Keep FITARA going

Why it's important to keep iterating on the Federal IT Acquisition Reform Act to meet today's cybersecurity challenges.

The Senate Homeland Security and Government Affairs Committee this week passed a bill to extend key provisions of the government’s primary technology legislation, the Federal IT Acquisition Reform Act. The bill will extend by two years requirements for government agencies to consolidate and optimize data centers, joining a companion bill introduced in the House in June.

FITARA has done much to improve how the government manages its information technology, and these extensions are critical to keeping the government’s IT modernization momentum going. But to truly improve our government’s technology, Congress must build off the successes of FITARA and recognize the new IT landscape in which we live.

FITARA was first passed in 2014, but much of its original language was written as far back as 2012. Technology has changed drastically since then, and cybersecurity in particular has become an omnipresent concern for the government. We’ve learned many lessons on what works and what doesn’t.

It’s time to update our government’s IT policy to reflect this. Congress can do so by adding the comprehensive cybersecurity transparency and reporting requirements that are essential to modern IT management. With an administration focused on modernizing the government’s IT, now is the time to make these changes.

The need to bolster government cybersecurity is the linchpin of FITARA. As a political matter, failed or omitted testing during the rollout of Healthcare.gov put wind in the sails of FITARA. Subsequent events, such as the massive Office of Personnel Management data breach, reinforced the cybersecurity crisis within government.

Thanks to FITARA, the government is improving. Agency CIOs now have greater authority to manage all the technology within their agency -- authority most did not previously have, which led to significant problems in government IT management. Congressional oversight, from leaders like Reps. Will Hurd (R-Texas), Gerry Connolly (D-Va.), and Robin Kelly (D-Ill.), has been critical to progress in this area.

Yet even with this progress, we can do more to improve our government’s cybersecurity.

Take the seemingly simple issue of IT inventories. This was brought up during a House Oversight Committee hearing on the latest FITARA Scorecard in June and in a 2016 Government Accountability Office report that found 20 of 24 federal agencies do not have a comprehensive inventory of their IT.

The MEGABYTE Act attempted to address part of this issue by requiring agencies to inventory their software licenses. But had agencies been scored on implementing it -- which they will be on the next FITARA scorecard -- 21 of 24 would have failed.

We can do better. Agencies need continuous, real-time visibility over every endpoint they manage, not just 80 percent of them (as has become the industry standard). Achieving this level of visibility requires monitoring more than hardware and software; it requires monitoring applications and services, too. It also requires knowing which vulnerabilities are present on all agency endpoints in real time and being able to take action quickly. This gets back to the original intent of FITARA: helping government agencies better manage their IT and giving CIOs the authority to do so.

Having a constantly up-to-date inventory, even when managing a massive number of endpoints, is paramount to the government’s cybersecurity efforts. It takes only one unpatched piece of software on one endpoint for a hacker to gain access to a network.

IT inventories are also key to cutting costs. By knowing what’s on a network, who is using it, and how much is being used, agencies can make informed decisions about which technologies they need, which ones they don’t need, and which ones they need to modernize. Consolidating data centers, which currently number close to 10,000 across the government, as FITARA aims to do, is one key area where the government can cut costs.

Accurate IT inventories also provide credible transparency into major technology projects -- another core intent of FITARA. The government uses the Office of Management and Budget’s IT Dashboard to track deployment and status of major IT systems throughout the government. But in many cases, the data has not been reliable.

The rollout of Healthcare.gov is a prime example: Project managers rated it as on-track in nearly every quarter leading up to its rollout, despite the obviously serious issues that were occurring. FITARA reinforced the Dashboard’s importance in establishing agency transparency and improved the data reported. Now it’s time to include cybersecurity reporting, reflecting today’s changing technology landscape.

In combination with the president’s cybersecurity executive order and the Modernizing Government Technology Act (which is moving forward in the National Defense Authorization Act), we have significant momentum to transform our government’s technology. With updates to our government’s primary IT policy, we can continue making progress toward protecting our nation’s most critical data.