Editor’s Note: This story has been updated to reflect that the Government Accountability Office unintentionally miscalculated the U.S. Agency for International Development’s Federal Information Security Management Act (FISMA) grade. USAID actually received a B in the FISMA metric, meaning it kept its overall A grade — rather than falling to a B.
Most agencies’ Federal Information Technology Acquisition Reform Act (FITARA) scorecard grades remained unchanged through the start of the coronavirus pandemic, which has forced them to accommodate an increasingly remote workforce.
Of the 24 Chief Financial Officers Act agencies, 14 maintained their grades, seven improved them and three saw downgrades — including the Department of Education, which had its exemplary A+ December mark reduced to a B+ — on the biannual House Oversight Committee scorecard, which Congress uses as a measure of federal digital hygiene and compliance with IT reform laws.
It was the first FITARA scorecard in which there were no agencies with failing grades, according to lawmakers.
A theme of the pandemic has been agencies accelerating IT modernization efforts as they shift to a remote work environment.
Rep. Gerry Connolly, D-Va., said in his opening statement at a House Oversight Subcommittee on Government Operations hearing on the scorecard: “At the very first FITARA hearing a witness stated that ‘IT is no longer just the business of the CIO. Rather, IT is everybody’s business.’ Never has this been clearer than in the wake of the coronavirus pandemic, where IT has saved thousands of lives by enabling people to telework and keep the government and the economy running while preserving their own health and safety and that of their loved ones. We have seen firsthand how the agencies that continued to use outdated IT during the pandemic prevented the delivery of government services when the public needed them the most. IT is truly everybody’s business.”
Cameron Chehreh, vice president of presales engineering at Dell Technologies Federal, told FedScoop this makes sense as everyone is “moving into this remote, virtual desktop environment, which now maybe the people who before were going to be laggers — they’ve now become leaders in doing so.”
Cybersecurity grades have remained low since December: the Nuclear Regulatory Commission received the only A; the General Services Administration, National Science Foundation and U.S. Agency for International Development got Bs; 14 agencies got Cs; three got Ds; and the departments of Commerce and Energy earned Fs. The Department of Defense was not scored.
U.S. adversaries have at least tripled their potential cyberattacks in an effort to capitalize on pandemic-caused IT adjustments, and agencies have done a “great job” continuing to operate given the circumstances, Chehreh said.
“There might be some areas where there are dips in the scorecard, but I think it’s a factor of policy not being able to catch up,” he said. “Generally speaking, the government has been preparing for this remote workforce solution, and cyber has always been the underpinning of every solution that they look at for a remote workforce down to device security; software-defined networking to micro-segment networks, so that you can reduce the attack surface; two-factor authentication; and the use of strong encryption everywhere.”
One agency that has been in the limelight since the start of the pandemic is the Small Business Administration, which had IT issues with its loan portals while accepting applications for economic relief. While SBA’s overall B+ FITARA grade remained unchanged since December, its C grade in portfolio review dropped to a D, and its D grade in cyber improved to a C.
While the exponential increase in loan applications SBA has received since the start of the pandemic revealed weaknesses with its E-Tran loan system, built for 20 to 30 years of “predictable” business operations, cyber hygiene is all about an agency’s “best effort,” Chehreh said.
The other agencies whose overall FITARA grades took a hit were the Department of Homeland Security going from a B to a C and the Department of Veterans Affairs going from a B+ to a C+.
GSA managed to keep what is now the only A+ grade. The agency can serve as a model for the others, and the Chief Information Officers Council is doing a “good job” sharing best practices to that end, Chehreh said.
“When you think of the current environment we’re under with COVID, we migrated almost the entire government to a remote workforce solution in literally less than four weeks,” he said. “And I think that’s a testament to the great work that the government has been doing — not only to improve the FITARA scorecard scores — but to annually implement the spirit behind FITARA, which really is IT modernization.”
Also of note, this scorecard is the first to track agencies’ transition from the preceding Networx vehicle to the $50 billion Enterprise Infrastructure Solutions telecommunications contract. Included only as a preview, the new category shows agencies’ progress but did not affect scores this time around.
Several federal CIOs are testifying during Monday’s Oversight Committee hearing, including Deputy Federal CIO Maria Roat, Office of Personnel Management CIO Clare Martorana and Education Department CIO Jason Gray.
“With the coronavirus resurging as states pursue reopening, the stakes for effectively implementing FITARA are higher than ever,” Connolly said. “When executed well, government IT modernization can ensure the efficient delivery of critical services, improve the government’s knowledge and decision-making, and save lives. When executed poorly, it can lead to outright failures in serving the American people when they need the government the most. Simply put, the fate of the world’s largest economy rises and falls with the ability of government IT systems to deliver in an emergency.”