Agencies Could Be Graded On More Than FITARA Under New Scorecard

As the government’s technology policies change, at least one lawmaker wants to ensure the tool Congress uses to make sure agencies comply also matures.

After the Federal Information Technology Acquisition Reform Act passed in 2014, lawmakers on the House Oversight and Government Reform IT subcommittee—including co-authors of the bill—wanted to ensure agencies were abiding by the new mandates. They have since issued five report cards, with five corresponding hearings. The reports have changed slightly over the years, such as the addition of a metric for managing software licenses as required by the Making Electronic Government Accountable By Yielding Tangible Efficiencies, or MEGABYTE, Act.

The library of IT legislation and guidance has grown over recent years, including the Modernizing Government Technology Act and creation of the Technology Modernization Fund Board; the new Centers of Excellence housed in the General Service Administration; new cybersecurity requirements; and the implementation of Digital Accountability and Transparency Act, or DATA Act, among others. Recognizing this, Subcommittee Chairman Will Hurd, R-Texas, wants to see the scorecard grow in kind.

“One of the things I want to do with the FITARA scorecard is transition it to a more of a digital hygiene scorecard,” Hurd said during a March 14 subcommittee hearing. “We have to continue to double-down on those issues [currently in the FITARA scorecard]. But, I think, being able to highlight at the macro level good digital hygiene is important.”

Currently, the scorecard grades agencies on compliance with the MEGABYTE Act, as well as four core principles that anchor FITARA. Agencies are given a letter grade based on whether CIOs are being granted new authorities as prescribed, the transparency and risk management efforts, accurate and timely reporting on IT projects, and data center optimization efforts.

Hurd took advantage of the hearing to ask Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communication at the Homeland Security Department, what additional metrics she believes should be added to the scorecard.

Manfra pointed to a Homeland Security binding operational directive requiring agencies to bring the time to patch vulnerabilities down to 30 days.

“In FY14, the average time to patch was somewhere in excess of 200 days for critical vulnerabilities, which is bad,” she said. “After the directive—and it continues, which shows how these things change behavior—we’re averaging in the 10 to 15 days. It’s helping them prioritize their very limited resources by focusing on known issues. And that’s what we want to continue to do.”

Hurd liked the idea, as it could be easily broken down into letter grades. He suggested patching within a week would garner an ‘A’—Manfra suggested 15 days should get an agency top marks—and all agreed 200 days or more would qualify as a ‘F.’

The congressman also asked whether penetration testing would make for a good metric, as many agencies say they are doing these tests but are really just doing perfunctory scans of their systems. Manfra said her office does not collect statistics on pen-testing at agencies but liked the idea of measuring it in the future.

A spokesperson for Hurd said conversations about what would be on a digital hygiene scorecard are in the early stages and a list of potential new metrics has not been created yet.

But while federal IT issues tend to be bipartisan, that doesn’t mean everyone is on board with changing the FITARA scorecard.

“The chairman talked about maybe broadening the FITARA scorecard at some point to a digital hygiene scorecard. I would be supportive of that once we make more substantial progress on implementation of what’s in front of us,” said Rep. Gerry Connolly, D-Va., who co-wrote FITARA with Rep. Darrell Issa, R-Calif. “Because we’ve seen some backsliding—DOD, the big kahuna, got an ‘F.’ So, we want to see more progress.”

Connolly noted that progress won’t come without leadership from the top, namely the Office of Management and Budget.

“It doesn’t matter whether it’s a Democrat or Republican administration, we want it to work,” he said.