Modernizing the modernization tool: Changes are coming for FITARA

Rep. Gerry Connolly, D-Va., is leading efforts in Congress to update and modernize FITARA.

Rep. Gerry Connolly, D-Va., is leading efforts in Congress to update and modernize FITARA. Courtesy of Gerry Connolly

A new version of FITARA will come this summer, so vendors need to line up their solutions with the new cyber requirements customers will face.

What will impending changes to the Federal Information Technology Acquisition Reform Act mean for government agencies and the OEMs that sell to them?

To understand, we need some recent context. On Jan. 20, 2022, Rep. Gerald E. Connolly, D-Va., chairman of the Subcommittee on Government Operations, held the subcommittee’s biannual hearing to discuss FITARA, as well as the Modernizing Government Technology Act, and the Federal Information Security Modernization Act of 2014. The session considered opportunities for modernizing the FITARA Scorecard, the report card that grades agencies on their implementation of FITARA categories, since many agency grades have remained stagnant.

One possible explanation for the lack of progress, as cited by Connolly, is the methodology used by Congress to calculate metrics. Connolly began the session by considering ways to hold agencies accountable for IT modernization, including transition to the cloud.

What is changing? Focus change to security

A long-time category, Data Center Optimization Initiative, will be retired as all agencies received an A grade in the latest scorecard. With so much progress being made on the data center closure front, Congress is now turning its eye to a new focus: Cybersecurity.

Suggestions were made to create FITARA goals that map to the same cyber priorities found in the administration’s executive order on cybersecurity – including addressing zero trust architecture, securing cloud computing environments, protecting high-value data and addressing supply chain incidents. There were recommendations throughout the hearing that advised Congress to move beyond the mentality of compliance checklists and, instead, adopt practices such as real-time cybersecurity monitoring.

What do these changes mean?

Congressional oversight of FITARA helps agency CIOs make progress towards IT modernization and guides financial priorities. Department of Energy CIO Ann Dunkin, for example, has previously stated that she uses DOE’s existing working capital fund for some IT acquisitions; her agency Dunkin has said, is exploring the creation of another for IT modernization.

As the FITARA scorecard becomes more granular in articulating categories in the areas of IT modernization and cybersecurity, we will likely see agency CIOs developing strategic and financial roadmaps to achieve progress against these goals. OEMs and IT solution providers need to pay close attention to these priorities and how they are funded.

Why should you care?

As Congressman Jody Hice stated prior to the hearing, the subcommittee needs a “clear picture of how safe agencies are.” OEMs and IT service providers that sell cybersecurity solutions should pay attention here.

If you have a tool or solution to help your government customer agency meet its cybersecurity goals, you will want to keep a close eye on how the FITARA methodologies and metrics evolve. In addition, technology providers want to keep an eye on congressional and agency funding mechanisms for IT modernization as priorities are further defined.

As noted in testimony by GAO, more than half of the $100 billion spent on IT annually by the federal government still goes towards maintaining legacy systems. The Technology Modernization Fund and working capital funds established by Congress are critical to helping agencies realize progress in this area.

Understanding the cyber measurements and speaking to how your solution can help an agency meet those metrics will help ensure that your project gets funding, as the next iteration of the FITARA Scorecard is due to come out this summer.