The Federal Information Technology Acquisition and Reform Act should be used to evaluate how agencies are meeting a number of government-wide cybersecurity goals, experts told Congress. (Photo by Anna Moneymaker/Getty Images)

A law originally designed to push IT modernization in the federal government should be used to evaluate how agencies are meeting a number of government-wide cybersecurity goals, from modernization and supply chain threats to implementing post-quantum encryption protocols, experts told Congress.

The Federal Information Technology Acquisition and Reform Act was passed in 2014 and serves as one of the main laws governing how federal agencies spend their technology budgets and modernize their IT. It has also served as a goal post for Congress to conduct oversight and keep tabs on how the federal government is modernizing.

At a House Oversight subcommittee hearing this week, ranking Republican Rep. Jody Hice, of Georgia, questioned whether lawmakers should drop certain metrics that have waned in importance, like data center consolidation (the federal government has closed approximately 6,800 data centers since 2010, and every agency was given top marks in the latest evaluation), and shift their oversight to focus on a more pressing matter: cybersecurity.

While FITARA “scorecards” for agencies started including cybersecurity in 2019, Hice noted that an official from the Government Accountability Office told Congress just last week that current metrics do not give an accurate picture of an agency’s cybersecurity posture.

“I think, again, that’s an indication that we need to evolve and go to the next step ... We’ve got ample illustrations as to our vulnerability, not that we need reminders, there’s plenty of them out there,” Hice said. “Security is absolutely one of the top areas for oversight and we need to keep that as our priority, we here in the subcommittee need a clearer picture as to how safe agency systems actually are.”

When FITARA was originally passed, oversight hearings almost uniformly focused on incremental developments in IT modernization and other priorities, like closing data centers to smooth the way for widespread cloud adoption and migration.

Historically, members of Congress have talked a good game around transforming the federal government’s IT, but they’ve often blanched at the prospect of a significant cash infusion to replace older systems. Last year, Michael Daniel, former White House cyber coordinator under President Barack Obama, remarked that, “It is incredibly easier to get money from Congress to keep old systems running than it is to get money to buy new systems.”

Agencies collectively spend around $100 billion every year on IT, but the majority of that spending goes to maintaining legacy systems, many of which are unsecured, expensive to maintain, and overly reliant on programming languages (like COBOL) that haven’t been widely used for decades.

“We have a major legacy IT issue in the federal government and so a large portion of those [operations and maintenance] dollars are spent towards unsecure and unstable systems,” said Carol Harris, director of information technology and cybersecurity issues at the GAO. “We need to tackle that issue … we want to see decommissioning of those legacy systems, so we free up those dollars to spend on [newer technology.]”

For years, efforts to inject billions of dollars in new, dedicated spending to address the issue have failed, often resulting in programs like the Technology Modernization Fund, which forced agencies to compete with one another and jump through numerous bureaucratic hoops to add a few million more dollars to their IT budgets.

There are signs that lawmakers are finally seeing the connection between the federal government’s cybersecurity problems and its legacy IT. Last year, Congress passed coronavirus relief legislation that included $1 billion in new funding for the TMF program, which program managers promptly used to invest more than $260 million in cybersecurity-related projects across the government.

With more investment should come greater scrutiny through laws like FITARA. Harris said the Biden administration’s executive order issued last year should form the “basis” of future oversight, while scrutiny from Congress “should be expanded to better address the ongoing and emerging challenges facing our nation, including mitigation of global supply chain risks and improving the implementation of government-wide cybersecurity initiatives.”

Dave Powner, who audited the federal government’s IT issues at GAO before moving to MITRE in 2018, called for retiring three of the metrics Congress currently measures (data center consolidation, incremental modernization progress and IT portfolio savings) and replacing them with five new measurements, including cybersecurity posture and agency progress in replacing legacy IT.

Overseers should judge agencies on how they are implementing a bevy of new cybersecurity mandates placed on them last year by Congress and the White House.

“We need to update the cyber area by using metrics that are consistent with the administration’s cyber executive order, its zero trust policy, supply chain risk management best practices and those metrics used by CISOs in industry,” Powner said.