What Gets Agencies a Good Grade on FITARA?

By:

With three agencies receiving “A” grades and more seeing improvements in their scores, what do the best performers on the FITARA Scorecard get right to earn such high marks? A look at the latest edition of the scorecard shows several factors that top agencies have in common, and shared issues among the low performers as well.

The Top Performers

For the agencies that did the best on the scorecard, the main difference between FITARA 8.0 and FITARA 9.0 is the inclusion of Data Center Optimization Initiative (DCOI) scores. All agencies that scored an “A” or a “B” scored well on DCOI, which was not included in June’s version of the scorecard due to concerns over policy updates. With the policy finalized and in place, agencies like the Department of Education and the General Services Administration (GSA) are getting credit for their efforts to close down data centers.

Another common factor lies in the FISMA (Federal Information Security Modernization Act) scores of agencies that did well. FISMA is a tough area for Federal agencies, as only half of CFO Act agencies have a score of C or better. However, three out of four agencies with a “B” grade on FITARA have at least a “C” grade on FISMA, and all three agencies with an “A” on FITARA scored at least a “C” on FISMA.

Agencies that got a “B” grade on FITARA have a pretty clear path to an “A” – each of them had an area with a “D” grade or lower that could be improved. The homework assignments for the next scorecard are relatively clear-cut:

  • The Department of Veterans Affairs (VA) can make the jump to an “A” grade with an IT working capital fund, which would improve its low score on the Modernizing Government Technology (MGT) section;
  • The Small Business Administration (SBA) will need to go through the tough work of improving its cybersecurity posture for the next FISMA assessment, an area where the agency is already making progress;
  • The National Science Foundation (NSF) will need to make improvements on both MGT and its risk management assessment. NSF has been a model with a score of “B+” for four scorecards now, but saw some slippage on risk management this go-around;
  • The Department of Homeland Security (DHS) can continue its meteoric rise from a “D-“ in June 2019 and reach an “A” grade by improving its risk assessments and giving its next permanent CIO more authority enhancements.

Overall, the three agencies with an “A” on the Scorecard succeeded by not having any weak areas – none of the agencies scored anything lower than a “C” in any category.

The Low Performers

When looking at the five agencies that scored a “C-“ grade or lower on the scorecard, one thing ties them together – all of them have CIOs who don’t report to their agency’s leader or deputy leader. The reporting structure of Federal CIOs has been a point of emphasis in previous hearings, and will likely be suggested once again as a relatively simple fix for agencies looking to improve.

The two agencies that received overall “D” grades did not fail in any area of the scorecard, but had gaps across the board. The Nuclear Regulatory Commission (NRC) had backsliding on CIO authority enhancements that took a toll on the agency’s FITARA grade, while the State Department saw drops in its portfolio review and FISMA categories.

Categories

Recent