The Federal Information Technology Acquisition Reform Act (FITARA) was passed by Congress in December 2014. Since November 2015, the Government Accountability Office (GAO) has released two scorecards per year grading Federal agencies’ Information Technology (IT) performance. The objectives of the scorecards are to reduce costs, promote better cybersecurity, enhance IT performance, and improve customer service across the Federal government.
The most recent scorecard, FITARA 14.0, was released by the House Oversight and Reform Committee on July 28, 2022. The seven active grading categories on the new scorecard are: 1) CIO authority enhancements; 2) Transparency and risk management; 3) Portfolio review; 4) Modernizing Government Technology (MGT) Act; 5) Cybersecurity; 6) Progress in transitioning to the General Services Administration’s Enterprise Infrastructure Solutions communications services contract; and 7) whether the CIO reports to the agency head or deputy. Upcoming legislation will likely remove the FITARA grading categories relating to data center optimization and consolidation.
Below are the FITARA grades for the Department of Veterans Affairs (VA) Office of Information and Technology (OIT). The rows are: “WAS” – grades given in the last FITARA scorecard from December 2021, “IS” – grades given in the latest FITARA rating July 2022. I added an additional row labeled “SHOULD BE” – representing grades I feel VA/OIT currently deserves.
Agency CIO Authority Enhancements grade: FITARA assesses the degree to which agencies are using incremental or “Agile” modernization approaches, particularly in software development, rather than the poorly performing “big-bang” approach. VA’s score dropped from an “A” in the December 2021 scorecard to a “B” in the latest FITARA scorecard. VA’s current “B” grade for incremental/Agile development may be about right for new VA software development efforts. However, if the scorecard considered VA’s legacy systems and infrastructure modernization efforts, then VA’s grade would decline, since most legacy projects are still measured in a cost, schedule and risk compliance model rather than treated as agile product developments measured by time-to-value outcomes for Veterans. VA’s grade should be a “C”.
Transparency and risk management grade: This FITARA grade is based on project cost, schedule, and performance variance data reported by VA/OIT to the Office of Management and Budget (OMB) and reflected in the Federal IT Dashboard. In this latest FITARA 14.0 scorecard, VA moved up to a “B” grade. VA/OIT has done an excellent job allocating and tracking IT infrastructure investments through a Technology Business Management framework which should be a contributing factor in the upgrade to a “B” score. However, the cost and schedule variance data that VA/OIT uploads to OMB are predominately project estimates made by VA managers supported by contractors who have a vested interest in the reported data. VA/OIT should adopt story points and other Agile-based methods to estimate costs in a more iterative collaborative approach than using traditional waterfall-based estimation techniques. VA’s grade should be a “C”.
Portfolio Review Savings: The “D” grade given to VA/OIT in FITARA 14.0 is unchanged from the “D” grade received in December 2021. This grade is given based upon the degree to which VA/OIT has been successful in driving down costs by finding unnecessary or duplicative IT spending and improving agency processes to drive mission and customer-focused IT solutions. This “PortfolioStat” has historically been focused on IT commodities purchases such as internet, mobile phone, and other infrastructure products. In VA, the CIO’s spending oversight, active governance processes, dedicated work by VA/OIT’s Office of Strategic Sourcing, and thorough IT cost allocations through the Technology Business Management framework are all best practices which root out duplicative and wasteful spending. VA/OIT should be recognized and given credit for these Portfolio Review accomplishments. VA’s grade here should be “B”.
Data Center Optimization and Consolidation: This grade for data center optimization and consolidation will be retired from the FITARA scorecard since all agencies have made significant progress. Having said that, VA/OIT still has a lot of work to move workloads out of small/medium-sized datacenters into large datacenters or into the VA Enterprise Cloud. Since these categories will be retired, I give VA no grade.
Modernizing Government Technology: VA/OIT again received a “D” grade in FITARA 14.0. A “D” grade for VA modernization should be reconsidered and dramatically improved. VA is undertaking a series of enterprise-wide modernization programs. It is simultaneously modernizing its electronic health record (EHRM), its financial systems (Financial Management Business Transformation, FMBT), its human resource systems (HRSmart), and its supply chain systems (SCM), not to mention digging out from under a mountain of technical debt, aggressively moving to the cloud, and improving the Veteran experience with VA.gov. Each one of these modernization efforts is massive in size, scope, and complexity. VA is arguably modernizing too much simultaneously. The argument that VA deserves a “D” because it does not take advantage of the meager Technology Modernization Fund (TMF) is weak. The size of VA/OIT’s Congressionally appropriated budget and the use of VA’s own internal franchise fund make the TMF a moot point. VA deserves an “A” grade.
Cyber: In this latest FITARA 14.0 scorecard, VA’s cyber grade moved down to an “F” due to many factors, many of which were included in the Office of Inspector General (OIG) June 7, 2022 testimony before the Technology Subcommittee of the House Veterans Affairs Committee. While I disagree with some of OIG’s technical assertions, the OIG appropriately summed up VA’s cyber situation: “The recurrence of IT security concerns indicates the need for vigilance, and VA’s incremental improvements are not enough to effect meaningful change. Until proven processes are in place to ensure adequate controls across the enterprise, VA’s mission-critical systems and sensitive veterans’ data remain at risk.” In addition, VA must improve its ability to keep pace with evolving cybersecurity threats through the use of private sector innovation and Commercial Off-the-Shelf (COTS) products and technology. Fortunately, the current leadership within the VA/OIT’s Office of Information Security is entirely capable of addressing these shortcomings and the personnel issues that underlie them. The “F” grade is appropriate but is on a path to be improved.
Transition off Networx: This grade measures the progress made by agencies to transition off the old General Services Administration (GSA) Networx telecommunications contract to the new GSA Enterprise Infrastructure Solutions (EIS) contract. VA/OIT has made steady progress transitioning hundreds of thousands of telephony endpoints, circuits, and WAN/LAN components, both technically and contractually, to the EIS contract. To reflect VA/OIT’s competent management of this large and largely unrecognized modernization effort, the grade should be a “B”.
CIO’s Boss – head or deputy: This grade assesses the Chief Information Officer (CIO) role in federal agencies and the degree to which the CIO has a seat at the management table and reports to the head or deputy of the agency. The VA CIO reports directly to the Secretary of the VA and has the authority and policies in place to be able to properly perform the role. The grade for this category is unchanged with a “Y” for yes.