A Commentary from Federal Business

An Insider’s Look at VA’s FITARA 15.0 Scorecard

by | Jan 3, 2023

The Federal Information Technology Acquisition Reform Act (FITARA) is an act that was passed in 2014 with the aim of improving IT acquisition processes across Federal agencies. Its goal is to ensure that agencies have effective oversight over their IT investments and are spending wisely on technology initiatives. For years, the Congress has released two scorecards per year grading Federal agencies’ Information Technology (IT) performance with the objectives to reduce costs, promote better cybersecurity, enhance IT performance, and improve customer service across the Federal government.

The most recent scorecard, FITARA 15.0, was released by the House Oversight and Reform Committee on December 15, 2022. The grading categories on the scorecard are: CIO Authority Enhancements (Incremental Development); Enhanced Transparency and Risk Management; Portfolio Review; Data Center Consolidation (Future Closures); Modernizing Government Technology (MGT) Act; Cybersecurity; Progress in transitioning to the General Services Administration’s Enterprise Infrastructure Solutions (EIS) communications services contract.

Below are the FITARA grades for the Department of Veterans Affairs (VA) Office of Information and Technology (OIT). The rows are: “WAS” – grades given in the last FITARA scorecard from July 2022, “IS” – grades given in the latest FITARA rating December 2022. I added an additional row labeled “SHOULD BE” – representing grades I feel VA/OIT currently deserves and then explain my rationale for each score.

FITARA 15.0 Scorecard

Agency CIO Authority Enhancements grade: Was: B. Is: A. Should be: B. FITARA assesses the degree to which agencies are using incremental or “Agile” modernization approaches, particularly in software development, rather than the poor performing “big-bang” approach. VA’s score improved from a “B” in July 2022 scorecard to a “A” in the latest FITARA scorecard. VA’s current “A” grade for incremental/Agile development is about right for new VA software development efforts. However, if the scorecard considered how VA’s legacy systems and infrastructure modernization efforts are managed, then VA’s grade would be lower since most legacy projects are still measured in a cost, schedule and risk compliance model rather than treated as agile product developments measured by time-to-value outcomes for Veterans. VA’s grade should be a “B”.

Transparency and risk management grade: Was: B. Is: B. Should be: C. This FITARA grade is based on project cost, schedule, and performance variance data reported by VA/OIT to the Office of Management and Budget (OMB) and reflected in the Federal IT Dashboard. In this latest FITARA 15.0 scorecard, VA remained at a “B” grade. VA/OIT has done an excellent job allocating and tracking IT infrastructure investments through a Technology Business Management (TBM) framework which should be a contributing factor in its score. However, the cost and schedule variance data that VA/OIT uploads to OMB are predominately project estimates made by VA managers and their supporting contractors who have a vested interest in the reported data. VA/OIT should adopt story points and other Agile-based methods to estimate costs in a more iterative collaborative approach than using traditional waterfall-based estimation techniques. VA’s grade should be a “C”.

Portfolio Review Savings: Was: D. Is: D. Should be: C-. The “D” grade given to VA/OIT in FITARA 15.0 is unchanged from the “D” grade received in July 2022. This grade is given based upon the degree to which VA/OIT has been successful in driving down costs by finding unnecessary or duplicative IT spending and improve agency processes to drive mission and customer-focused IT solutions. This “PortfolioStat” has historically been focused IT commodities purchases such as internet, mobile phone, and other infrastructure products. In VA, the CIO’s spending oversight, active governance processes, dedicated work by VA/OIT’s Office of Strategic Sourcing, and thorough IT cost allocations through the Technology Business Management (TBM) framework are all best practices which root out duplicative and wasteful spending. VA/OIT should be recognized and given credit for these Portfolio Review accomplishments. On the other hand, VA/OIT is lagging in its adoption of modern and available COTS products and continues to rely on tech-debt-laden legacy “home brew” solutions in critical areas such as identity. VA’s grade here should be “C-“.

Data Center Optimization and Consolidation: Was: A. Is: A. Should be: C. VA’s A grade for data center optimization and consolidation is moot since a) the calculation was based on VA’s plan for data center closures beyond Oct 2022 and b) the definition of a “datacenter” by OMB does not fully consider the mission critical need for edge computing located in VA’s vast system of medical centers and clinics. Having said that, VA/OIT still needs to continue its consolidation and improve its environmental facility management of all its datacenters. I give VA a “C” grade.

Modernizing Government Technology: Was: D. Is: D. Should be: A. VA/OIT again received a “D” grade in FITARA 15.0. A “D” grade for VA modernization should be reconsidered. VA is undertaking a series of enterprise-wide modernization programs. It is simultaneously modernizing its electronic health record (EHRM), its financial systems Financial Management Business Transformation (FMBT), its human resource systems (HRSmart), and its supply chain systems (SCM), not to mention digging out from under a mountain of technical debt, aggressively moving to the cloud, and improving the Veteran experience with VA.gov. Each one of these VA modernization efforts is massive in size, scope, and complexity. VA is arguably modernizing too much simultaneously. The argument that VA deserves a “D” because it does not use much of the Modernizing Government Technology (MGT) Act Working Capital Fund is weak because VA has its own internal Franchise Funds which can be used for the same purpose and because, unlike most other agencies, VA’s IT budget is directly appropriated and overseen by Congress. VA deserves an “A” grade.

Cybersecurity: Was: F. Is: D. Should be: D. In this latest FITARA 15.0 scorecard, VA’s cyber grade improved to a “D” due to factors such as changing the scoring methodology. OMB changed its focus from measuring cybersecurity through the lens of cross-agency priority (CAP) goals and instead relied on inspector general reports and progress with Executive Orders which is a vague scoring approach. Having said that, I believe that VA’s current Chief Information Security Officer, Lynette Sherrill, is making structural improvements in VA’s cybersecurity management and staffing which substantiates the improved score. To receive an A score, VA must a) aggressively move to a zero-trust architecture by adopting private sector COTS zero-trust and identity solutions across the enterprise, b) fund and improve its observability over critical systems, and c) deal with its “Internet of Medical Things” cyber weaknesses. VA deserves a “D” grade.

Transition off Networx: Was: C. Is: F. Should be: F. The metric for this grade was changed to a pass/fail in FITARA 15. Each agency is now measured by whether it has moved at least 90% of its telecom services off the old General Services Administration (GSA) Networx telecommunications contract to the new GSA Enterprise Infrastructure Solutions (EIS) contract. VA/OIT has made steady progress but could and should accelerate its efforts to meet the 90% goal. The grade should be a “F”.