FITARA Cybersecurity Score Objectives

Most federal government IT projects (82%) are now being implemented using practices laid out in the FITARA scorecard. FITARA, enacted in 2014, has enabled government offices to save nearly $25 billion on IT projects, per a top Government Accountability Office (GAO) official (via FedScoop). However, reports say that federal agencies’ scores went down in FITARA 14, primarily due to the sunset of the data center category and a change in the cyber category. Even though FITARA requirements constantly change, its purpose remains the same: to help determine individual federal agencies’ cybersecurity posture. FITARA helps agencies focus on their security, privacy, and IT environment management by having a set of guidance from which to manage their information security and privacy programs. FITARA enables agencies to address risks at their root cause and proactively identify areas for improvement. It allows for the prioritization of resources for agencies to meet mission commitments.

FITARA has two main objectives. The first objective is to provide appropriate visibility and involvement of the agency CIO in the management and oversight of IT resources and support the successful implementation of cybersecurity policies and prevent interruption or exploitation of program services, including:

The second objective is to eliminate duplication and waste in information technology acquisition and consolidate infrastructure for the federal government. Here are the top ways to achieve this goal:

The first step is to develop a risk assessment methodology. By doing so, your organization will be able to focus on the NIST Pillars utilized for the cyber maturity model compliance, the basis for FISMA compliance, and the FITARA cybersecurity score. In this step, you should project a census with a repository of IT investments and track major and minor risks. You should also gather input that involves stakeholders and subject matter experts to determine the early indicators of a project going off track. You will also need to schedule a time to review with the GAO, as the score partially depends on their understanding and involvement. The second step is to assess and simplify the risk rating process by submitting a plan and sharing it for review within the CIO council. You should grant IT work capital funds to the CIO to enable them to retire legacy systems, remove inefficient applications, and deposit savings for modernization efforts and critical cyber programs. Part of this step is identifying the key metrics to calculate risk ratings. Build a process and tools to make risk assessment and reporting easy. You also need to schedule facilitated monthly team meetings and maintain a record of why you rated project risks as you did and the data you used to make your decision. The third step is to document and track identified risks. Evaluate data center efficiency and decrease hardware and software costs by reducing the required servers. This will dramatically mitigate the agency’s attack surface and improve your FITARA scores. You will also need to compile risks across projects into the form required for the IT dashboard and document an approach to aggregation. You must report all data and the IT dashboard to the OMB and get monthly cadence with reporting data.

Transitioning to a Zero Trust Architecture (ZTA) helps provide organizations the ability to meet FITARA cybersecurity score objectives and maintain a high score. By partnering with Alpha Omega Inc. (AOI) you will be able to transition to ZTA while achieving optimal security and keeping costs to a minimum. AOI helps federal agencies devise a clear roadmap to ZTA and achieve each milestone successfully. AOI can offer support with your agency’s score, by providing:

If you want to learn more about how AOI helps agencies transition to ZTA, achieve the objectives of FITARA scorecards, and improve their FITARA scores, feel free to reach out.