CORRECTION: An earlier version of this story said State Department received a lower grade than they did. The story has been updated to reflect State’s accurate score.
The House Oversight and Reform Committee doesn’t plan to retire the data center category under the Federal IT Acquisition Reform Act (FITARA) scorecard after all.
The 14th version of the bi-annual grades released July 27 shows the committee will indeed retire the data center optimization category, but add a new one around data center consolidation. The committee is holding a hearing on Thursday about the results of the scorecard.
“From fiscal years 2016 through 2021, the Office of Management and Budget and agencies have reported on the closures of several thousand data centers and saved approximately $5 billion. However, as of July 2022, the Federal IT Dashboard reported over a hundred remaining planned data center closures between fiscal 2022 and 2025,” the committee wrote in the scorecard. “Before data center reporting requirement sunsets, demonstration that agencies have closed the maximum number of data centers possible is desired.”
The data center closure requirement is set to sunset Oct. 1, unless Congress extends it.
The decision to evolve the data center category comes after the committee and the Government Accountability Office signaled it was ready to sunset the category altogether during the FITARA 13 hearing.
In the meantime, Sen. Jacky Rosen (D-Nev.) plans to introduce the Federal Data Center Enhancement Act in the coming days that would require agencies to do more to secure their remaining data centers. The Senate Homeland Security and Governmental Affairs Committee plans to mark up the bill at its Aug. 3 business meeting.
The bill, according to a draft summary obtained by Federal News Network, would require OMB to develop minimum requirements for federal data centers related to cyber intrusions, data center availability, mission-critical uptime and resilience against physical attacks, wildfires and other natural disasters. The bill also would remove a provision in FITARA that requires agencies to focus on cost savings or cost avoidance through data center consolidation and optimization.
While Rep. Gerry Connolly (D-Va.), chairman of the government operations subcommittee and co-author of FITARA, hasn’t given up on pressing agencies to close more data centers, he is ready to wind up the CIO authorities category under the scorecard.
This one attempts to hold agencies’ secretaries and administrators accountable to ensure chief information officers have a “seat at the table” with other senior executives to influence and impact decisions.
“Of the 24 major agencies, 16 CIOs report to the head of their agency (or the deputy) and six CIOs have established agency policies that allow for direct reporting over some, but not all, IT decisions,” the committee wrote. “CIOs that do not report to the head of the agency weakens their ability to effectively manage IT. Given the history of federal IT failures, this is a concern.”
Only two agencies, from the departments of Justice and Labor, do not report directly to the secretary or deputy secretary.
The committee hasn’t said why it plans to sunset this category given 8 of 24 CIOs don’t have a direct report to agency senior leadership.
“As discussed during the January 2022 FITARA hearing, a variety of factors including changing data availability, agency resolve and an advancing IT landscape catalyzed the subcommittee to once more evolve the scorecard,” Connolly said at the hearing. “Since then, the subcommittee engaged a multitude of stakeholders and the Government Accountability Office to explore potential improvements to the scorecard’s data and methodology. These conversations have resulted in our latest effort to use the scorecard to incentivize agencies to advance their IT and acquisition priorities.”
Beyond the two category changes, the FITARA 14 scorecard shows a significant downward trend among eight agencies. Only one agency, the U.S. Agency for International Development, received an “A” grade, while the departments of Transportation and Defense dropped to “D+,” marking only the third “D” grades given since July 2020.
“Notably, many agencies’ grades were impacted by the removal of the data center optimization initiative methodology sunset and absence of available data for cybersecurity cross-agency priority goals,” the committee wrote. “If the same methodology from the prior scorecard had been used, four agencies’ grades would have increased and 20 would have remained the same.”
The committee said OMB stopped tracking the metrics under the Trump administration’s cross-agency priorities for cybersecurity. So instead, the committee relied solely on inspector general reports on the Federal Information Security Management Act (FISMA).
Based on the IG reports, 10 agencies received “F” grades for cybersecurity, while nine received “D” marks. In the December 2021 scorecard, no agency received an “F” grade and the committee handed out six “D” marks.
OMB spokeswoman Isabel Aldunate said in a statement that the Biden administration has made significant progress in transforming federal cybersecurity over the last year through the move to zero trust architecture and addressing long-standing problems.
“These grades for federal agencies are based on an outdated, compliance-oriented approach and no longer reflect the progress agencies have made, which is why we’re working with Congress to recommend an approach that reflects the rapidly evolving nature of the threats that agencies face,” she said.
Additionally, OMB is working with the Cybersecurity and Infrastructure Security Agency and the National Cyber Director in the White House to determine the cyber data can be published publicly without putting agencies at risk of exposing potential vulnerabilities.
The other reason for an agency’s scores is continued struggles with the transition to the Enterprise Infrastructure Solutions (EIS) contract.
The committee said seven agencies improved overall, but still handed out 11 “Fs” and three “Ds.”
This story will be updated.