FITARA Pt. 2 – Senate Links Funding and IT Program Risk
Published: July 08, 2014
While the fate of the current Federal IT Acquisition Reform Act (FITARA) is still unclear, key provisions in the Senate version could cost agencies IT dollars if they do not effectively manage IT program risk and performance.
Last week, I looked at some of the major differences in CIO authorities and requirements that currently exist between the House and Senate versions of FITARA. This week I want to look at how these bills address IT program risk.
The House and Senate both have provisions for reporting and data quality for major IT investments, including investment risk:
“… the agency Chief Information Officer and the program manager of the investment within the agency shall certify, at least once every quarter, that the information is current, accurate, and reflects the risks associated with each listed investment. The Director shall conduct quarterly reviews and publicly identify agencies with an incomplete certification or with significant data quality issues.” (House Sec. 505; Senate Sec. 102.)
So both versions make federal CIOs responsible for quarterly updates to the information on the IT Dashboard, addressing any risks or data quality issues associated with each investment. But the Senate bill goes beyond this language to tie IT program risk directly to effective program management and future budgets.
Future Funding Tied to IT Program Risk Management
For each major information technology investment, Section 102 of the current Senate bill would require the Chief Information Officer to categorize the investment according to level of risk, with the following parameters:
- A risk rating may not be lower than the higher of the cost rating and schedule risk rating of the investment, as determined in accordance with guidance issued by OMB; and
- The level of risk may not be lower than medium risk for any investment determined by the CIO and program manager to not employ incremental development, as determined in accordance with capital planning guidance issued by OMB.
Further, for any investment that is rated as “high risk” for four consecutive quarters, the agency CIO and OMB must determine why the investment continues to be considered “high risk,” how the CIO and OMB can address those risks, and whether the project is likely to succeed. Results of these reviews are to be sent to the relevant Congressional committees.
If within one year of the date of completion of the review the investment is still evaluated as “high risk,” the Senate bill would require the OMB Director to deny any request for future development, modernization, and enhancement (DME) funding until the agency CIO certifies that the root causes have been addressed and there exists sufficient capability to deliver on the investment within the planned cost and schedule.
Supposing that the Senate language survives the reconciliation process and eventually becomes law, this would put a two-year window on IT programs that remain in “high risk” status before their DME funding would be disrupted. Yet this does seem to provide plenty of leeway to avoid the funding disruption. If a program falls from “high risk” status in any one quarter of the four-quarter window, the clock would reset. Further, it is possible that struggling programs could be deemed worthy of funding increases to overcome short-term challenges and get back on track. So it is conceivable that struggling programs could avoid the scrutiny of Congress and funding disruptions with some creative effort.