HHS is latest agency to begin to figure FITARA out
As the House Oversight and Government Reform Committee marked the fourth anniversary of the passage of the Federal IT Acquisition Reform Act (FITARA) with the releases of the seventh iteration of its scorecard, there was plenty to celebrate.
No agency received an “F” grade for the first time. While there were no “As” either, there were 11 “Bs” and every agency either improved or stayed the course.
“The intent of the scorecard, as my colleague and original co-author of FITARA [Rep. Gerry] Connolly (D-Va.) has pointed out, is not to paint agencies with a scarlet letter. Rather, our intent is to incentivize behaviors and actions that result in better managed and more secure IT resources,” said Rep. Will Hurd, (R-Texas), chairman of the IT subcommittee, in his opening statement.
And it’s that goal of driving and incentivizing a specific set of behaviors that came through in this latest scorecard more than ever before.
The changed behaviors can be seen at the agency level whether it’s the Commerce Department’s acting CIO Rod Turk exercising his oversight muscles over the bureau’s IT spending, or the Transportation Department’s decision to freeze IT spending back in 2016 to address cybersecurity challenges and then in 2017 to add more oversight to IT spending.
For many agencies, complying with the law doesn’t mean getting all “As” and staying out of the cross-hairs of the committee. It means CIOs can stop talking about getting a “seat at the table” and start exercising their authorities to affect real change.
The bi-annual hearings, in many ways, are a reminder that at least House lawmakers are watching with high expectations.
“These hearings and our consensus on the issue of federal information technology procurement sends a message to agencies that the Oversight and Government Reform Committee is serious about agency implementation of the Federal Information Technology Acquisition Reform Act – or FITARA – and we are not going to take our foot off of the gas pedal until we achieve full implementation of the law, regardless of who is in the majority,” Connolly said in his opening statement.
Now if only the Senate Homeland Security and Governmental Affairs Committee cared as much about public accountability when it comes to FITARA — that would really help drive home the message.
In the aftermath of FITARA 7.0 scorecard and hearing, as I’ve done for the past six, here are my three takeaways:
No “A” by May, but pretty close
The Department of Health and Human Services was mired in the FITARA basement with five “Ds” before inching up to a “C-” last May. So HHS officials launched a new initiative to improve their scores, but more importantly change the culture of the agency.
Ed Simcox, the acting HHS CIO and the chief technology officer, told the committee that after the agency’s fourth straight “D” grade in June 2017, it paused to do an analytical review of the legislation, their implementation and figure out where they can improve.
Over the next 18 months, HHS focused on a three-pronged approach to improve how it manages technology, knowing that FITARA scorecard improvements would come almost as a byproduct.
Simcox said HHS termed the initiative D3:
- Data — HHS created an internal FITARA scorecard, developed a CIO work plan and refreshed its approach to transparency and risk management.
- Dialogue — Headquarters executives held bi-weekly and monthly meetings with bureau level CIOs to discuss FITARA implementation as well as monthly briefings with the Office of Management and Budget and the Government Accountability Office. Simcox said through these conversations, which also included the deputy secretary, the agency brought in more of the CXOs so FITARA wasn’t considered just an “IT law,” but one to “support mission and business operations through the effective use of technology.”
- Delivery — The agency identified and captured cost savings or avoidance through the use of shared services, cloud services and consolidation of IT acquisitions. HHS created its first-ever software inventory and found more than 4 million licenses across 12,000 software publishers.
Through the D3 initiative, HHS fell short of its goal of an “A by May” but did improve to a “B+.”
“Our rapid improvement from FITARA 4.0, where we received a ‘D-,’ to today’s FITARA 7.0, where we have a ‘B+,’ would not have been possible without broad collaboration,” Simcox told the committee. “Working in partnership with GAO, OMB and Hill staff has been critical. This committee’s advice has directly contributed to the IT improvements at HHS.”
Simcox said D3 created a common language across the agency to compare performance and take advantage of the data to address high risk areas.
“HHS’s improvements are an example of how the FITARA scorecard positively incentivizes agencies to act,” Hurd said.
HHS now is moving to the next iteration of D3, called M3: Monitor, maintain and mature.
Simcox said under M3 HHS plans to drive performance further through an internal FITARA dashboard and discussions, specifically around CIO reporting, data center optimization and cross-agency cyber priorities.
The committee specifically pushed Simcox on data center efforts. So far, HHS has closed 17 tiered data centers out of 54.
“We can do better and will continue to make progress on that,” he said. “I also would like to mention our enthusiastic support for shifting from a cloud first approach to a cloud smart approach where we are able to actually look at the subject matter that is in systems and really match that to the mission that is supported by the systems and any legislative requirements.”
The lessons learned by HHS and what the six agencies with “D” grades — the departments of Justice, Agriculture, Defense and Treasury, the Office of Personnel Management and the Nuclear Regulatory Commission — should take from their experience are clear.
And Simcox summed it up very simply: “The truth lies in the data. We achieved high scores by following instructions and using data to drive conversation, collaboration and change. FITARA has created a culture shift inside HHS. At HHS, we like to say FITARA is both a law and a lifestyle.”
Rep. Hurd’s obsession with working capital funds
Without a doubt, among the biggest frustrations Hurd is experiencing with the entire IT reform effort, which includes both FITARA and the Modernizing Government Technology (MGT) Act, is the lack of willingness for most agencies to create working capital funds to help pay for IT modernization efforts.
Only four agencies — the departments of Agriculture, Labor and Homeland Security and the Small Business Administration — plan to set up a MGT Act authorized fund.
Hurd said the working capital fund authority really is the most important part of the MGT Act, even though many others like to focus on the Technology Management Fund (TMF).
During the hearing, he specifically questioned HHS’s decision to use its nonrecurring expenses fund (NEF) instead of creating a specific IT working capital fund.
Simcox said about two-thirds of the fund is used for IT projects and one-third for capital investments.
HHS CFO Sheila Conley said since 2013, the agency has spent about $5 billion on IT and cyber projects from the fund.
But Hurd said the problem he sees with HHS’s NEF and other existing working capital funds in other agencies is the lack of control by the CIO. In HHS’s case, Simcox is part of the decision-making process, but the secretary has the final say of how the money is spent.
And that’s what frustrating him the most. The point of the MGT Act was to give the CIO the final say. Now that idea also begs the question whether any CIO really has a final say when the secretary and deputy secretary really control all spending across the agency.
At the same time, HHS is among several agencies whose general counsel determined their agency doesn’t have the legal authority to transfer money into the MGT Act working capital fund, which comes before there is even a decision on how the money is spent.
Again, Hurd questioned HHS on this issue and even asked for the general counsel to appear before the subcommittee to explain their determination.
“What legal analysis went into making the conclusion that HHS lacks the transfer authority to move money into a MGT account?” Hurd asked.
Conley responded, “As it relates to our transfer authority, we have very specific transfer authority that is provided in several instances…”
Hurd interrupted, “And that’s why we wrote and passed the MGT Act to give the authority for the CIO to have access to a working capital fund that is exclusively used by the CIO. It’s frustrating that agencies claim they lack the transfer authority when we just passed legislation to do that.”
Conley said HHS needs to be provided with explicit transfer authority to move money into the MGT Act fund. Hurd responded by asking that the law by Congress wasn’t enough?
“In the GAO’s red book, or the federal appropriations law book, they point out that the agency may transfer funds only when expressly authorized…” Conley said.
Hurd interrupted again saying the red book was last updated before the passage of the MGT Act. GAO said it last updated the red book in March 2016, which was 15 months after FITARA became law.
It seems Hurd will either work with GAO to clarify the red book or get some sort of FITARA technical correction or update into a future bill to specifically clarify how the working capital funds work. And other agencies should pay attention too and come up with a more detailed legal analysis or face being called to the carpet like HHS.
Data center definition concerns
GAO and OMB’s debate over the definition of a data center doesn’t look to be simmering down any time soon.
OMB’s draft data center policy released Nov. 26 isn’t sitting well with government auditors. In that draft policy, which is out for public comment through Dec. 26, the administration decided to remove the requirement that agencies track and close non-tier data centers as well as change how agencies measure optimization.
At the FITARA hearing, Connolly said OMB’s decision to change the definition is concerning.
Carol Harris, the director of IT management issues at GAO, said OMB’s decision to move away from fully measuring the progress to consolidate and optimize all data centers is worrisome.
“When you take a look at server utilization that is currently being reported as a percentage, which gives an idea to the degree of the servers are being utilized,” Harris said. “With OMB’s proposed change, they are looking to report only the number of underutilized servers in each data center. So without that context of the total number of servers, you lose the ability to know the progress being made in consolidating those servers. That is one example of a metric where OMB could potentially be fuzzing things up.”
Harris told Rep. Mark Meadows (R-N.C.) later in the hearing that GAO plans to meet with OMB to discuss the proposed changes.
Meadows asked Harris if the current data center metrics are working as intended.
“It’s not perfect, but we do think the current metrics that are in place are giving a pretty good picture of how the agencies are doing relative to their goals,” she said.
Meadows pressed Harris for further explanation about why the data center metrics needed to be changed whether the recommendation came from Federal CIO Suzette Kent or the CIO Council or somewhere else.
But Harris said she couldn’t answer the why and would find out more in their meeting with OMB.
“If you and your colleague [at GAO] would reach out to OMB and tell them it is of significant concern,” Meadows said. “It’s like changing the parameters for a SAT test. If you change it and it’s a different standard for high school students today versus high school students 20 years ago, you can make the scores anything they want to be,” Meadows said. “I’m concerned if you are only looking at underutilized servers and that matrix, then you have no idea how much stuff you’ve moved to the cloud. If you are truly looking at server capacity at these data centers, then it doesn’t show the whole picture.”
Data centers and the metrics around them have been a source of dispute for OMB and GAO almost since the beginning of the initiative in 2011.
Connolly said he believes the data center initiative has stalled at some agencies. GAO said in August 2018, six agencies reported that they did not plan to meet their goals for closing tiered data centers and nine agencies reported that they did not plan to meet their goals for closing non-tiered data centers by the end of fiscal 2018.
OMB’s meeting with GAO in the coming weeks will do a lot to alleviate or spark the obvious concern in Congress. The fact that OMB didn’t at least brief GAO on the draft strategy before putting it out, once again, is a missed opportunity for the federal CIO’s office to control the narrative.