OMB IT DASHBOARD

The committee explained that FITARA requires OMB to publicize information about federal IT investments, and requires agency CIOs to categorize major IT investments by risk.  OMB’s public itdashboard.gov website displays agency CIO assessments of risk for major IT investments, and the investment’s ability to accomplish its goals.  Thus, the committee said its grading “rewards the agencies that are reporting more risk, because the string of high-profile federal IT failures demonstrates that increased attention is needed in this area.”

With a scoring system that awards “A” grades to the five agencies with the most reported risk by dollar value (with the second group of five getting “B” grades, and so on…), larger agencies tended to report the highest at-risk totals:  DoD at $2.7 billion; HHS at $2.6 billion; VA at $782 million; DHS at $718 million; and DoC at $462 million.  By contrast, NRC received a failing grade because it reported that none of its major IT investments at risk.

Agencies with the highest percentages of reported at-risk investments included:  VA at 100% of $782 million of major IT investments; USAID at 100% of $34 million of major IT investments; DoE at 93% of $405 million of major IT investments; and HHS at 92% of $2.8 billion of major IT investments.

Portfolio Review (PortfolioStat)

The committee’s grading system is geared toward rewarding agencies that, through OMB’s PortfolioStat initiative, grade out with the highest percentage totals of cost savings and avoidances realized over a three-year period.  The PortfolioStat initiative requires agencies to conduct annual, agency-wide IT portfolio reviews aimed at reducing commodity IT spending and demonstrating how IT investments align with agency missions and business functions.

Repeating from the prior reporting period as the top five agencies (with the top five receiving “A” grades, the next five receiving “B” grades, and so on…) were: HHS with 26 percent cost savings/avoidances; DoC with 23 percent; NASA with 15.8 percent; USAID with 15.6 percent; and Treasury with 11.9 percent.

Federal Data Center Optimization Initiative

The committee’s grading metric combines data center savings, metrics, and closures, with savings and metrics each counting for half the grade, plus an upward adjustment if an agency has closed more than 50 percent of its total data centers.

Only four agencies earned “A” grades–GSA, USAID, HUD, and Education–and the latter two no longer have any agency-run data centers.  Also of note, USDA jumped two full letter grades, to a “B,” from the prior grading period, and DoL and EPA both gained one full letter grade, to “B.”  Grades of “F” saddled DoD, DoE, DoI, VA, and OPM.

The committee cited Government Accountability Office (GAO) reports in 2017 and 2018 that describe potentially billions of dollars of savings available from agency data center closures.  And it said that in a draft report GAO plans to issue in early 2019, the watchdog agency “found that agencies continue to report mixed progress toward achieving OMB’s goals for closing data centers and realizing the associated cost savings.”

MGT Act

Most agencies–19 out of 24–showed no movement for the most recent period in this category, which evaluates agency progress toward establishing–as authorized by the MGT Act–working capital funds (WCF) for use in transitioning from legacy IT systems and for addressing evolving threats to information security.  The scoring system for this category–which debuted in May 2018–awards an “A” grade if an agency has established MGT-specific WCF with a CIO in charge of decision making, a “B” grade if it plans to set up an MGT-specific WCF in 2019 or 2020, a “C” grade if it has a department WCF, a “D” grade if it has “some other IT-related funding method, and an “F” grade otherwise.

The only holder of an “A” grade for the most recent period is DoL, with “B” grades going to USDA, DHS, and SBA.  Improving from “F” grades in the prior period were:  DoC, to a “C” grade; DoD, to a “C” grade; and DoJ, to a “D” grade.

FISMA Previewed

The committee explained that the category, the only one to not count towards the overall grade, is rooted in the 2014 Federal Information Security Modernization Act (FISMA), which aims to improve Federal government cybersecurity by promoting tools for continuous monitoring and diagnosis of federal network security, providing improved oversight of security programs, and assigning duties to OMB and DHS – particularly in regard to improving civilian agency security through its Continuous Diagnostics and Mitigation (CDM) program.

The grading system used by the committee combines assessments of agency inspectors general and cross-agency priority (CAP) cybersecurity goals.

Leading the agency pack–largely on the strength of higher percentage of CAP goals met–were NSF, NRC, and USAID, each with “B” grades.  Grades of “C” were earned by Education, HUD, DoI, State, GSA, and SSA.

Recent