Lawmakers look to expand FITARA oversight

House legislators are considering how to inject new oversight categories into the Federal IT Acquisition Reform Act (FITARA) scorecard to monitor agency IT performance, including firmer definition of data centers and possibly high risk.

All two dozen agencies on the Government Operations subcommittee of the House Committee on Oversight and Reform's FITARA scorecard had passing grades for the first time. The subcommittee released its tenth FITARA scorecard on Aug. 3.

That progress, said subcommittee Chairman Rep. Gerry Connolly (D-Va.), "is a testimony to the hard work by agency CIOs and steady bipartisan oversight."

Agencies showed improvement with A grades for the General Services Administration and the U.S. Agency for International Development, nine Bs, and 14 Cs. There was also significant progress on one what had been a significant issue in the past, software licensing. All agencies on the list, with the exception of the Office of Personnel Management, received an A grade.

The report card, said Subcommittee Chairman Gerry Connolly, needs to evolve. Connolly noted the inclusion of a list of agencies' transition efforts for the General Services Administration's next generation Enterprise Infrastructure Solutions (EIS) telecommunications contract.

The list didn't come with a grade like the other formalized categories, said Connolly, who suggested it might become one in future report cards.

Rep. Gary Palmer (R-Ala.) asked witnesses about adding a potential supply chain security to the report card. Palmer asked for estimates on how much it would cost the federal government to shift away from Chinese-made IT gear, as has happened with subscription drugs. He also floated the idea of including a category grading agency efforts to protect their IT supply chains.

An earlier change the Office of Management Budget (OMB) made to its definition of data center last summer was also discussed at the hearing. OMB tweaked what it considered a data center under its data center optimization policy that left some smaller centers out.

That change, testified Carol Harris, director, IT Management Issues at the Government Accountability Office left out some data center facilities and opened them to cyberthreats.

"Once those are dropped, agencies stop paying attention to them," creating a potential cybersecurity gap, said Harris.

Deputy Federal CIO Maria Roat said the change was made to winnow out some facilities that weren't necessarily data centers. In making the change, OMB was working to align federal definitions with industry standards, according to Roat. "A router and a switch in a closet" somewhere in an agency, she said, isn't really a data center, since it contains communications gear.

Roat said that overall modernization efforts at agencies and addressing cybersecurity practices across agency enterprises can address risks in such systems.

Connolly told Roat he expects a firm definition of what a data center is from OMB. "We want a robust definition of a data center," he said. Shutting down data centers can save agencies money if they know what they are, said Connolly.

This article was updated Aug. 5 to reflect a correction in the FITARA scorecard made by the Government Accountability Office that changed USAID's overall FITARA score to an A.