Cyber Data Gaps Lower FITARA Scores
As federal agencies’ overall FITARA scores decline, the House Oversight and Reform Committee considers gaps in the scoring methodology and data.

Agency grades in the House Oversight and Reform Committee’s latest FITARA scorecard, which measures IT modernization initiatives, showed an overall decline compared to the previous edition, with shifting category measurements and a lack of cybersecurity posture data skewing grades lower than usual.
Compared to last December’s FITARA 13.0, the new scorecard released this week showed a decline in A and B ratings for agencies. Only one agency — the U.S. Agency for International Development (USAID) — maintained its A rating, and the number of B-rated agencies declined from 10 to seven. Eleven agencies received C+ grades, while the Treasury, Transportation, Defense, Homeland Security and Justice departments received C scores or below.
Of the 24 graded agencies, 15 remained unchanged in their scores, eight decreased and one increased.
During the committee’s FITARA hearing Thursday, Government Accountability Office IT and Cybersecurity Director Carol Harris said the sunsetting of the data center optimization initiative (DCOI) category — in which all agencies received As in FITARA 13.0 — was a significant factor.
Cyber categories across the board were also shaky, likely because of a shift in assessment methodology that reflects absent data relating to the president’s cybersecurity cross-agency priority (CAP) goals.
“What is new and must be dealt with is the lack of data transparency for agency cybersecurity performance,” Government Operations Subcommittee Chair Rep. Gerry Connolly (D-VA) said during the hearing. “The administration has only itself to blame for the grades we see in this metric today. The subcommittee looks forward to working with all stakeholders to populate the category with more robust data that captures federal agencies’ cybersecurity posture.”
Connolly said the subcommittee could only rely on Federal Information Security Management Act (FISMA) inspector general reports to grade the cyber category. Based on this one metric, the scorecard graded 10 agencies with Fs and nine with Ds. In December 2021, only six agencies received Ds in the cyber category, and none received Fs.
“The absence of cybersecurity CAP goal data is troubling, and OMB should take steps to remediate this gap immediately,” Harris said. “I think we all agree this category should be expanded to better address the ongoing and emerging challenges facing our nation, and we are working with your staff, with OMB and the agencies to identify data both public and sensitive to support a more comprehensive grade.”
The FITARA category assessing agencies’ progress transitioning to the Enterprise Infrastructure Solutions (EIS) telecommunications contract also hindered scores across the board. Although seven agencies improved overall in this category, 11 still received Fs and three Ds.
“Agencies don’t have a very good comprehensive inventory of their telecommunication services, so as they are transitioning and moving those services onto the new contracts, they could identify services that they didn’t even know they had, and that could incur a delay,” Harris said. “If there is a delay, then agencies will miss out on potential cost-savings because the services that are provided on the legacy have higher rates than the ones on EIS. … They could be missing out on hundreds of millions of dollars in savings.”
Some agencies are on their way to meeting the EIS deadlines. During the hearing, Environmental Protection Agency (EPA) CIO Vaughn Noga said his agency awarded the contract to transition to EIS in December 2021, and Defense Department CIO John Sherman said he is also meeting transition milestones.
“We’re going to get 80% by later this year, and 100% by next spring to round up all the contracts we have and get onto the new GSA platform for that,” Sherman said.
The subcommittee also plans to revise category assessments and methodology. All but two agencies — Labor and Justice — met the FITARA requirement for CIOs to report directly to their respective secretary or deputy secretary, so Connolly may sunset this category.
“When the subcommittee first added the CIO reporting structure metric to scorecard 3.0, 12 CIOs had no reporting relationship to the secretary or deputy secretary of their respective agencies,” Connolly said. “Today, 16 CIOs have direct reporting relationships, six have partial direct reporting relationships, leaving only two CIOs with no direct reporting relationships.”
Although the DCOI category sunset in FITARA 14.0, agencies and the subcommittee are still focused on data center consolidation.
“The EPA has successfully consolidated EPA data centers and localized computer rooms,” Noga said during the hearing. “In the past four years, the agency established enterprise cloud environments with two commercial cloud providers to help further expand virtualization and the cloud smart strategy. We are reaping the benefits of cloud computing capabilities, improving our agility, performance and consistency with application deployments.”
The subcommittee will continue to iterate on FITARA methodology in upcoming scorecards, which are released biannually.