Federal IT leaders suggested changing statute to improve the procurement of cloud services for the federal government and creating consistency across cybersecurity performance metrics in a meeting with Rep. Gerry Connolly, D-Va.
The suggestions were among those that seemed to generate interest at a Tuesday roundtable on Capitol Hill, including some legislative interest in fixing cloud procurement from Connolly, the ranking member of the House Committee on Oversight and Reform’s subcommittee focused on cybersecurity and IT.
The roundtable discussion followed the release of the latest Federal IT Acquisition Reform Act (FITARA) scorecard, which measures agency progress in meeting that statute’s requirements, and centered on how agencies are progressing with cybersecurity improvements in government.
Those in attendance included IT and cyber officials from the departments of Commerce, Veterans Affairs and State, Social Security Administration, Government Accountability Office, and General Services Administration.
Among the challenges for the government in procuring cloud services is the absence of a definition of “cloud” in the Federal Acquisition Regulation (FAR), Carol Harris, a director for GAO’s IT and cybersecurity team, noted at the meeting. Harris said the GAO is currently looking into the main challenges for cloud procurement.
“In addition, there’s not a type of contract available that covers a consumption-based pricing model, which is what you do when you procure cloud,” Harris said. “And so because of these outdated requirements in the FAR, these agencies are having to do these workarounds, and that’s a major problem.”
Harris suggested there’s an opportunity for congressional action.
“I have to admit, I did not know, and neither did GAO until recently, that the FAR – the major procurement vehicle of the federal government – has no definition of cloud,” Connolly told FedScoop after the meeting.
He added: “We’re going to fix that.”
Harris also noted that there are challenges for agencies in how to effectively hire employees with cloud expertise, and agencies are awaiting requirements and deadlines from the Office of Management and Budget on the application rationalization component of the government’s cloud computing strategy “Cloud Smart.”
Another suggestion on the performance metrics themselves came from Kelly Fletcher, chief information officer for the State Department, who pointed to the volume of cybersecurity scores agencies are given, including FITARA and Performance.gov metrics.
“In no way to impugn any of the scores, I think they’re all really valuable, but the problem is when I try to explain to my leadership ‘how are we doing on cybersecurity,’ frankly, I can pick and choose,” Fletcher said.
She added: “I think some consistency across these public metrics would be very helpful.”
Connolly, in response, noted that FITARA is tied to the elements in the statute it stems from, but said he wasn’t sure if lawmakers were aware there were competing scores when they created the scorecard. “I think it’s good feedback for us to try to at least stay cognizant of those other measurements,” Connolly said.