The House Oversight and Government Reform Committee’s fourth hearing focusing on the implementation of the Federal IT Acquisition Reform Act (FITARA) revealed few details on why most agency grades stagnated or sagged.
Even the guests of the committee, Beth Killoran, the chief information officer of the Department of Health and Human Services, and Sheila Conley, the deputy CFO of HHS, didn’t face stiff questioning about why their grade has remained a D-minus the last two quarters.
But like the last few FITARA oversight hearings, there is plenty for CIOs, CFOs and other agency leaders to read between the lines.
Here are my three takeaways from the FITARA 4.0 hearing:
The first thing CIOs and their CXO counterparts should do as they prepare for the December scorecard is develop an inventory of all the software their agency is using on their network and develop a plan to consolidate, reduce and extract savings.
Lawmakers will add agency implementation of the Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act as part of the FITARA 5.0 scorecard. And if this past scorecard was any indication, few CXOs have started paying attention to the law.
President Barack Obama signed the bill in August 2016, requiring CIOs to be software sheriffs by developing an inventory of software licenses, tracking spending and finding opportunities for consolidations and savings.
The Government Accountability Office found in 2014 that agencies are struggling to manage software licenses and are not taking enough advantage of enterprisewide deals. In writing the MEGABYTE Act, lawmakers estimated agencies could save as much as $4 billion a year if they did a better job of managing and consolidating their software licenses.
For the latest scorecard, the committee offered a baseline set of grades and all but three agencies received an F, with the U.S. Agency for International Development and the General Services Administration receiving A’s, and the Education Department earning a C. If the committee included progress in implementing the MEGABYTE Act in this grading period, 21 agencies would have received F’s overall, as opposed to just one, the Defense Department.
“Eventually, what we want the FITARA scorecard to be is not just a scorecard on FITARA, but a scorecard on digital hygiene, and all the key elements of that legislation we had to pass in order to force to implement good digital hygiene, let’s look at all those in one metric and try to understand the state of hygiene at some of these agencies,” said Rep. Will Hurd (R-Texas), chairman of the IT subcommittee. “There is no excuse for agencies not to have an accurate inventory of the software licenses they have. That is basic IT management.”
Killoran said HHS is working toward meeting the requirements of the MEGABYTE Act.
“Over the last year, just in Microsoft alone, we had over 170 contracts that bought Microsoft products. As you go through them, you have to go through individual resellers,” she said. “To fix that problem, we are using the continuous diagnostics and mitigation capability so we can inventory ourselves.”
Killoran said this inventory capability will be in place by the end of 2017. She said HHS already has an inventory for hardware.
Conley said HHS recognizes the need to get control over software spending and a real opportunity to consolidate and have a better line-of-sight across the entire agency.
David Powner, the Government Accountability Office’s director of IT management issues, said it was difficult to explain why agencies are struggling with the MEGABYTE Act. He said when GAO issued a report in 2014, it found 20 of 24 agencies had only partial software license inventories.
“I think a key thing to why we don’t have complete inventories is the CIO authorities. I think there are pockets in these federated agencies where CIOs don’t have a good visibility to what’s going on,” he said.
The lack of software inventories is one of those problems many believe FITARA is expected to fix. Agencies have six months to make some progress.
Over the last 20 years, as federal employees have migrated to technology jobs, there has been only a high-level set of standards for what is required of the jobs — think 2210 series.
But few agencies have specific job descriptions and roadmaps for employees to move from beginner, to advanced, to expert in cyber or program management or systems engineering.
HHS decided to take on that challenge and now it could be a model for the rest of the government.
Killoran said HHS is building “true capability and roadmaps on competencies for each of these areas” for employees at the General Schedule 5 to Senior Executive Service that will include the types of skills and certifications needed for each position at each stage of their career.
“We have identified 25 different critical positions and have roadmaps for 11 of them,” she told the committee. “OMB and OPM have determined that this is a great model. We are helping the federal CIO workforce committee on this, and OPM is trying to adopt this model federalwide.”
Killoran said OPM is expected to release the first set of governmentwide IT position roadmaps in the first quarter of 2018.
HHS is in most need of cybersecurity, enterprise architecture and systems engineering skills. Killoran said HHS has about 1,400 positions in its IT shop, and a 30 percent vacancy rate.
Rep. Robin Kelly (D-Ill.), the ranking member of the IT subcommittee, said the White House’s reorganization plans and the hiring freeze were part of the reason for lower FITARA scores.
“Forcing across-the-board cuts to the workforce will make it more difficult to fulfill requirements,” she said.
Hurd added the challenge of finding enough qualified IT workers is why the idea of creating a cyber national guard appeals to him.
Hurd said after the Modernizing Government Technology Act passed the House, he would focus on legislation to have an on-call unit to address cyber attacks.
“The first step we have to do is identify what are our gaps across the federal government,” he said. “We don’t have common job descriptions within an agency, let alone across the government. We have to fix that problem first.”
Hurd said he hopes the new federal CIO will address the inconsistencies in the workforce job descriptions, as part of a 90-day sprint similar to what OMB did with the cyber sprint.
“That is critical to make sure, when we start building this cyber national guard, they have the credentials and skillsets necessary to put them immediately into the federal government,” he said.
A funny thing happened on the way to the hearing. Powner’s phone started ringing. And over the next 24-to-48 hours, more and more agencies called, asking his office for help to improve their scorecards.
Powner said in an email to Federal News Radio that nine agencies called as of the afternoon of June 16. Of those nine, seven saw their grades stay the same, one saw their grade improve and another saw their grade drop in the recent scorecard.
“The main questions were associated with the Hill’s methodology changes to the data center and incremental grades,” he said.
There were two big reasons for the calls to GAO. One is that CIOs saw the progress made by USAID, which earned an A-plus after receiving a D for the last three grading periods.
The other reason is the negative press that came from the scorecard’s release.
It seems the CIOs and their staffs see an opportunity to work with GAO to improve their standing.
Killoran said HHS, for example, is working on its data center consolidation and optimization efforts with GAO.
“One problem we have is around the savings. We are investing those, so we are working with GAO on how to capture those savings as we are reinvesting to show at least we did save them in these particular areas,” Killoran said. “We are getting ready to post an $85 million savings in data centers to the [Federal IT] Dashboard [June 13].”
HHS received an F grade on the most recent scorecard for its data center efforts.
Powner said the fact that nine agencies called GAO is a good thing and encouraged the committee to “keep pushing” to improve their oversight and management efforts.