FITARA scores mostly stay firm, with TMF and cyber EO changes looming

A total of 18 agencies maintained their grades, four improved them and two saw downgrades, but the next scorecard could get a facelift.
Rep. Gerry Connolly, Virginia Democrat
Rep. Gerry Connolly. (House Oversight Democrats / Flickr)

Editor’s Note: This story has been updated with information from the 2 p.m. FITARA 12.0 hearing of the House Oversight and Reform Subcommittee on Government Operations.

Most agencies’ FITARA grades stayed the same on the 12th biannual scorecard released Wednesday — but big shifts could be coming as they begin new Technology Modernization Fund (TMF) projects and meeting the mandates of the president’s recent cybersecurity executive order.

Among the 24 Chief Financial Officer Act agencies analyzed, 18 maintained their grades, four improved them and two saw downgrades — with the General Services Administration restoring its sole A+ status from two scorecards ago.


Much of the stagnation can be attributed to agencies’ focus on change management to accommodate increased telework during the pandemic. But an influx of TMF funding — coupled with aggressive timelines to improve federal cyber preparedness — could prompt the House Oversight and Reform Subcommittee on Government Operations to tweak the expectations of agencies for the FITARA 13.0 scorecard.

“You can view this scorecard as really the baseline for the implementation of TMF and the [cyber] executive order,” Joe Flynn, public sector chief technology officer at Boomi, told FedScoop. “The modernization and cybersecurity things are really going to take front and center regarding upcoming work.”

The American Rescue Plan Act infused $1 billion into the TMF in March, and the TMF Board has received 108 project proposals, worth more than $2.1 billion in requested funds, from 43 agencies. Proposals continue coming in to the TMF Board, which spends about 10 hours a week reviewing them, as most agencies have “pretty significant” project backlogs and need flexible IT modernization funding, said Clare Martorana, federal chief information officer, during the subcommittee’s FITARA 12.0 hearing.

But the final version of the Financial Services and General Government appropriations bill for 2022, produced by the House Appropriations Committee on Monday, only included an additional $50 million for the TMF — well shy of the White House’s request for $500 million.

“The Administration appreciates the funding provided in the bill for the TMF and urges the Congress to provide the full $500 million requested in the FY 2022 Budget, which would support a more rapid transition of legacy systems and the adoption of more secure commercial technology,” reads a statement released by the Office of Management and Budget later that day.


Even so, TMF funds will have a “significant impact” on future FITARA scorecards as the money begins to flow — especially with OMB having released guidance relaxing repayment requirements for agencies, Flynn said.

During the FITARA hearing, Rep. Jody Hice, R-Ga., suggested the subcommittee consider adding a component grading agencies’ use of TMF funds for IT modernization.

“Those funds are spread around, but what’s their impact?” Hice asked. “What are we really getting in relation to modernization? Is it happening?”

Hice also wondered aloud if more cyber components should be added to the scorecard or spun off into a separate one.

The cyber executive order, issued by President Biden in May, contains tight deadlines — including a 60-day cutoff for all executive branch agencies to update their cloud adoption plans and develop zero-trust architecture implementation plans.


Martorana said cybersecurity was her “immediate priority,” and the FITARA 12.0 scorecard confirmed it’s a place where agencies continue to lag.

“Cybersecurity continues to be an area of struggle for the agencies,” said Carol Harris, IT and cybersecurity director at the Government Accountability Office, during the hearing. “One-third have a D or F, and another third are getting by with a C.”

The FISMA component of the FITARA scorecard is but one dimension of federal cyber, and GAO is open to adding more, or creating a separate scorecard, at the subcommittee’s discretion — provided agencies’ vulnerabilities aren’t publicly disclosed, Harris said.

Rep. Gerry Connolly, D-Va., who chairs the subcommittee, said he’s open to evolving the scorecard but is hesitant to add more components currently.

“I definitely see the FITARA scorecard as always a work in progress,” Connolly said. “The only caution is, as you can see from the grades in front of us, we have not yet succeeded in full implementation, so we don’t want to lose sight of that.”


The departments of the Interior and State and the Social Security Administration were the three other agencies to improve their FITARA 12.0 grades, while the departments of Justice and Veterans Affairs saw the only downgrades.

DOJ now holds the worst overall FITARA grade with a D-. A C or higher is considered a passing grade.

Agency transitions to the $50 billion Enterprise Infrastructure Solutions contract for network and telecommunications modernization, a component of the FITARA scorecard, continue to advance slowly. Two agencies — SSA and the U.S. Agency for International Development — received As for being at least 50% transitioned off the legacy Networx contract.

While NASA and SSA appointed CIOs since FITARA 11.0, the Department of Health and Human Services CIO continues to serve in an acting capacity. And the Department of Defense, DOI, Department of Transportation, VA, and Office of Personnel Management all have acting CIOs as of FITARA 12.0 — though OPM just recently named Guy Cavallo, who’d been acting in the role, its permanent CIO.

Latest Podcasts