Agencies still adjusting to FITARA

Agencies consistently underreport IT project funding, according to a recent oversight report, but progress is being made.

Implementing the Federal IT Acquisition Reform Act is demanding for agencies, according to experts and even the Office Management and Budget.

"Not too surprised at the finding," former Federal CIO Tony Scott said in an email to FCW.   "We knew that it would take a couple of budget cycles to get this problem corrected, and happy to see [the Government Accountability Office] pointing out the issue."

According to the new report, most of the reporting processes at the 22 agencies GAO monitored do not fully satisfy the OMB requirements that the CIO review and approve IT acquisition plans or strategies, or that the CIO participate in a governance process that reviews and approves IT acquisition plans and strategies.

The report said four basic factors were at play in the non-compliant reviews: noncompliant processes, improper delegations, approvals through acquisition documentation other than that specified by OMB  and undocumented approvals.

The audit cited the National Science Foundation and the Small Business Administration, as examples of agencies that have completely met OMB's requirement that agency CIOs review and approve each IT acquisition plan.

It said the department of Housing and Urban Development was an example of agencies that partially meet OMB's requirements for the CIO to review a subset of IT acquisitions over $500,000. It also said HUD delegated approval authority to deputy CIOs and others within the Office of the CIO, which hasn't been approved by OMB.  

The Department of Veterans Affairs, according to the report, does not yet have a process in place that satisfies OMB's requirements, but officials in VA's Office of Information and Technology stated that they are currently developing processes and procedures necessary to implement FITARA accountability and responsibilities for IT acquisitions. While the agency did not submit a documented time frame for its plans, the report said, VA officials said that they're aiming to implement the new process by the second quarter of fiscal year 2018.

In comments attached to the report, some agencies pushed back on some of GAO's recommendations and assessments of their policies. Some said they had processes in place that accomplish the same goals as OMB's guidance or were working to address the watchdog agency's recommendations.

For instance, the Department of Education told GAO that it has an internal policy in place that specifies CIO review and approval of IT acquisition strategies and plans as part of his review and approval of IT investments. Another policy calls for a statement-of-work review that adds increased rigor to the CIO's review and approval by requiring all acquisitions with IT elements to be submitted for Office of the CIO review.

In remarks to GAO for the report, OMB's liaison didn't agree or disagree with the audit's findings, but said improving coordination and collaboration between CIOs and chief acquisition officers is critical. The OMB official told GAO that such collaboration represented a "significant cultural shift for most agencies."

Rich Beutel, a former senior staffer on the House Oversight and Government Reform Committee who helped draft FITARA, told FCW that while he hadn't read the GAO report in full, the implementation model for FITARA is "rigorous." He said there has been concern at agencies that FITARA could become another rote compliance exercise, potentially blunting some of its effectiveness.

OMB's liaison noted that its Office of Federal Procurement Policy and Office of the Federal CIO are working closely with agency chief acquisition officers and CIOs through the CIO Council and CAO Council to discuss practices that agencies have found helpful in achieving this cultural change.

Scott said he hopes the report will help frame the issues for the various congressional oversight committees to be able to hold relevant agency leadership teams accountable.

"It is an issue way beyond the CIO's sole responsibility," said Scott. "The administration (through OMB) should also do a review of agency compliance during the regular agency review processes."