Finding FITARA Success with Better Governance: Research Brief

Upload: govloop

Posted on 01-Aug-2016


INTRODUCTION: Addressing waste and redundancy in acquisition

Government experts agree there is waste, duplication and fragmentation in federal acquisition spending. Lots of it. Rough estimates put the price tag for that waste in the billions, if not tens of billions, of dollars annually.

The scale of the problem is reflected in a Government Accountability Office annual report that details scores of practices and programs that are considered among the most wasteful. For example, the most recent of those reports, released in April 2016, found that the Department of Defense could save more than $4 billion by better leveraging strategically sourced contracts for the biggest procurement categories. Billions more could be saved, the report states, if agencies consolidated more federal data centers, better planned their cloud-based computing solutions, imposed stronger investment oversight of information technology operations and maintenance, and better managed their IT investment portfolios.*

So what’s driving the problem? In two words: poor governance. Fragmented and stovepiped approaches to acquisition, resource planning and utilization, data tracking and reporting, compliance, and other management activities riddle agencies. As a result, agencies often lack cohesive governance structures and internal cross-communication. These foundations are necessary to ensure that officials make smart decisions and that they sync and align IT management and acquisition activities across the federal agency enterprise with organizational priorities for greatest efficiency and effectiveness.

Concerns over this problem — and its resulting waste, duplication and fragmentation of resources — prompted Congress to pass the landmark Federal Information Technology Acquisition Reform Act (FITARA) in 2014 as a way to rein in the amount of tax dollars lost to wasteful acquisitions. FITARA basically outlines a broad framework for agencies to create better governance structures. These new structures are intended to:

• Better align IT resources with agency missions, goals, priorities, and statutory requirements.

• Establish governmentwide IT management controls to meet FITARA requirements.

• Establish a “Common Baseline” for roles, responsibilities and authorities of Chief Information Officers and other senior executives.

• Provide transparency of IT resources across entire agencies and programs.

• Support implementation of cybersecurity policies.

As departments and agencies scramble to stand up these new governance structures to comply with FITARA, many managers find themselves charting new terrain. Accustomed to stovepiped and fragmented approaches to governance, they are unsure about how to suddenly impose structure and synchronization on the IT resource management activities occurring across their enterprises.

To better explore the problem and what government agencies can do about it, GovLoop has partnered with Four Points Technology, an RSA Platinum Partner, and RSA, a leader in governance, risk management and compliance (GRC) solutions, to bring you this research brief. We will study the challenges, strategies and tools that apply as federal agencies seek to overhaul their IT management approaches in the era of FITARA. Specifically, this brief will:


• Share results from a survey of 138 public-sector professionals — mostly federal — on the issues and challenges of implementing FITARA.

• Identify common challenges agencies face in tackling waste, duplication and fragmentation in IT acquisition.

• Explain how understanding GRC is central to understanding how agencies can achieve FITARA goals.

• Explore how RSA can assist agencies in strengthening their GRC regimes for better IT management outcomes.

• Allow multiple agencies within a department to share information

• Support common baseline controls and governance processes across a department

The narrative surrounding FITARA is really about agencies being able to recognize shortfalls in their GRC regimes and then taking steps to mature them, said Chris Hoover, a GRC Strategist at RSA. At the agency level, root causes of many of today’s problems often trace back to poor GRC management. GRC is a discipline that aims to synchronize and coordinate information and activity enterprisewide to enhance organizational governance, risk management and compliance. The ultimate goals are better resource alignment with priority objectives, greater efficiency, more effective information sharing, fewer stovepipes, better compliance and reporting activities, and less waste.

Without an effective GRC regime, department managers suffer from fragmented visibility into what their operating units are doing. Lacking a consolidated top-level governance structure and view, they cannot effectively synchronize activities at their many bureaus and components, either to meet organizational goals or avoid duplication and waste.

RSA has a maturity model to gauge where organizations are in terms of their GRC regimes, and many federal agencies are at the bottom — or “siloed” — level when it comes to visibility into acquisitions, implementation and performance metrics, Hoover said.

“The siloed level defines the maturity of an organization when they do not communicate well because their tools don’t enable sharing of data and its culture does not prioritize effective cross-enterprise communication. The government experiences this both at the inter- and intra-organizational levels,” said Hoover, who, prior to RSA, spent his entire career within the Department of Defense, the intelligence community, and the civilian side of the federal government.

The GovLoop survey results reflect RSA’s and Four Points’ findings. Large percentages of respondents said they are unaware of how well their agencies track IT assets and acquisitions or how they track progress toward FITARA compliance. Large percentages said their agencies are behind in implementing FITARA and face significant challenges in meeting the law’s requirements.

So let’s explore further the nature of the problem and how agencies can better manage the challenges they face in meeting FITARA’s goals.

* “2016 Annual Report: Additional Opportunities to Reduce Fragmentation, Overlap, and Duplication and Achieve Other Financial Benefits,” GAO, April 2016, GAO-16-375SP


What is FITARA?

The Federal Information Technology Acquisition Reform Act (FITARA) was enacted in December 2014 to clarify executive responsibilities and establish accountability for the acquisition and management of IT resources at federal agencies. The act’s overall goals are more effective management of IT assets, improved delivery of citizen services, more successful federal technology programs and greater innovation.

To achieve these goals, the law and its implementing guidance — which the Office of Management and Budget provided — set out numerous objectives, including:

• Establishing management practices that align IT resources with agency missions, goals, programmatic priorities and statutory requirements.

• Establishing governmentwide IT management controls that meet FITARA requirements while providing agencies with the flexibility to adapt to agency processes and unique mission requirements.

• Establishing a “Common Baseline” for roles, responsibilities and authorities of the agency Chief Information Officer and the roles and responsibilities of other applicable senior agency officials in managing IT as a strategic resource.

• Strengthening agency CIO accountability for IT cost, schedule, performance and security.

• Strengthening the relationship between agency CIOs and bureau CIOs.

• Establishing a governance process for effective planning, programming, budgeting and execution of IT resources.

• Providing transparency on IT resources across agencies and programs.

In addition, FITARA outlines specific requirements related to:

• Agency CIO authority enhancements.

• Enhanced transparency and improved risk management in IT investments.

• Portfolio review.

• The Federal Data Center Consolidation Initiative.

• Expansion of training and use of IT cadres.

• Maximizing the benefit of the Federal Strategic Sourcing Initiative.

• The governmentwide software purchasing program.

A critical component of FITARA is the requirement that agencies develop a Common Baseline that serves as a framework to implement the specific authorities that FITARA provides for agency CIOs and other senior agency officials engaged in IT investments and management. Specifically, the Common Baseline calls on agencies to delineate responsibilities for visibility, planning, governance, program collaboration, and certifications and approvals in four key areas: budget formulation, budget execution, acquisition, and organization and workforce.

Agencies submitted FITARA implementation plans to OMB for approval in August 2015 and will present annual implementation review plans and updates every April.


A CLOSER LOOK: The problem of weak governance

A quick examination of the GovLoop survey results will help illustrate why agencies are struggling so much with acquisition waste, duplication and, ultimately, poor governance.

Poor visibility into acquisitions

When asked, “Does your agency have adequate visibility, tracking and analysis of IT assets and acquisition activities?” only about a third said yes. (See Figure 1.) Almost 22 percent said no. But almost half said they didn’t know. This is telling because at an organization where IT assets and acquisitions are tracked, visible enterprisewide and analyzed, everyone associated with IT management would necessarily know the adequacy because decisions are based on that information. It is at organizations that are fragmented and stovepiped that employees would not be aware of what other operating units are doing.

“From a GRC perspective, this is not surprising,” Hoover said of the survey results. “It is a question of organizational GRC maturity, combined with the fact that FITARA is relatively new, that a lot of people don’t know what they don’t know.”

When asked to rate the scale of acquisition waste at their agencies, survey respondents were fairly split. (See Figure 2.) Roughly a third said they thought there was only a “minimal amount” or “little to none.” A far larger percentage (43 percent) guessed it was “average,” while a quarter of respondents said their agencies were suffering “quite a bit” or “high levels” of acquisition waste.

Although these questions offer broad insights into government employee perceptions of acquisition waste, the results are hardly telling given the subjective nature of how one might define low, average or high amounts of acquisition waste. Hoover points out that federal organizations can estimate waste only if they have effective data and visibility into that data. “If organizations were good at estimating waste, there wouldn’t be a FITARA,” he said. “As stated earlier, it is an organizational maturity issue, and cross-domain, cross-enterprise visibility is not a hallmark of less-mature organizations, and this is one of the main ways waste happens.” Overall, there is a lack of information sharing and knowledge across the enterprise, which makes it difficult to see where there is waste or redundancy.

Figure 1. Does your agency have adequate visibility, tracking and analysis of IT assets and acquisition activities? 32% yes; 22% no; 46% unsure.

Figure 2. What is your assessment of the IT acquisition waste within your agency? 13% little to none; 19% minimal; 43% average; 19% quite a bit; 6% high.

Answers to Question 6 of the survey support Hoover’s observation. It asked respondents whether their agencies have ways to track and compare acquisitions to better understand waste and redundancy. (See Figure 3.) Only a quarter of respondents said yes, while one in eight said no; the remaining 63 percent were unsure. Of the respondents who said their agencies can track and analyze acquisitions to identify waste, only a quarter said that capability was fully automated. (See Figure 4.) The rest said it was manual or a combination of manual and automated.

Taken together, these responses point to minimal cross-enterprise visibility into IT acquisitions or inventories. Hoover said a typical federal agency may have tens of thousands — perhaps even hundreds of thousands — of IT assets that different people in different offices bought from different vendors at different times over many years. Yet it is rare to find an agency that keeps that information in one database or tool. “From what I’ve seen, as often as not, it’s like each individual office might log their acquisitions and asset data in Excel spreadsheets on SharePoint,” Hoover said. “It comes back to the GRC maturity problem. It’s a sign that they’re stuck in that siloed model.”

Weak vendor governance

Another set of responses suggests that agencies do a poor job of sharing information about vendors they work with or are considering working with, which can lead to poor sourcing and vendor management decisions.

Almost two-thirds of respondents said they were unsure how well their agencies are able to gather performance data on vendors and their projects and services. (See Figure 5.) Only 15 percent said their agencies didn’t have this challenge.

Asked if their agencies would benefit from having scorecard-type data about vendors and their performance, 44 percent of respondents said yes, while 46 percent said they didn’t know. (See Figure 6.) And 54 percent of respondents said their agencies would benefit from having a central view of available vendors along with their Contractor Performance Assessment Reporting System and other performance information. (See Figure 7.) Forty-two percent said they were unsure if it would help.

Figure 3. Does your agency have a way to track and compare acquisitions to better understand waste and redundancy? 25% yes; 12% no; 63% unsure.

Figure 4. If yes, is it automated or manual in nature? 24% automated; 12% manual; 64% a bit of both.

Figure 5. Is your agency challenged in gathering performance data on vendors and their projects and services? 21% yes; 15% no; 64% unsure.

Figure 6. Would your agency benefit from having more “scorecard”-type data about the vendors it is working with or considering doing business with, based on other federal agencies’ experiences? 44% yes; 6% no; 46% unsure; 4% other.

Figure 7. Would your agency benefit from having a central view of available vendors along with their C-PARs and other performance information? 54% yes; 4% no; 42% unsure.

Finally, only 18 percent of respondents said their agencies take a proactive approach when it comes to vendor assessment and acquisition. (See Figure 8.) The remainder was roughly split between saying their agencies take a reactive approach and being unsure.

Compliance challenges

Other survey results point to another big problem: meeting priority compliance directives, including FITARA, and tracking their compliance progress.

Respondents were widely unsure about whether their agencies were challenged in meeting FITARA mandates. (See Figure 9.) Only roughly one in 10 said their agencies were not facing challenges. And when asked to cite the sources of FITARA challenges they faced, roughly three-quarters said budget constraints, culture or a lack of understanding of FITARA’s requirements. (See Figure 10.)

Asked where their agencies were in terms of implementing FITARA, the vast majority (83 percent) said they either have not yet begun or were only in the very early stages of implementation. (See Figure 11.) Hoover attributes this to the fact that FITARA is still fairly new — implementing guidance was issued June 2015 — and agencies have many other management challenges on their plates, including other compliance directives and budget constraints.

Similarly, when asked whether their agencies are struggling to track progress toward meeting mandates under the Data Center Optimization Initiative, almost a quarter of respondents said yes and two-thirds were unsure.

Figure 8. Overall, does your department take a more reactive or proactive approach when it comes to vendor assessment and acquisition? 18% proactive; 38% reactive; 43% unsure.

Figure 9. Is your agency facing challenges in meeting FITARA mandates? 28% yes; 11% no; 62% unsure.

Figure 10. Sources of the FITARA challenges respondents cited (original caption not recovered): 39% budget; 18% culture; 17% understanding requirements; 11% leadership buy-in; 4% understanding your baseline; 12% other.

Figure 11. Where is your agency in the process of FITARA implementation? 31% haven’t begun; 52% very early stages; 15% making strong progress; 3% implementor all-stars.

The road to better governance and visibility

These survey responses make clear that agencies are hampered by poor cross-enterprise visibility into IT acquisitions and resources, a lack of information sharing about the vendors they work with or may work with, and an inability to track progress in meeting priority compliance directives, including FITARA. It is not hard to understand how these problems can translate into waste, duplication and poor decisions.

Ultimately, GRC is about fixing these problems by installing tools and management approaches that reduce a wide variety of organizational risk, whether it’s risk of financial waste, poor mission outcomes, cyber breaches or poor compliance. Core components of a GRC program are:

• Operational Risk Management.

• Regulatory and Corporate Compliance.

• Third Party Governance.

• Business Resiliency.

• Audit Management.

• Assessment & Authorization/Continuous Monitoring.

Hoover said it is instructive to understand that there is a spectrum of GRC maturity that organizations fall within, as defined by RSA Archer’s Maturity Model. The five levels, from least to most mature, are:

1. SILOED: This is where baseline activities are in place to manage risk but are isolated and fragmented.

2. TRANSITION: This is where activities focused on improving effectiveness are under way to stabilize processes and expand scope.

3. MANAGED: This is where operational processes have evolved into a steady state and are now effective, repeatable and sustainable.

4. TRANSFORM: This is where transformative initiatives are executed to build a better connection between risk management and business.

5. ADVANTAGED: This is where processes are optimized and balanced by business context and risk priorities.

And although FITARA provides a high-level impetus for agencies to adopt better governance structures, it is left to each agency to figure out how to do that. Industry partners can offer tools to help them create GRC programs to implement FITARA mandates and set up governance structures. These GRC tools can help agencies:

• Automate processes.

• Meet FITARA mandates by leveraging best practices.

• Track progress against Office of Management and Budget-defined standards and practices.

• Track agency progress against IT program waste and abuse.

• Better understand their IT acquisition risk metrics from multiple perspectives, including vendor risks, program risks, cost overruns and more.

How RSA can help

Clearly, these survey results demonstrate that government managers are not alone in facing challenges as they strive to meet FITARA mandates. But solutions are available that can help automate critical governance and information-sharing processes, create governance and compliance structures, and track progress toward FITARA compliance and toward reducing wasteful IT spending.

Automating the connection of data enterprisewide — and ultimately automating governance more broadly — is a critical piece to achieving better results. As mentioned, many government organizations are operating in highly fragmented and siloed environments when it comes to governance and collecting data. “Being in the siloed phase, that is where you’re going to feel the most pain,” Hoover said. “If none of your tools communicate, you’re not going to see the big picture because the big picture is broken into 100 pieces that are stashed in 100 distinct IT systems. And if you want to get to them, it’s going to take you a long time — you’ve got to find out who owns each one and get a special login, special permission to go to each one. And then, even when you get that data, it’s in a proprietary format, and you have to export it and import it and reformat it and whatever. So that’s what I’m talking about with silos between tools.”

By uniting data and governance structures into a single tool that spans the enterprise, organizations can break through those silos, he said. “You’re improving communication. You are saving people time. And you can start making your processes easier to accomplish and make them more repeatable. It saves time and it saves burnout, and you’re making your environment more secure, more efficient. As you move your way up the Maturity Model, there are different benefits that are realized. It becomes more about making better security decisions because you have better information.”

RSA offers a suite of solutions to assist public-sector agencies in building stronger governance programs. At the core of its offerings is the RSA Archer GRC Platform, which empowers organizations to manage multiple dimensions of risk on one configurable, integrated platform. The platform supports business-level management of enterprise GRC and serves as the foundation for all RSA Archer GRC solutions.

The platform allows agencies to adapt a broad range of solutions to suit their specific requirements, build new applications and integrate with external systems without changing a single line of code. Many Fortune 500 companies have embraced RSA’s flexible strategy because it enables them to make RSA solutions their own and to model additional business processes in a fraction of the time it would take to develop traditional custom applications.

The platform enables the creation of GRC applications through point-and-click configuration that tailor to an agency’s unique methodologies. Pre-built reports and dashboards and a customizable, user-friendly web interface make the platform easy to use. And it defines and automates business processes for streamlining the management of content, tasks, statuses and approvals.

Many common applications are rolled into most RSA solutions that capture data on hardware and software inventories, stakeholders, organization structure, missions, and business processes. These common applications not only define all of the entities that FITARA wants to track and analyze, but also their relationships. What’s more, they enable advanced reporting on them. These attributes include information such as the cost of a particular piece of hardware, who bought it, who approved the purchase, what mission it supports and more. In this way, Hoover said, the GRC Platform captures the information that agencies would need to manage their FITARA goals and include in an Exhibit 53 or 300 — the budget documents that agencies use to track and justify IT investments.

Hoover said the RSA Archer Third Party Governance solution is especially applicable within a FITARA context because it vets vendors and measures their risk in addition to measuring performance metrics of projects and implementations. The RSA Archer Third Party Governance solution monitors supplier engagement performance in four categories: quality, innovation, performance and relationship. The solution:

• Provides performance metrics for third parties.

• Tracks contractual service-level agreement metrics.

• Uncovers deteriorating third-party relationships by monitoring performance metrics.

• Creates performance metrics and associates them with individual products and service engagements.

• Scores third-party performance based on the ongoing capture of performance metric data.

• Rolls up individual engagement-level performance data into an overall performance profile of each supplier.

Taken together, these solutions can enable federal agency CIOs to far better understand their IT acquisition risk metrics from multiple perspectives and track their progress in managing those risks to better outcomes.


About RSA

From cyber risk to regulations, and with the higher velocity and broader nature of risks arising from globalization and market competition, risks are changing dramatically and becoming increasingly complex. RSA Archer empowers you to manage digital risk, financial controls, regulatory compliance, business resiliency, third party and operational and enterprise risk on one configurable platform with a common framework in the context of your business, with access to the largest GRC community of partners, experts and peers. With RSA Archer, you can build your GRC program on the most configurable software in the industry. As the risk landscape changes, you can add new use cases and modify business processes all while maintaining the same taxonomies that were set up from the start.

About Four Points Technology

Four Points Technology is a CVE verified Service Disabled Veteran Owned Small Business (SDVOSB) dedicated to providing IT Products and Professional Services to the Federal Government. Four Points Technology offers solutions that support a wide variety of business initiatives specifically suited for Government organizations. Four Points Technology supplies services and products meeting numerous Cybersecurity, Data Center, Mobility, and Medical IT challenges within the Federal customer market. As an RSA Platinum partner, Four Points Technology evaluates customer challenges and helps to bring solutions that solve those problems cost effectively and with exceptional service.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to [email protected].

1152 15th Street NW, Suite 800, Washington, DC 20005 | Phone: (202) 407-7421 | Fax: (202) 407-7501

www.govloop.com | @GovLoop