The keys to the law's success are identifying and mitigating the risks to its implementation, especially in light of the upcoming presidential transition.
The Federal IT Acquisition Reform Act is the first major legislation that can fundamentally alter how IT is managed since the passage of the Clinger-Cohen Act in 1996. Those of us who care deeply about how effectively and efficiently the federal government operates believe improving IT management is foundational, and we see FITARA as the potential catalyst for driving that improvement.
There is certainly progress to celebrate — from the passage of FITARA itself and the Office of Management and Budget's implementation guidance to the plans agencies have crafted and the poor (but largely accurate) agency grades issued by Congress. All of that is well documented, and many leaders have worked diligently to get us to this point, including a number of agency CIOs; U.S. CIO Tony Scott and his staff; Reps. Gerry Connolly (D-Va.), Darrell Issa (R-Calif.), Will Hurd (R-Texas) and Mark Meadows (R-N.C.); Sens. Jerry Moran (R-Kan.) and Tom Udall (D-N.M.); and the lawmakers' staffs.
Change is difficult for any bureaucracy, and it is fair to say that sustained change is especially difficult in the U.S. federal government, one of the largest bureaucracies in the world. That is certainly the case for an initiative that takes four to five years to yield demonstrable and significant benefits for agency operations. So while I applaud the progress, I am concerned about our government's ability to sustain the leadership required to drive this change, particularly as we enter the last year of the Obama administration.
Therefore, like any good program manager, we should identify our risks and develop plans to address them. Here is my take on the major risks and associated mitigation steps to help ensure FITARA's success.
Risk 1: The government loses momentum on FITARA implementation during the presidential transition. To avoid having good processes wiped out when new leaders arrive, two mitigation steps should be taken. First, lawmakers who have shown leadership on FITARA must keep up the pressure as the new administration takes shape. I have been pleased to hear that Connolly and Hurd plan to do just that, and I hope other congressional leaders will join them.
The second step is to establish as much of the FITARA infrastructure as possible this year. New policies should be drafted and approved that codify the tenets of FITARA at each agency. The governance frameworks, budget review processes, delegation authority and other elements should be established and operational so that new leaders will have little incentive to make changes in IT management but will instead use what is already in place to support their agendas.
Risk 2: FITARA becomes a compliance, check-the-box exercise. Like many laws before it, FITARA's intent is good, but its execution by a bureaucracy over time can build a rigid artifice that shifts to rote compliance. The Federal Information Security Management Act's intent to improve the government's IT security was admirable, but 10 years later, it was a constraining compliance exercise that had little correlation with agencies' overall IT security.
For FITARA, it is imperative that OMB, individual agencies and Congress maintain the view that the law is about improving IT management so that an agency's mission and business can be executed more effectively and efficiently. Implementing, monitoring and measuring the impact of FITARA should be revisited regularly — perhaps every two years — to keep it fresh and appropriate, particularly given the rapid changes in technology and the IT market.
Risk 3: We lose patience with FITARA. It takes four to five years of sustained management effort to make significant positive change in IT at a large federal agency. Although I get excited about such change, I recognize that most people view improvements in IT management disciplines as downright pedestrian. However, the focus on better governance, staff development, enterprise architecture, project and program management, and budget planning are foundational to success in delivering services to government customers.
To maintain that focus and not lose patience, I recommend a scorecard for agencies that is more expansive than what Congress has implemented. It should measure three things at each agency: the maturity of the IT management process, IT performance outcomes that can be benchmarked, and agency mission effectiveness and efficiency outcomes that are affected by IT systems performance.
If implemented well and used to hold agencies accountable, that type of scorecard would keep agencies' focus where it needs to be and show sustained progress over time. For instance, within a year or two, agencies could make significant improvements in process maturity, which would lead to better IT performance outcomes in years three and four and ultimately have a positive impact on agencies' effectiveness and efficiency.
None of the mitigation steps outlined above are particularly difficult, but the key will be sustained commitment on the part of administration and congressional leaders to see FITARA through the next five years.