By bringing in a baker’s dozen of current and former federal IT experts, the Government Accountability Office’s Dave Powner likely knew what he was getting into. There would be no shortage of passion and strong opinions about what’s going right and wrong with the Federal IT Acquisition Reform Act (FITARA).
Let me put it this way: With the likes of Karen Evans, Vivek Kundra, both former federal chief information officers — I know Karen never officially held that title, but work with me here — Roger Baker, Dave McClure, Dan Chenok, Richard Spires and Tom Davis, the former Virginia congressman who wrote the first major cyber bill update in the early 2000s, the room didn’t include any shrinking violets.
Amazingly, however, the FITARA party didn’t turn into a complain-fest of what one administration did or didn’t do, or why Congress failed this time. Rather, this motley group gave GAO quite a cogent and cohesive earful, which hopefully will lead to an improved FITARA scorecard and, more importantly, a more effective implementation of the law.
GAO’s forum and report highlight a series of recommendations from the experts on how to further improve FITARA and make sure it’s implemented to the greatest extent possible.
Next-level cybersecurity. Download our free Expert Edition: Cyber Exposure in DoD to understand cybersecurity in a connected landscape.
“If GAO wrote the report about CIO authorities, I don’t think it would have the same impact if they didn’t include the people who were in the jobs,” said Baker, the former CIO at the departments of Veterans Affairs and Commerce. “It was an open and collegial discussion. It was a non-partisan discussion about how we can do IT management better. I give credit to Dave Powner and [Comptroller General] Gene Dodaro, who was there most of the day, for bringing us all together.”
Baker said the wide-ranging discussion actually stayed away from the idea that CIOs should run everything, and spent more time on what’s realistically possible.
“The underlying theme was the CIO is a business partner, because there is a business rationale for everything that needs to occur. That is why there was a lot of realism, especially when comparing the government to the private sector,” Baker said. “We started out explaining different drivers and why the CIO in government is not like a CIO in the private sector.”
Spires, who is the former Homeland Security Department and IRS CIO and now the CEO of Learning Tree International, also picked up on these similar themes.
He said the notion that FITARA is mainly about CIO authorities was overtaken by the reality of the CIOs’ need to have a highly collaborative relationship with other CXOs.
“The CIO needs to work with the CFO, the chief acquisition officer, the chief human capital officer and others as a team to drive forward this progress,” Spires said. “We talked a lot about how culturally CIOs can make this happen.”
GAO reported that participants highlighted the success of the TechStat programs to fix struggling projects and the Y2K initiative back in 1999 as examples of the type of collaboration that is needed more broadly.
“The forum participants pointed to the importance of the Office of Management and Budget and specifically, the role of the federal CIO, to help ensure effective IT governance,” the report stated. “They saw this role as continuing to grow in importance, noting for example, that the federal CIO has provided important leadership on cybersecurity, acquisition and operations initiatives.”
Spires said a second theme that came from the discussion about governance and collaboration was the importance of using cybersecurity as a wedge issue, not only to bring people together, but to create the urgency for IT modernization.
“It’s so important and it’s going to be something that will dominate agendas, especially at the secretary’s level. There was agreement that cyber is a way to modernize IT,” he said.
Baker said OMB took quite a bit of heat about what some say was a need to be more aggressive with FITARA oversight. Additionally, participants railed against the fact that the Defense Department was exempt from FITARA.
“There was a general consensus that half of the government is exempt from this and how can you do that?” Baker said. “The participants were like, ‘And don’t tell us that DoD doesn’t need this worse than everyone else.’ It was pretty interesting.”
During the day-long event, Reps. Will Hurd (R-Texas), the chairman of the Oversight and Government Reform subcommittee on IT, and Gerry Connolly (D-Va.), the ranking member of the subcommittee on Government Operations, both spoke at the forum and stayed to listen to the discussion.
Spires and Baker said they thought Hurd and Connolly’s participation was an important sign that they will continue their oversight of FITARA — a much-discussed mistake made back in the 1990s, when lawmakers dropped the ball with oversight of the Clinger-Cohen Act.
“The committee has been calling for increased accountability of agency heads since the last scorecard, and we are happy to see that many of our recommendations have been included in this summary of highlights from the forum,” Hurd said in a statement to Federal News Radio. “We will continue to hold agencies accountable with scorecard hearings to ensure that FITARA is implemented to the fullest extent possible and CIOs have the authority to properly execute their jobs. In addition, we must work with academia and the private sector to develop a pipeline of cybersecurity talent for agency IT jobs. That is the only way we can combat systemic government IT failures and improve efficiency long-term.”
To that end, many of the panelists agreed that more than just the agency CIOs need to be held accountable for FITARA.
Baker said there was broad agreement among the forum participants that bringing agency secretaries to testify would be a good way to further spur FITARA efforts.
“There would be 10 meetings held inside the agency to make sure the cabinet secretary will have right answers and if answers were not right, they will fix it before going to testify,” Baker said. “It’s that easy to get more attention to FITARA because there is nothing like looking bad in public.”
The goal, of course, is not to make any CIO or Cabinet secretary look bad in public, but rather to recognize and respect the role of the agency CIO to have the final say over IT investments and oversight over technology projects.
Spires said many of the forum participants agreed that the FITARA scorecard wasn’t measuring the right areas.
“You need to get measures and report on things that are talked about. Do you have the right governance model? Are you collaborating correctly across the organization? It’s less so about data center consolidation, which is important, but it’s more important to rationalize IT in the right way,” he said. “It’s about setting plans around doing that and executing those plans. Those notions were talked a lot about.”
It’s unclear what GAO will do with the information from the forum — there was no mention of it in the report. Hopefully, auditors will work with Hurd, Connolly and their staff members to improve the scorecard and other oversight mechanisms and the Trump administration’s new federal CIO —whoever that person ends up being — will apply some, or all, of the recommendations to their policy and operational initiatives.
“For me at VA, it was the law, but [former VA Secretary Eric] Shinseki made the difference,” Baker said. “People can find a way to get around the law, but it’s harder to get around the secretary. That is the kind of boss every CIO needs. Once in a while, a boss like that comes in and you see a difference. I think that did resonate with Hurd and Connolly. I got the sense that it’s definitely on their agenda to bring in CFOs or department secretaries or deputy secretaries so they understand the value of FITARA.”