By: David Epperson, Knox Systems Federal Advisory Board Member
Former Deputy CIO of the Executive Office of the President
First CIO & CISO of CISA
A new iteration of the Federal Information Technology Acquisition Reform Act, or FITARA 2.0, will be coming because the federal IT mission demands it. First passed in 2014, FITARA was designed to improve how federal agencies buy, manage and govern information technology. Over time, the FITARA Scorecard has become Congress’s primary oversight tool for assessing agency performance across IT management, modernization and cybersecurity. While the scorecard has evolved over the past decade, a more substantial refresh is needed to keep pace with cloud adoption, cybersecurity risk and the rise of artificial intelligence.
One of the most important reasons to pass FITARA 2.0 is to update the criteria the scorecard assesses so they are less subjective and more tangibly measurable. While its domains incorporate cost, schedule, performance and cybersecurity data, some areas still depend too heavily on process maturity and subjective risk characterization. In an era of escalating cyber threats and rapidly emerging AI systems, that is no longer sufficient.
Historically, scorecard methodologies and authorization processes have often emphasized documentation, procedure maturity and reported compliance status more than continuous, objective measurement of whether risk is actually being reduced. That gap matters. The next generation of oversight should move beyond subjective risk characterization and toward evidence-based validation, measurable control performance and continuous monitoring. This is especially important with emergent artificial intelligence technologies that lack deterministic reliability.
A Critical New Domain
Growing federal adoption of AI obliges its inclusion in any updated FITARA scorecard. Among other criteria, the scorecard will need to measure attributes such as AI accuracy, robustness, level of drift and level of bias. It will also need metrics for explainability of results, which, although harder to define, is essential for enabling confidence in an AI system’s output. That is especially relevant for agentic AI, as the government looks to adopt it for tasks traditionally performed by entry-level personnel in the name of cost reduction and mission acceleration.
What counts as a successful model for government purposes will depend on the use case to which it is applied. For example, the Federal Emergency Management Agency might value lack of bias higher than raw accuracy to help ensure emergency supplies are not distributed inequitably during a crisis. Given the nature of AI models, prioritizing bias reduction may create some minimal tradeoff with other criteria, such as accuracy. By contrast, the Department of War would undoubtedly prioritize high accuracy to ensure any intended military targets are absolutely correct.
Whatever the use case, engendering agency trust in a model will require objective third-party validation by a new group of qualified validating organizations, likely outside of government. Because those organizations may touch highly sensitive data, the tools they use will need to meet rigorous federal cloud security requirements, often including FedRAMP Moderate or High authorization or certification, depending on the sensitivity of the data and mission. Without FedRAMP authorization or certification at the appropriate impact level, a validating entity will struggle to gain the confidence and trust of model developers or their agency customers.
Accelerating Delivery While Ensuring Security
The prospect of pursuing FedRAMP authorization can be intimidating. Since its inception, achieving authorization has often involved an expensive and lengthy process. While very large companies can sustain the effort, smaller companies often find the financial burden and years-long timeframe prohibitive. Because many authorization paths have required an agency sponsor, and sponsorship carries its own level of effort, agencies have had to invest as well. For example, dedicating headcount previously designated for other projects, or contracting for outside help, can quickly cost an agency hundreds of thousands of unbudgeted dollars and lost bandwidth.
New mechanisms are becoming available to help address these challenges. Last year, GSA’s FedRAMP office introduced FedRAMP 20x, a cloud-native, automation-focused approach that uses Key Security Indicators (KSIs) and machine-readable evidence to accelerate authorization. The initial phase focused on Low authorizations and did not require an agency sponsor, with later phases intended to expand the model. While FedRAMP 20x is a valuable modernization path, questions remain about how consistently KSI evidence will be generated, validated and compared across providers as the model scales beyond the initial pilot phases.
An alternative is the landing zone model, a commercial platform-as-a-service in which SaaS providers deploy their applications into a cloud boundary that already holds FedRAMP authorization, inheriting its approved security controls and authority to operate instead of having to recreate them. Integrated automation enables continuous monitoring and validation of the environment to sustain compliance. This model enables both speed to mission for federal agencies and speed to market for SaaS providers, removing the sponsorship requirement while ensuring the highest levels of security. It is a cost-effective, highly streamlined option that can save providers years of time and millions of dollars.
Landing zones will not only quickly increase the number of secure SaaS applications available for mission support, they will also ensure that organizations validating FITARA 2.0 compliance have innovative, reliable and trustworthy tools to do so. In an environment where modernization and speed are imperative, this innovative approach will advance both without compromising security.