When FITARA was first launched in November 2015, the Department of Education received a big fat “F” on its scorecard – denoting that the agency was failing across its IT and cyber categories.
However, just five years later in December 2019, the agency rose to an “A” on FITARA 9.0 and held steady with a “B” grade for the next six iterations of the scorecard. In September 2023, the Education Department once again rose to an “A” grade for FITARA 16.0.
The latest version of the FITARA scorecard – released in January – saw the department fall two letter grades to a “C,” due at least in part to a significant reshuffling of the IT-related categories. Eleven of the 24 Federal agencies also saw their grade decline.
Steven Hernandez, the Education Department’s chief information security officer (CISO), joined the agency in 2017, and has been a key player in pushing up the agency’s FITARA score and “achieving cyber excellence in the Federal government.”
“We were at an ‘F,’ today we’re at an ‘A,’” Hernandez said during a NextGov/FCW virtual event on March 7. “This is something I get asked to talk about quite a bit because well, how do you go from an ‘F’ to an ‘A’? And obviously that wasn’t overnight. We had lots of incremental steps along the way.”
Hernandez emphasized that it’s not about the technology – though that does, of course, play a part – but instead it’s about the people and the processes.
The CISO explained that the strategy and execution is critical. “I could have showed up six years ago and said, ‘Our goal is to get an ‘A’ in FITARA,’” he said. “If that’s it … plant the flag and then hope everybody marches, we’re never going to get there.”
“If we cannot formulate, if we cannot standardize, if we cannot get folks speaking a similar language and a similar construct around the how, not just the what, but the how, it’s going to be a very challenging journey,” Hernandez said.
The CISO said that his team’s guiding vision at the department is a world where every educational journey is secure.
“The best way to focus on [cybersecurity] is really to focus on the what,” Hernandez said. “What are we actually out here to achieve, what are we trying to attain because if we can get that right, we can get everything else right. And frankly, if we do it that way, if we started with the what, and then the how, and then the personalities, the people, we’re going to find that really there’s very few challenges that we can’t overcome with frankly the folks we have and the resources we have.”
Another key to achieving cybersecurity excellence at the Department of Education involves the workforce, Hernandez said. Upskilling his current workforce has been critical, but since his team is small, the CISO said leaning on the help of Federal contractors has been a game changer.
“If I didn’t have my amazing contract support teams and my amazing partners in the industry and contracting space, there’s absolutely no way we could be at an ‘A’ grade today getting recognized for FITARA next week,” he said. “That’s absolutely impossible.”
“I have the best team in government, but there is no way there’s enough hours with that team to do what we have been able to do,” he added.
The CISO emphasized that his team started at “truly ground zero” with an “F” grade and was able to build up to an “A” on the FITARA scorecard through people, leadership, teambuilding, and technology.
“But most importantly, it’s been a journey of togetherness, and I think that’s the key,” Hernandez said. “There’s the outcomes, the how we get there, and then the people. And if we started with people as a problem, we wouldn’t be here. When we focused on the outcomes and how we get to the outcomes and then people – we build people, we grow people to fit that outcome – success was inevitable.”
Next week, MeriTalk will be recognizing the Education Department’s FITARA progress by presenting its Chief Information Officer Luis Lopez with an award at Tech Tonic – previously Cyber Smoke – at 5 p.m. on March 14 at Morton’s in D.C.
