Cyber grades bring down agencies’ scores in FITARA 14

The 14th version of the FITARA scorecard shows one agency increased its score, while eight earned lower scores, mostly due to cybersecurity shortcomings.

CORRECTION: An earlier version of this story said State Department received a lower grade than they did. The story has been updated to reflect State’s accurate score.

The House Oversight and Reform Committee doesn’t plan to drop data centers from the Federal IT Acquisition Reform Act (FITARA) scorecard after all.

The 14th version of the bi-annual grades released July 27 shows the committee will indeed retire the data center optimization category, but add a new one around data center consolidation. The committee is holding a hearing on Thursday about the results of the scorecard.

“From fiscal years 2016 through 2021, the Office of Management and Budget and agencies have reported on the closures of several thousand data centers and saved approximately $5 billion. However, as of July 2022, the Federal IT Dashboard reported over a hundred remaining planned data center closures between fiscal 2022 and 2025,” the committee wrote in the scorecard. “Before data center reporting requirement sunsets, demonstration that agencies have closed the maximum number of data centers possible is desired.”

The data center closure requirement is set to sunset Oct. 1, unless Congress extends it.

The decision to evolve the data center category comes after the committee and the Government Accountability Office signaled during the FITARA 13 hearing that they were ready to sunset the category altogether.

In the meantime, Sen. Jacky Rosen (D-Nev.) plans to introduce the Federal Data Center Enhancement Act in the coming days that would require agencies to do more to secure their remaining data centers. The Senate Homeland Security and Governmental Affairs Committee plans to mark up the bill at its Aug. 3 business meeting.

The bill, according to a draft summary obtained by Federal News Network, would require OMB to develop minimum requirements for federal data centers related to cyber intrusions, data center availability, mission-critical uptime and resilience against physical attacks, wildfires and other natural disasters. The bill also would remove a provision in FITARA that requires agencies to focus on cost savings or cost avoidance through data center consolidation and optimization.

Rep. Gerry Connolly (D-Va.), chairman of the government operations subcommittee and co-author of FITARA, said at the hearing the committee sent letters to agencies asking them to justify the need for their remaining data centers.

“The subcommittee plans to use these answers as part of a new methodology. The goal is to ensure agencies think strategically about their costly data center use, incentivize the closure of underutilized data centers and save taxpayer dollars,” he said. “One of the reasons we wrote every agency as we’re retooling this category of the scorecard is we didn’t want to lose this metric [of closing data centers]. We’re going to continue to update that database and work with you in making sure, as you said, they’ve got a good reason to justify what they’ve got and what their plans are.”

While Connolly hasn’t given up on pressing agencies to close more data centers, he is ready to wind up the CIO authorities category under the scorecard.

This one attempts to hold agencies’ secretaries and administrators accountable to ensure chief information officers have a “seat at the table” with other senior executives to influence and impact decisions.

“Of the 24 major agencies, 16 CIOs report to the head of their agency (or the deputy) and six CIOs have established agency policies that allow for direct reporting over some, but not all, IT decisions,” the committee wrote. “CIOs that do not report to the head of the agency weaken their ability to effectively manage IT. Given the history of federal IT failures, this is a concern.”

At only two agencies, the departments of Justice and Labor, does the CIO not report directly to the secretary or deputy secretary at all.

The committee hasn’t said why it plans to sunset this category given that 8 of 24 CIOs don’t report directly to agency senior leadership on all IT decisions.

Carol Harris, the director of IT and cybersecurity at the Government Accountability Office, said this metric has done a lot to ensure CIOs are on equal footing with other C-suite executives.

“This emphasis in the organizational structure cannot be emphasized enough,” she said. “Our work has shown that CIOs are more fully empowered to carry out their legal authorities when they have this direct line as compared to their counterparts that do not.”

Connolly added, “As discussed during the January 2022 FITARA hearing, a variety of factors including changing data availability, agency resolve and an advancing IT landscape catalyzed the subcommittee to once more evolve the scorecard. Since then, the subcommittee engaged a multitude of stakeholders and the Government Accountability Office to explore potential improvements to the scorecard’s data and methodology. These conversations have resulted in our latest effort to use the scorecard to incentivize agencies to advance their IT and acquisition priorities.”

Beyond the two category changes, the FITARA 14 scorecard shows a significant downward trend among eight agencies. Only one agency, the U.S. Agency for International Development, received an “A” grade, while the departments of Transportation and Defense dropped to “D+,” marking only the third time “D” grades have been given since July 2020.

Source: House Oversight and Reform Committee July 2022 FITARA 14 scorecard.

“Notably, many agencies’ grades were impacted by the removal of the data center optimization initiative methodology sunset and absence of available data for cybersecurity cross-agency priority goals,” the committee wrote. “If the same methodology from the prior scorecard had been used, four agencies’ grades would have increased and 20 would have remained the same.”

The committee said OMB stopped tracking the metrics under the Trump administration’s cross-agency priorities for cybersecurity. So instead, the committee relied solely on inspector general reports on the Federal Information Security Management Act (FISMA).

Based on the IG reports, 10 agencies received “F” grades for cybersecurity, while nine received “D” marks. In the December 2021 scorecard, no agency received an “F” grade and the committee handed out six “D” marks.

Source: House Oversight and Reform Committee FITARA 14 scorecard.

OMB spokeswoman Isabel Aldunate said in a statement that the Biden administration has made significant progress in transforming federal cybersecurity over the last year through the move to zero trust architecture and addressing long-standing problems.

“These grades for federal agencies are based on an outdated, compliance-oriented approach and no longer reflect the progress agencies have made, which is why we’re working with Congress to recommend an approach that reflects the rapidly evolving nature of the threats that agencies face,” she said.

Additionally, OMB is working with the Cybersecurity and Infrastructure Security Agency and the National Cyber Director in the White House to determine what cyber data can be published publicly without putting agencies at risk of exposing potential vulnerabilities.

The other reason for agencies’ lower scores is continued struggles with the transition to the Enterprise Infrastructure Solutions (EIS) contract.

The committee said seven agencies improved overall, but still handed out 11 “Fs” and three “Ds.”

GAO’s Harris said while 14 agencies are struggling with the transition, that is down from 17 in the December 2021 scorecard.

David Shive, the GSA CIO, said one of the reasons his agency received a “D” grade is it has spent a lot of time in the planning phase and is getting ready to “flip the switch” for a more modernized infrastructure.

“We did a lot of the work to transform from line-based communications technologies to digital voice over IP technology seven or eight years ago. As we implement EIS, now we’re using it more as a transformation play. The number of circuits that we’re moving is a much smaller denominator in that calculus,” he said. “The second part is because we’re using it as a transformation play. When we go to implement, it literally will flip overnight; a massive number of our lines that are measured will go from decommissioned to commissioned on the new platform. So it’s really a flip-the-switch type of model, and so what you’re seeing now is representative of a lot of our planning work ahead of that transformation play.”
