The cyber scores were unreliable due to incomplete data, witnesses told lawmakers.
Two things can be true about the 14th Federal Information Technology Acquisition Reform Act (FITARA) scorecard at the same time: Many federal agencies are struggling to achieve their IT goals, and the removal of certain methodologies and a lack of available data impacted scores.
The House Oversight Committee discussed the latest scores on Thursday morning as grades were released for the 24 agencies featured in the biannual scorecard tracking progress on IT modernization efforts and federal cyber priorities. Only one agency earned an overall “A” grade, as eleven agencies received a "C+" score and seven landed in the "B" range. Eight agencies saw their scores decrease, while 15 remained unchanged.
Chief information officers testified the vast majority of agencies suffered low or failing marks in the cyber category in part due to a lack of available data for cybersecurity cross-agency priority goals. The latest scorecard relied on incomplete data from inspector general reports as the Office of Management Budget has failed to track the metrics since the previous White House administration.
“I want to be real clear: The issue isn't the scorecard, the issue is the data provided in order to have a score,” Rep. Gerry Connolly (D-Va.), chairman of the Subcommittee on Government Operations and an original co-sponsor of the FITARA legislation, said at the hearing. “One of the consequences, unfortunately, for the lack of data from OMB was that we had to rely only on the IG data, which is not complete.”
“As a result, every agency took a hit in the score,” he added. “But it wasn't because there was a flaw in the design of the scorecard – it was because of a lack of compliance with the data.”
Government Accountability Office Director of IT and Cybersecurity Carol Harris agreed with those remarks and noted that the rest of the scorecard reflected an accurate representation of how agencies were progressing across categories like transparency and risk management, agency CIO authority enhancements, modernizing government technology, the transition off Networx and portfolio review savings.
“I think that the challenge in this particular iteration is with cyber, because there is only one metric available for us to utilize,” she said. “I do believe that is not an accurate reflection of where agencies are at with cyber.”
Defense Department CIO John Sherman defended his agency after it received one of the lowest marks out of the entire scorecard, telling the committee: "We are better than the D+ we have on this scorecard."
Defense earned "D" scores for its agency CIO authority enhancements and portfolio review savings, and was the only agency to receive an incomplete mark for the cyber category.
OMB "acknowledged mistakes" and agreed to work with the committee, Connolly said, hinting at a September hearing featuring the agency's CIO to establish deadlines and ensure committee staff had the necessary data for the next iteration of the scorecard.
Harris and the panel of CIOs also offered recommendations for the next iteration of the scorecard throughout the hearing, including adding categories to track progress on the transition away from legacy systems. The committee also detailed a new data center consolidation methodology after previously announcing plans to sunset the Data Center Optimization Initiative methodology.
"It is time to shift this metric to make it more focused and relevant," Connolly said. "While all agencies achieved their self-determined federal data center closures, a small handful of agencies have yet to complete their planned closures—even though we are rapidly closing in on the already twice extended consolidation reporting requirement date."
The chairman added that the goal of the new metric is to "ensure agencies think strategically about their costly data center use" and "incentivize the closure of underutilized data centers."
The committee has credited the scorecard with saving taxpayers an estimated $24 billion since it was first released in November 2015, helping agencies reduce wasteful spending while tracking progress and providing accountability on government-wide IT performance and cyber posture.