What To Expect From Future FITARA Scorecards


GAO’s FITARA scorecard lead offers some insight into potential additions—and subtractions—from the biannual federal IT report card.

The scorecard developed to mark agencies’ progress conforming to the Federal Information Technology Acquisition Reform Act, or FITARA, has evolved over the years to become a barometer for how well agencies are adopting modern IT practices and complying with Congressional mandates and administration policies.

Those changes will only continue, according to Kevin Walsh, a Government Accountability Office analyst who assembles the data that goes into the scorecard.

“Federal IT is a continuously evolving and changing landscape. It’s like cybersecurity: You’re never done with cyber,” Walsh said Wednesday during a FITARA-focused event hosted by ACT-IAC. “I don’t know that we’ll ever be done with the empowerment of our CIOs.”

Walsh added a caveat to all of his remarks: He does not have a crystal ball, and all decisions on how agencies are scored and by what metrics are made by the House Oversight Subcommittee on Government Operations, not GAO.

The scorecard has undergone a number of revisions since it was first issued in November 2015, when there were only four categories: data center consolidation, IT portfolio review savings, incremental development and risk assessment transparency.

As of the eighth scorecard released in June, there were eight categories, including the original four, plus software licensing, confirmation on whether the chief information officer reported directly to the department head, and compliance with the Modernizing Government Technology, or MGT, Act and Federal Information Security Management Act, or FISMA. Even those have undergone recent changes.

For instance, the incremental development category was originally based on whether agencies released code every six months. But that wording was problematic.

Maria Roat, CIO of the Small Business Administration, said her employees looked at that metric the first time around and immediately checked “no,” confirming their agency did not release on a six-month schedule. SBA’s shop releases new code every two weeks.

That metric was updated for the eighth scorecard to “reward agencies for using iterative, agile and incremental development,” according to Walsh. That metric will likely change again by the next scorecard, he said.

“If you look at OMB’s recently released capital planning guidance—which came out shortly after the last hearing—the field that we used to do this is going away,” Walsh explained. “I think the Hill will try to keep things as close to the existing methodology as possible. But I don’t know how that will change. I’m going to come up with some options to give to the Hill. Then, what they ultimately choose will be up to them.”

But before another change for incremental development, Walsh expects data centers to be the focus of the next scorecard alteration.

After the administration changed its data center policy to focus on optimization, the government operations subcommittee, which releases the scorecard, wasn’t sure how to treat that metric in the eighth iteration.

“We’re nervous ‘optimization’ gives a lot of wiggle room,” Subcommittee Chair Gerry Connolly, D-Va., said during the scorecard hearing June 26. “You’ve used this weaker word, ‘optimization,’ which doesn’t really require me to do something specific. … My experience is sometimes you’ve got to give very clear direction and set very explicit metrics in order to accomplish something.”

For the eighth scorecard, GAO included a grayed-out column for data center closures and offered two grades for four agencies, depending on whether their data center scores were included.

Walsh said GAO and Congress will have to figure out what to do with that metric before the ninth scorecard is released.

“This next go-round, data centers will have to change,” he said Wednesday. “The time after that, I suspect, incremental will have to change, as well.”

Potential additions in the near future might include compliance with the 21st Century Integrated Digital Experiences Act, or IDEA Act, and proposed updates to the Federal Risk and Authorization Management Program, or FedRAMP.

Looking beyond the couple of years, Walsh expects to see more additions and maybe even some subtractions from the scorecard.

“Looking a year or two out, I would love to see these metrics evolve to incorporate [the Technology Business Management framework], cloud ... and, again, recognize the progress agencies have made,” he said, adding that GAO is always interested in feedback from agencies on how best to move forward.

“If the scorecard were to ever eliminate an area, [software licensing] would probably be one that would be a candidate,” he said, as only four agencies didn’t get an ‘A’ in the last scorecard and are set to fix the remaining issues. “As far as we can track it, that work is done.”

Roat agreed that the scorecard should continue to evolve, but warned against too many changes too quickly or too often.

“You can’t make changes to that scorecard every six months because you’ll never have a goalpost. It just needs to evolve over time,” she said Wednesday. “It has to evolve with the maturity of the federal government. There’s just so much good work going on and a lot of modernization efforts. But take into account all the good things going on, and not just … poking holes in the small things.”