The Government Accountability Office (GAO) issued a report today that shines a light on nine Federal agencies for 12 practices the agencies adopted to help them more effectively implement FITARA (Federal Information Technology Acquisition Reform Act) provisions.
GAO reviewed the Departments of Agriculture (USDA), Commerce (DoC), Health and Human Services (HHS), Homeland Security (DHS), Justice (DoJ), and Veterans Affairs (VA), as well as the Agency for International Development (USAID), NASA, and the General Services Administration (GSA).
GAO consolidated its review of the agencies’ practices under five areas of FITARA’s provisions: CIO authority enhancements, portfolio review, software purchasing, enhanced transparency and improved risk management, and data center consolidation. The watchdog agency also evaluated practices that were more overarching, rather than tied to a single provision of the law.
Of the 12 practices, GAO identified four as overarching – practices that weren’t unique to any one FITARA provision, but that better positioned agencies to implement all of the law’s provisions:
- Obtaining support from senior leadership;
- Treating FITARA implementation as an IT program;
- Establishing FITARA performance measures for component agencies; and
- Appointing an accountable executive for implementing FITARA provisions in each component agency.
Reflecting practices and feedback from the nine agencies, GAO found that FITARA implementation was more successful when senior officials highlighted the law’s importance during critical executive meetings and memorandums, and when agencies – such as Commerce – requested an executive FITARA sponsor. These and other provisions show that program structure, leadership, and accountability are key pillars of effectively meeting FITARA standards.
The other eight practices agencies identified fit into the five specific FITARA provisions that GAO highlighted.
CIO Authority Enhancements
One practice flagged by GAO fit into this provision: developing policy to explain how authorities that FITARA provided to agency CIOs should be executed.
For instance, DoC officials said the agency established policy to ensure that major CIO-certified IT investments were adequately implementing incremental development, and DoC’s Office of the CIO (OCIO) said “the certification policies assisted them in overseeing the management of IT investments and ensuring the use of incremental development throughout the agency, as called for by FITARA.”
Enhanced Transparency and Improved Risk Management
Under this provision, agencies said they implemented a risk-rating process for IT investments that incorporates risks, to better meet FITARA standards.
DoC OCIO, for example, created a process to review at least the top three risks for each investment and verified that those risks were specific to the investment and were managed and mitigated. DHS also had a process that reviewed investment risks and ensured risks were current and properly mitigated. USDA took a similar approach and added criteria in its processes to include an evaluation of management and risk exposure, and scoring of risks.
Portfolio Review
Agencies performed application rationalization activities to better meet FITARA’s portfolio review standard, GAO said. Specifically, GSA, Justice, DHS, and USAID said implementing these activities was key in meeting this provision.
“Application rationalization activities can include establishing a software application inventory, collecting information on each application, or evaluating an agency’s portfolio of IT investment to make decisions on applications (e.g. retire, replace, or eliminate),” GAO said.
In pursuing this strategy, DHS reported it consolidated systems and saved $202 million by FY2015. USAID decommissioned 78 old systems and identified more systems to decommission in future years, achieving cost savings of nearly $10 million since 2016.
Software Purchasing
USDA, VA, GSA, NASA, and USAID took on this provision with the practice of centralizing software license management, which GAO said they did by “establishing a software management team, creating contracts with vendors to centrally manage licenses, and establishing governance processes for software license management.”
This practice enabled GSA to consolidate licenses of one of its software products in FY2015, saving it $400,000, and avoiding over $3 million in future costs. VA saved about $65 million between 2017 and 2020 through software license consolidation.
Furthermore, USAID saved over $2.5 million between FY2016 and 2018 from this practice, and NASA realized approximately $224 million of savings from FY2014 to 2018.
Data Center Consolidation
Finally, several agencies – GSA, DoJ, NASA, USAID, and USDA – identified the last four of the 12 practices in the GAO report concerning data center consolidation that helped them realize cost savings or IT management improvements:
- Conducting site visits to all data centers;
- Transitioning to a virtual or cloud-based environment;
- Incentivizing component agencies to accelerate the pace of data center consolidation; and
- Utilizing data centers with excess capacity.
When USDA and DoJ visited their data centers, both agencies told GAO the visits “allowed them to more thoroughly document the inventory of applications and IT hardware in each of the data centers and to validate progress made toward closing data centers,” pushing data center closures and consolidation efforts forward.
Adopting cloud environments also helped eliminate duplicative applications, saving components like USDA’s Forest Service nearly $6.1 million annually. The environments allowed USDA, GSA, NASA, and USAID to save by optimizing data center infrastructure.
DoJ and GSA took on the last two practices. DoJ incentivized a component agency to accelerate its data center consolidation by providing supplemental funding, since consolidation is often expensive, which increased the component’s cooperation. When GSA established shared service agreements with the Environmental Protection Agency’s Computer Center and NASA’s Stennis Space Center data centers, the expanded capacity allowed GSA to consolidate several data centers.