By: Tonya Mead, CHFI, CFE, PhD, MBA, M.Ed, School Psychologist

The U.S. Department of Education in 2019 received an “A” grade for its efforts to implement the Federal Information Technology Acquisition Reform Act (FITARA). In previous years, as reported here on this site, results of the agency- wide evaluation was not as stellar. Just three years ago, the agency earned a “D” FITARA score. What might CIOs of state departments of education, districts and local school sites use about this experience and apply for improved IT performance and enhanced security measures?

Before we answer the question, let’s take a look at how the federal educational agency IT efforts evolved. Incidentally, 2019 marks the “the first time in the history of the scorecard that more than one agency received the top rating, and it’s the third straight report card that no agency received an “F” grade” according to Jason Miller of Federal News Network (December 11, 2019). Why the monumental shift? It may have something to do with the changes in the FITARA scoring criteria. December 2019 marks the ninth version of the FITARA score card. To download the full 2019 OIG FITARA Scorecard Report, click here.

As a background, the Congressional Committee for Oversight and Reform, chaired by Reps. Carolyn Maloney and Jimmy Gomez (the minority ranking committee member has been vacant as of March 30, 2020) graded 25 federal agencies on these four pieces of federal legislation:

1. Federal Information Technology Acquisition Reform provisions (FITARA)
2. Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 (MEGABYTE),
3. Modernizing Government Technology (MGT) Act, and
4. Federal Information Security Modernization Act of 2014 (FISMA).

The final grades were based upon scoring methodologies established by the committee for seven critical infrastructure areas. The operational reviews, collection of the data and initial scoring was conducted by the Government Accountability Office (GAO) under the committee’s direction.

US Department of Education FITARA Scorecard December 2019

Let’s analyze each of the scored areas and suggest how states and localities can apply the FITARA methodology to grade the performance, investments, cost savings, and security of its information technology infrastructure .

1. Incremental Development. Have you ever been pressured by your Contracting Officer on the state or district level to bundle most of your IT requirements and requisitions into one possible contracting vehicle? According to the FITARA scoring methodology, “poor-performing projects have often used a “big bang”—that is, projects that are broadly scoped and aim to deliver functionality several years after initiation.” Local Implications: (a) I have observed such results while working at one of the largest urban school districts in America. The district spent millions of dollars and at the end of the contract, the system was not functional and incompatible with the operating system in use at the time. It might be a good idea to fight back and or break contract specifications in chunks when asked to bundle long term IT work. (b) Second, as a result of my observations, when I scoped out my IT projects as a contract representative for areas in my purview, I added highly detailed milestones, which served as a checkpoint on the status of the work, daily, weekly and monthly “check-ins” and deliverables and reports to catch any possible design defect, inoperability or resource needs well before the contract clock ran out and time for delivery of the final product was at hand. As with my experience, “OMB has required agencies’ investments to deliver functionality every 6 months.”
2. Risk Management. This area of the scorecard “rewards the agencies that are reporting more risk, because the string of high-profile federal IT failures demonstrates that increased attention is needed in this area.” Local Implications: In my experience, this is a sound recommendation. I recall playing a lead role in the transition from paper based assessments to computer-based assessments for a large district. When I made the recommendation to mandate that all schools conduct infrastructure trials, there was a political push to remove the mandate and communicate to the local education agency heads that preliminary infrastructure trials were merely ‘voluntary.’ After explaining that the purpose of the trials were to mitigate the possible risk of colossal failures on the actual days of assessment, there was less kickback. However, it can not be underestimated the importance of risk management. At the time, the infrastructure trial served as a tool for assessing risk and identifying weaknesses such as (a) severed fiber optic cables, (b) internet outages, (c) limited bandwidth, (d) dead zones, (e) inadequate server storage capacity, (f) electrical circuit overloads, and (g) flawed computer algorithms to name just a few. When attempting to adopt a major transition, it is vital to assess risk and develop contingency plans.

Other articles you may find of interest

• Post- Technology and Cyber Threats in Schools
• Post- Insider Threats and Data Breaches
• Post- Hack to prove enrollment
• Post- Cyber scammers target schools
• Post- 2016 Botnet grade in education- graph
• Post- Botnets and identity theft in education
• Post- WTF? CDI says don’t worry about threat in schools
• Presentation- The exploitation of minors to gain confidential information
• Post- Internet filters and monitors in schools
• Post-  Summertime, kids and cyber threats

3. Portfolio Savings. One of the key elements of the FITARA is to require the 24 federal agencies that includes the U.S. Department of Education, “to increase efficiency and effectiveness, and identify potential waste and duplication.” Local Implications: On the state and district level, this is an area in need of a lot of attention. In my humble experience, I strongly advocated for the alignment of certain segments of district education operations so that they could operate in tandem and not at cross purposes with intra agency programs and divisions. For instance, do separate IT systems for the activities of (a) monitoring, (b) compliance, (c) teaching and learning, (d) professional development, and (e) data reporting exist that could be better designed to work together? Especially since the underlying data (i) end user, (ii) school, (iii) location, (iv) school year are roughly the same? Unfortunately as in the private sector, there exists longstanding vendor preferences, fiefdoms, turf wars and personality clashes that serve to impede the synergistic approach. On account of this, there are still certain divisions and departments within any state and local education agency that insists on using their own proprietary system which causes unnecessary inefficiencies, higher costs, waste and duplication.
4. Data Center Consolidation. FITARA requires federal agencies to develop and implement a strategy for “consolidating and optimizing the data centers (to include planned cost savings), and quarterly updates on progress made.” Local Implications: While I am somewhat critical of my experiences with IT initiatives in education on the district level for a particular district, this is one area that deserves accolades. During my experience there, on account of the identical nature of the underlying data used most often in an educational agency, this agency established an inter-agency operating agreement with the local district health and human services agency to collaborate on data sharing, collection, storage and reporting. This initiative may be of interest to other state and district CIOs looking for areas to save costs and avoid duplication, particularly as state lock downs and stay-at-home orders issued by state governors and mayors may in the future require the need to drastically cut costs due to significant declines in tax revenue.
5. Software Licenses. FITARA scoring methodology requires federal agencies to “establish a comprehensive, regularly updated inventory of software licenses and analyze software usage to make cost-effective decisions.” Local Implcations: State education agencies along with their federal counterparts could potentially save millions of dollars by tracking and managing software licenses. For instance, EdWeek reported on May 14, 2019, “on average, 67 percent of educational software product licenses go unused.” Needless to say, this may be a low hanging fruit from which to pluck for generating savings in the era of projected declines in tax revenue on account of the Coronavirus pandemic.
6. Information and Cyber Security. The Congressional Committee on Oversight and Reform stipulates that federal agencies “establish working capital funds for use in transitioning from legacy IT systems, as well as for addressing evolving threats to information security.” Local Implications. This is one area for which I am enormously interested and have written here about significant cyber security threats existing at local education agencies, schools, why schools are easy targets by scammers, general denial of the cyber threat, insider data breaches, and the threat to data privacy. As well as presented before NIST (National Institute of Standards and Technology) for FISSEA (Federal Information Systems Security Education Association) about the exploitation of student information. I am not alone in this endeavor, on October 13, 2019, EdTech reported that there were ” 712 publicly disclosed cybersecurity-related incidents involving U.S. public schools since 2016, according to the K–12 Cyber Incident Map.” And, “in 2018 alone, 122 incidents affected 119 public K–12 education agencies, a rate of about one new publicly reported incident every three days of the calendar year, according to The K–12 Cybersecurity Resource Center, which researches education, technology and public policy issues.” I’m sure that CIOs are well aware of the dangers of porous cyber security investments. Just this year, a district for which I provided contract work was impacted by ransomware that required FBI intervention. Don’t let it happen in your state or local municipality.
7. CIO Authority. The final component of the FITARA scorecard is CIO authority. The committee requires that federal CIOs (Chief Information Officers) have significant roles in agency IT decisions and report to the Agency Head. Local Implications. I’ve had personal experience with this element and have only positive comments for your to consider. For almost six months, during the heavy federal reporting requirements for state CIOs (October through March), I was tasked with serving as the point person by the CIO to gather voluminous data sets and files (that lacked prior data maps, unified formatting structures, etc) in the absence of the Director of Data and Reporting and take a lead role in ETL (extraction, transformation, and loading). activities. I was able to watch firsthand how the CIOs advanced agency goals hand-in-hand with the State Educational Agency Director/Superintendent. In my view, there is no way that any agency’s goals can be achieved without this reporting structure. And, in fact, it was without this reporting structure in place in the past, that caused poor ETL and inability to meet federal reporting deadlines by the previous CIO.

I hope that this article has been helpful for state and district level CIOs as they work to apply the FITARA scorecard methodologies at their own agencies. Without careful planning, oversight and reform, many states may remain in the “D” FITARA scoring area, as was the U.S. Department of Education in 2016. If you will recall, on May 2016, the U.S. Department of Education received an overall score of ‘D’ for its efforts to implement FITARA. Please, let us consider using this article as a basis for advancing your information technology initiatives at your state and local government.See below.

Dr. Mead, PhD, MBA, MA http://www.ishareknowldge.com is a consultant specializing in human behavior, school and social psychology. She can be contacted at: tonya at ishareknowledge dot com