Connolly releases new FITARA scores without usual committee hearing

Rep. Gerry Connolly, D-Va., released the latest Federal IT Acquisition Reform Act scorecards for agencies in an unusual forum on Tuesday, hosting a roundtable discussion with agency representatives rather than via an official subcommittee hearing. 

The scorecard dates back to 2015 — though it has been updated since then — and agencies are graded on their progress toward IT modernization standards by the Government Accountability Office.

Connolly, the ranking member of the subcommittee on cybersecurity, IT and government innovation in the House Oversight Committee, held a roundtable with agency representatives from the General Services Administration, Social Security Administration and Departments of State, Veterans Affairs and Commerce, as well as the Government Accountability Office. 

In a written statement, Connolly said that “while the [subcommittee chairwoman Nancy Mace, R-S.C.], has an ambitious agenda this Congress, we could not allow a lapse in having a scorecard, and we remain committed to working with Chairwoman Mace on the evolution of the FITARA scorecard.”

The scorecard is generally issued near the middle and end of each year. September is the latest the first FITARA scores of the year have ever been released since the scorecards were introduced as an oversight mechanism.

“FITARA is not a niche issue. To the contrary it is an essential function of this subcommittee… intended to drive IT modernization through public accountability,” the same written statement says. “While I look forward to our subcommittee FITARA oversight hearing later this year, we cannot abandon our traditional biannual oversight cadence of FITARA.”

In this sixteenth iteration of the biannual FITARA scorecard, eight agencies saw their scores increase and 16 had no changes. None received lower scores than the last scorecard, issued last December. 

Three agencies were given “A” scores — up from only one agency in the last scorecard. The number of “B” scores also increased to 16, up from the 12 agencies awarded that grade in the last scorecard. The remaining five agencies received a “C” grade.

All agencies received either an “A” or “B” in the data center consolidation category, which has been on the scorecard since the original November 2015 release. Cybersecurity — a newer category that was added to the scorecard in 2019 — featured only one “A” from the Nuclear Regulatory Commission.

The scorecard also includes a pass/fail section for the mandatory transition off of the Networx telecommunications contract vehicle and onto the Enterprise Infrastructure Solutions or another vehicle. Fourteen agencies got a failing grade for that, including the General Services Administration, which is in charge of overseeing the whole transition.

Exactly how the scorecard looks has evolved over time. This latest iteration previews two new categories: cloud and CIO reporting structure, budget and acquisitions.

The IT workforce is also something to consider as an addition, said Carol Harris, IT and cybersecurity director at GAO, who added that cloud procurement is a big challenge area for agencies given outdated language and pricing models in the Federal Acquisition Regulation, which serves as the primary policy for government acquisitions.

Overall, the scorecard effort has yielded $25.5 billion in savings, she said.

During the roundtable, Connolly and agency representatives discussed the efficacy of the scorecard in pushing progress at agencies, as well as the exact metrics agencies are measured against and how they are evaluated. 

“We created a scorecard as part of the implementation of FITARA so that we could use it as a implement to incentivize the update and the modernization of IT in federal agencies and frankly to empower decision-makers — CIO’s in particular — to be able to push change,” Connolly said during the roundtable.

There have been “dramatic improvements” in the grades for whether or not CIOs report directly to agency leadership, said Harris, attributing that progress to “that constant drumbeat from the scorecard.”

“The FITARA scoring is a mechanism that really allows us to keep ourselves accountable,” said André Mendes, CIO at the Commerce Department.

Some also had suggestions for improvements, particularly in how agencies are graded for cybersecurity, where the methodology has evolved over time. The latest scorecard uses a composite scoring of both cyber data from the Office of Management and Budget and data from inspectors general, according to a committee aide.

“I have a lot of cybersecurity scores… I think some consistency across these public [cybersecurity] metrics would be very helpful,” said State Department CIO Kelly Fletcher, who also suggested that agencies be graded on whether they’re implementing operational cybersecurity directives. 

“I do think FITARA has really fundamentally changed how department leadership sees IT and cybersecurity,” she added.