A common challenge facing federal IT leaders today is balancing the need to invest in modernization while maintaining legacy systems. A recent survey of federal CIOs found that 75% of IT spending is dedicated to the maintenance of legacy systems rather than to IT modernization. FITARA is expected to change that by granting federal CIOs greater authority, visibility, and responsibility over IT acquisitions.
Enacted in December 2014, the Federal Information Technology Acquisition Reform Act (FITARA) is intended to improve the acquisition and management of federal IT assets. Overall, there is optimism about its impact; 84% of IT professionals believe that FITARA will improve federal IT efficiency. Chief among its expected benefits is reducing the amount of waste and duplicative IT systems and improving communication and visibility within agency IT teams.
FITARA defines new roles and responsibilities for agency chief information officers (CIO), chief financial officers (CFO) and budget officers, chief acquisition officers (CAO), and senior procurement officials. Specifically, the CIO will now oversee all IT procurement, budget, and workforce decisions. How does this impact the rest of an agency’s IT staff? As the CIO takes greater ownership of IT projects, it will be increasingly important to speak the same language as the CIO to get IT projects approved.
Since the CIO is now accountable for a wide range of new metrics, it is also important to understand these metrics and how you impact them. In other words, it is important to be well versed in FITARA even if you are not a CIO.
FITARA, FedRAMP, and CASBs
Cloud computing is expected to play a significant role in government IT. A key goal of FITARA is data center consolidation, and that objective will likely involve moving many agency processes from legacy IT systems to new cloud-based applications.
One of the primary challenges federal agencies face moving to the cloud is meeting strict security standards. A 2016 report from the Congressional Research Service found that despite programs like FedRAMP, which are designed to streamline the procurement of cloud services, cloud adoption across government agencies is being held back due to security concerns.
While IT may be waiting, agency employees are not. On the contrary, government employees are adopting cloud services as rapidly as the private sector. This is happening without the knowledge or involvement of IT, creating “shadow IT” environments across government agencies. The average agency now uses 859 cloud services, most of which have been introduced by employees, and only 3.3% of them are FedRAMP compliant.
An increasing number of government agencies use a cloud access security broker (CASB) to analyze their cloud usage while enforcing security and compliance policies. CASBs are on-premises or cloud-hosted software that act as a control point to support continuous visibility, compliance, threat protection, and security for cloud services.
We aggregated and anonymized usage data from the Skyhigh Security (formerly McAfee) customer base to show the state of cloud adoption in the U.S. federal government and found that the average agency today uses 859 cloud services, a 15.8% increase year over year.
Not surprisingly, shadow IT is pervasive across the board, with many consumer and enterprise services in use. At the average agency, 26.9% of services in use last quarter were consumer services (e.g., Facebook, Twitter, LinkedIn, Evernote); the remainder were enterprise services (e.g., Office 365, Salesforce, Box, ServiceNow).
Across the 859 cloud services in use at the average agency, just 3.3% are FedRAMP compliant, and just 4.5% of agency data in the cloud is uploaded to FedRAMP-compliant services. This means that the vast majority (95.5%) of all agency data is stored outside of FedRAMP-compliant services. With fewer than 100 cloud services having met its requirements, FedRAMP is one of the most stringent security accreditations available.
Key FITARA provisions
While some agencies have already been operating in a model similar to the one outlined by FITARA, the law codifies CIO authority to manage information technology projects and makes CIOs and agencies accountable for the success of agency IT programs. According to a June 2015 memo from OMB on implementation guidance, one of the objectives of these new requirements is to strengthen a CIO’s accountability for their agency’s IT cost, schedule, performance, and security. Another objective is to give agency CIOs visibility and involvement in the management and oversight of IT resources with a goal of supporting successful cybersecurity policies.
There are seven key provisions of FITARA:
- CIO Authority Enhancements
- Enhanced Transparency and Improved Risk Management in IT Investments
- Portfolio Review
- Federal Data Center Consolidation Initiative (FDCCI)
- Expansion of Training & Use of IT Cadres
- Maximizing Benefit of Federal Strategic Sourcing Initiative (FSSI)
- Government-wide Software Purchasing Program
Agencies are required to report their performance in four of these seven provisions to OMB via PortfolioStat on a quarterly basis: data center consolidation, IT portfolio review and savings, incremental development, and risk assessment transparency. On a regular basis, OMB will report to Congress on the progress each agency makes in cost savings, as well as the avoidance and reduction of duplicate IT investments. The House Oversight and Government Reform Committee publishes a scorecard showing how well agencies are currently doing in enacting FITARA. Today, many agencies have received D and F grades on their scorecards, indicating there is much work to be done.
When defining the scope of IT projects overseen by the CIO, FITARA guidance specifically states that it includes services, such as cloud computing. It goes on to explain that CIOs are not just responsible for official agency IT projects but “shadow IT” or “hidden IT” usage as well. It is outside the scope of this guide to describe all FITARA requirements in detail. We will focus on two provisions as they relate to the use of cloud computing: portfolio review and data center consolidation. FITARA requires that agencies procure cloud services that are consistent with FedRAMP and NIST guidelines. In the next section, we'll describe how the FedRAMP program helps streamline cloud service assessment with a centralized assessment process.
Disclaimer: McAfee products and services may provide features that support and enhance your industry’s Federal Information Technology Acquisition Reform Act compliance obligations; however, they are neither designed nor intended as Federal Information Technology Acquisition Reform Act compliance solutions. The information provided herein is for information purposes only and does not constitute legal advice or advice on how to meet your compliance obligations.