3 takeaways from FITARA 14

This post first appeared on Federal News Network. Read the original article.

House Oversight and Reform Committee members were more engaged this past Thursday on federal IT management issues than we have seen in some time.

Not only were the questions relevant, but the lawmakers did not stray into the silly, non-sequitur or totally unrelated world that could’ve easily happened during the 14th iteration of the Federal IT Acquisition Reform Act (FITARA) scorecard hearing on July 28.

Agency progress on the scorecard stagnated, mostly due to yet another disagreement between Rep. Gerry Connolly (D-Va.), the chairman of the subcommittee on government operations and the co-author of FITARA, and the Office of Management and Budget, this time over cybersecurity scores. Still, the biannual hearing highlighted continued progress in several categories amid a lot more “Fs” and “Ds” than we’ve seen over the last few years.

Here are three takeaways from the 14th FITARA hearing that you may have missed.

Data centers, still?

All signs pointed to the subcommittee sunsetting the data center category after every agency received an “A” grade on FITARA 13.

But like a Washington Commanders fan, hope is easily crushed in a short amount of time.

Connolly is, indeed, terminating the data center optimization category, but reviving his pet project, data center closures, as a category under FITARA 15 and beyond.

Rep. Gerry Connolly (D-Va.) wrote a letter to agency CIOs seeking more details on planned data center closures.

“It’s time to shift this metric to make it more focused and relevant. As promised, the previous methodology is sunset in this scorecard, scorecard 14,” Connolly said. “It’s our hope that focus on this category will enhance federal government’s movement to the cloud.”

The data that will help determine agency grades in this new category comes from a letter the subcommittee sent to agency CIOs on July 13, asking questions about current and future data center closure plans.

“Notwithstanding many agencies’ progress, several agencies have yet to complete their data center consolidation plans, and future closures and the savings those closures will secure are expected to drop and eventually diminish. Specifically, 17 agencies report no plans for future data center closures, and more than half of the remaining planned data center closures are slated for completion by the end of fiscal year 2022,” Connolly wrote in the letter, which Federal News Network obtained. “Given the subcommittee’s rigorous and successful oversight history of data center consolidation, we intend to continue our work until agencies realize all potential benefits.”

Agencies had until July 27 to answer three questions:

  • How many M-19-19 defined federal data centers does your agency currently operate?
  • If you are unable to answer the previous question based on the M-19-19 definition, how many federal data centers does your agency currently operate following the most up-to-date Integrated Data Collection guidance?
  • Of these operating data centers, how many are key mission facilities?
  • Since the enactment of FITARA, how many data centers have you closed?
  • Has your agency closed the maximum number of federal data centers possible?
    • If no, please explain why and provide the timeline expected to complete data center closures.
    • If yes, please justify the reasons why your remaining federal data centers are vital to your agency’s operations.

“The subcommittee plans to use these answers as part of a new methodology. The goal is to ensure agencies think strategically about their costly data center use, incentivize the closure of underutilized data centers and save taxpayer dollars,” he said at the hearing. “One of the reasons we wrote every agency as we’re re-tooling this category of the scorecard is we didn’t want to lose this metric [of closing data centers]. We’re going to continue to update that database and work with you in making sure as you said they’ve got a good reason to justify what they’ve got and what their plans are.”

Carol Harris, the director of IT and cybersecurity at the Government Accountability Office, said agencies need to have a good reason for still having data centers today versus putting workloads and applications in the cloud.

“We want to see the goal of every agency is to employ a hybrid model, where at least some of their infrastructure is cloud based. And then others are on site,” she said. “But for agencies to have, again, a large amount of their infrastructure being operated in data centers that’s a red flag.”

For the most part, experts have said there shouldn’t be too many red flags out there. Even the data on the Federal IT Dashboard shows the juice in the data center closures orange may not be worth the squeeze any more. Agencies closed 680 data centers out of a planned 734 in fiscal 2022 and still have 1,519 open. But many of those 1,519 are either on the classified side or mission critical.

“All the low hanging fruit has been picked so to get the fruit higher up on [the] tree, agencies need to buy ladders to get to them,” said one federal official familiar with the data center initiative. “Agencies will need data centers to achieve their missions and they wouldn’t consider consolidating them because of the negative impact on their mission. Optimization of those remaining data centers is tricky because getting there can be expensive.”

Since 2017, agencies have closed 4,329 data centers and saved or avoided spending more than $4.7 billion.

The Defense Department is responsible for a high percentage of the open data centers, with 601 as of June 2022.

John Sherman, the DoD chief information officer, told the subcommittee the Pentagon has closed more than 230 data centers so far this year and expects to close at least 12 before Sept. 30.

“The holdup has been moving some secret level systems that we needed to get moved over, but all the unclassified [systems], we’re basically done with that,” he said. “This has been one thing that among a number that we’ve been very grateful for FITARA to help drive the way ahead on that to get us to where we need to be as we move to cloud based technology.”

What’s ironic about the subcommittee’s decision to keep data centers as a FITARA category is that there is an effort in the Senate to remove the requirement for agencies to track cost savings and instead have them do more to secure their current data centers against cyber threats.

The Senate Homeland Security and Governmental Affairs Committee plans to mark up Sen. Jacky Rosen’s (D-Nev.) bill on Aug. 3.

Specifically, it would require OMB to coordinate a governmentwide effort to develop minimum requirements for federal data centers related to cyber intrusions, data center availability, mission-critical uptime, and resilience against physical attacks, wildfires, and other natural disasters. It also strikes language in FITARA referring to data center consolidation to ensure that federal agencies focus on the cost savings and avoidances that can be achieved through optimization, given the success of past data center consolidation efforts.

There is no guarantee Rosen’s bill ever becomes law, but it’s clear that House and Senate lawmakers are not on the same page when it comes to data center closures. And the question remains: why is Connolly still so focused on data center closures? Agencies clearly still have work to do, and the data centers that remain open pose potential cyber risks to them, but given the progress over the last decade and the limited oversight resources the subcommittee has, it seems like its time could be better spent on more pressing IT management issues.

Most agency CIOs and industry would agree too.

FISMA grades — worthless or valuable?

The argument over the value of Federal Information Security Management Act (FISMA) metrics and reports dates back to the prehistoric days of the internet, or as some of us call it, the late 1990s.

Going as far back as the precursor to FISMA, the Government Information Security Reform Act (GISRA), the question many asked was whether Congress could legislate better cybersecurity.

The answer is yes and no.

The most recent FITARA hearing demonstrates the conundrum.

While 10 agencies saw their FISMA-specific scores drop due to the lack of publicly available data, the CIOs who testified as well as some members of the committee questioned the validity of the grades.

EPA CIO Vaughn Noga (left) was one of three CIOs expressing concerns to the House on July 27 about the accuracy of the FITARA grades for cybersecurity.

“We’ve talked about cybersecurity, I would say of the areas of the scorecard, certainly, it’s not an accurate reflection. In my view of our posture relative to cybersecurity, we’ve actually spent a lot of time and focused energy on improving cyber across agency and we’ve done so since the start of the pandemic,” said Vaughn Noga, the CIO for the Environmental Protection Agency. “The pandemic really forced us to rethink how we are managing our IT remotely, how we’re protecting them, how we’re securing our patching them. So I don’t necessarily think it’s an accurate reflection, but we talked about that, it’s just one perspective, which is the IG assessment.”

GAO’s Harris added that the data is far from complete, calling the data the subcommittee used only a subset of what’s needed to measure an agency’s true cyber posture.

“There are many other inputs that should be incorporated if you want to have a comprehensive overall grade of what an organization’s cyber posture is,” she said. “I think that the challenge in this particular iteration, cyber because there was only one metric available for us to utilize, I do believe that that is not an accurate reflection of where agencies are at with cyber.”

Rep. Jody Hice (R-Ga.), ranking member of the subcommittee, asked the question that many CIOs and other federal cyber experts believe to be true about the FISMA IG reports: “This current scorecard then as it relates to cyber relatively worthless at this point?”

Hice’s question raises a larger discussion about whether FISMA itself has outlived its usefulness. House and Senate lawmakers are updating the law, which Congress last improved in 2014.

Grant Schneider, the former federal chief information security officer, said there still is real value in having an outside third party evaluate an organization’s systems.

At the same time, FISMA evaluations are a trailing indicator on a subset of systems and that makes them less valuable.

“We would look at the IG reports and the agency self assessments to understand an agency’s cyber posture. I found the self assessments to be fair and candid. I never felt like the agencies were trying to game the system. They were being honest and accurate,” Schneider said about his tenure at OMB in an interview with Federal News Network. “The other things we would look at were the high value assets and other work in the HVA assessments from CISA. We would look at incident data as well. We also looked at goals and metrics we were putting out quarterly in addition to the annual self assessment.”

Basically, Schneider, who is now the senior director of cybersecurity services for Venable, described the potential data GAO and the subcommittee could have looked at to give a more accurate grade on the FITARA scorecard. That is if OMB had been more, let’s say, cooperative and recognized the potential brouhaha the lack of cross-agency goals would cause during the hearing.

Now the back and forth between OMB and Connolly is great for the gossip pages, and there is plenty of juice to squeeze from that orange, such as Connolly’s claim that OMB “freely expressed contrition” about the cybersecurity scores, but let’s save that for another time.

The fact is FISMA has never been an accurate reflection of agency cyber posture; the federal IGs either refuse to, or just plainly can’t, understand that and change their metrics despite years of attempts to do just that; and CIOs’ frustration over the lack of holistic metrics has made this effort more of a checklist than a true analysis.

Schneider said there is always plenty of non-public data that OMB can share with GAO and the subcommittee to help round out an agency’s cyber posture along with the FISMA reports.

“It’s incumbent on cyber professionals to consider the sensitivity of any vulnerability or risk information that they make public, but that said, I don’t think anything we were publicly reporting on gave me any concerns or we wouldn’t have done it,” he said. “In our conversations with the Hill or with GAO, I think they always wanted more data, but they understood the need to protect the systems and some public reporting helps and some goes too far and we need to be concerned about it. There are draft FISMA reports that I took sections out of just because I was uncomfortable with data being disclosed. Some of that data I would’ve felt comfortable not to share publicly, but share with GAO and the Hill. And there was information that I would not want to share even with GAO or the Hill and just keep inside OMB.”

By the way, the IG community is once again updating its approach to cybersecurity oversight. Hopefully some of the message from the FITARA 14 hearing gets back to them so they rethink the entire FISMA oversight process.

One of the last FITARA scorecards?

Several former and current Hill staff members brought up the fact that this may be one of the last FITARA hearings. There is a growing feeling that after 14 scorecards, the value and impact have diminished quite a bit.

Add to that that Republicans are expected to take over the House after November: would the potential new leaders spend time on IT management when they have made it clear they plan to go after the Biden administration over what they deem to be bigger issues?

Julie Dunne, a former House Oversight and Reform Committee staff member for the Republicans, said she expects more aggressive oversight if Republicans are in the majority.

Julie Dunne is the former commissioner of the Federal Acquisition Service at GSA and a former House staff member.

“I could see more attention focused on the fact that while FITARA helps push agencies in the right direction, federal IT acquisition has remained on GAO’s high risk list since 2015,” said Dunne, who now is principal at Monument Advocacy, in an email to Federal News Network. “Hice has been for real in the FITARA scorecard, but he’s gone after this Congress and I don’t know [Rep. Fred] Keller (R-Pa.) well. I think the FITARA scorecard will stick around, perhaps somewhat minimized because of other investigations. It’s a fun, pre-packaged hearing, and GAO likes doing it. The members also seemed to like metrics. I intend to encourage staff to continue it when I get a chance!”

Ross Nodurft, a former Senate appropriations committee staff member and chief of OMB’s cyber office, said he could see the number of FITARA hearings decrease to one time a year.

“I am confident that, if the Republicans win the majority, there will still be a significant bipartisan focus on the issues of technology modernization and cybersecurity,” said Nodurft, who now is a director of cybersecurity services at Venable. “Rep [James] Comer (R-Ky.), ranking member of the full committee, and his team on the committee understand and appreciate the important role that technology plays in agencies meeting their missions. Whether it’s protecting the homeland or providing critical services to voters, both parties are invested in moving government digital innovation forward.”

Dunne added she actually thinks IT oversight will be tougher, as will the oversight of the Technology Modernization Fund (TMF).

“They’re going to have to increase transparency about the repayment decisions and account for all that funding to the Technology Transformation Service (TTS) at GSA, those are the questions I’d ask,” she said. “The cybersecurity grade will also get lots of continued attention, especially when the next big breach hits.”

The TMF and its payback model came up during the FITARA hearing.

Rep. Jake LaTurner (R-Kan.) questioned GAO’s Harris about whether it was worth attaching more conditions to the TMF funds, which could be tracked under the FITARA scorecard, to ensure agencies are using the money to update legacy systems.

“I think that agencies should be fully carrying out TMF as it was intended in the law, which is to address legacy issues. So I think that’s the criteria that the selection board utilizes that emphasis on legacy, it would be a great thing,” Harris said. “I also think that agencies need to focus on the open recommendations that we have made in TMF, relative to ensuring that they have reliable cost estimates for their projects, as well as reliable savings that they expect to achieve once those projects are fully deployed.”

Hice too expressed frustration over the TMF, saying the Biden administration is using it in a way that “amounts to a slush fund.”

“The idea behind the TMF was that agencies would create savings by retiring old systems. Those savings would then be used to repay the fund and allow for additional modernization projects. It was intended to create an efficient cycle,” he said. “But the executive director of the TMF Board gave us nonsensical answers about how the savings would be realized by the public. They’re not going to make agencies pay back the TMF funds. This is clearly ignoring the intent of the Modernizing Government Technology Act.”

It’s likely OMB, especially with the recent ruling from GAO, would disagree with Hice’s hyperbole about the TMF being a slush fund and the administration ignoring the intent of the MGT Act, but it’s a signal of how the Republicans view the effort so far.

Dunne said as the scorecard continues to evolve, the idea of using the PortfolioStat process – which, by the way, when was the last time OMB even conducted a PortfolioStat review, maybe five years, according to some – to address technical debt and legacy IT is an interesting idea that complements the goals of the MGT Act.

While few believe FITARA will go away in its entirety, the focus of the scorecard seems destined to change, and the frequency of the subcommittee’s public oversight also seems likely to decrease. The question, as always, is how lawmakers can find the right balance between oversight, accountability and value without creating a checkbox exercise for agencies, which seem to quickly understand how to “game” the system to get higher grades.
