FITARA — Federal Information Technology Acquisition Reform
The Federal Information Technology Acquisition Reform Act (FITARA, 40 U.S.C. § 11319, enacted as part of the FY2015 NDAA) is the most significant federal IT management law since the Clinger-Cohen Act of 1996. FITARA strengthens the authority of federal Chief Information Officers (CIOs) over IT spending, giving agency CIOs direct control over the planning, programming, budgeting, and execution of IT investments — addressing the longstanding problem of IT spending decisions being made by program offices without CIO involvement or oversight. The federal government spends approximately $100 billion per year on IT, and before FITARA, much of that spending occurred outside the CIO's visibility or control. FITARA requires agency CIOs to approve the IT budget requests of all bureaus and components, mandates incremental development practices (no more than 6-month delivery cycles for major IT projects), requires portfolio reviews (TechStat sessions) for at-risk projects, and directs agencies to consolidate data centers. Congress monitors FITARA compliance through a semi-annual FITARA Scorecard that grades each agency (A through F) on IT management metrics — creating a public accountability mechanism that has driven significant improvements across government.
Current Law (2026)
| Parameter | Value |
|---|---|
| Governing law | 40 U.S.C. § 11319 (FITARA, 2014); 40 U.S.C. §§ 11301–11331 (Clinger-Cohen Act, 1996) |
| Annual federal IT spending | ~$100 billion |
| CIO authority | Agency CIOs must approve all IT budget requests; authority over hiring IT staff |
| Incremental development | Major IT investments must use development cycles of no longer than 6 months |
| Data center consolidation | Agencies must close unnecessary data centers (FDCCI/DCOI) |
| FITARA Scorecard | Semi-annual Congressional scorecard grading agencies A–F on IT management |
| Covered agencies | CFO Act agencies (24 major agencies listed in 31 U.S.C. § 901(b)) |
| Key oversight | GAO High-Risk List: Federal IT Acquisition and Operations Management |
| Portfolio review | TechStat accountability sessions for at-risk IT investments |
Legal Authority
- 40 U.S.C. § 11319 — Resources, planning, and portfolio management (agency CIOs must approve the IT budget for their entire agency; CIOs must conduct annual IT portfolio reviews; incremental development required — no more than 6 months per delivery cycle)
- 40 U.S.C. § 11315 — Agency Chief Information Officer (CIO responsibilities include IT capital planning, enterprise architecture, and information security oversight)
- 40 U.S.C. § 11302 — Capital planning and investment control (OMB Director oversees governmentwide IT investment management; must establish policies for IT capital planning and performance measurement)
- 40 U.S.C. § 11301 — Responsibility of Director (OMB Director sets IT management policies, designates standards, and oversees agency compliance)
How It Works
FITARA's most transformative provision is CIO budget authority: before the Act, program offices routinely made IT buying decisions independently, producing duplicative systems and incompatible platforms. FITARA (40 U.S.C. § 11319) requires agency heads to ensure their CIO has authority over the entire IT budget — including sub-agencies and components — and that the CIO approves IT budget requests before they go to OMB. This shifts IT from a decentralized, uncoordinated function to a centrally managed enterprise capability. Alongside this authority, FITARA codifies the shift away from massive multi-year waterfall IT projects — GAO had documented that 94% of large federal IT projects were over budget, behind schedule, or failed entirely — by requiring that major IT investments use development cycles of no longer than 6 months, delivering working functionality in increments rather than waiting years for a "big bang" deployment.
The House Oversight Committee enforces these principles through a semi-annual FITARA Scorecard grading each of the 24 CFO Act agencies on CIO authority, IT Dashboard transparency, data center consolidation, software licensing (MEGABYTE Act), cybersecurity, and incremental development — grades range from A to F, and a failing grade generates direct congressional attention and media coverage, making the scorecard one of the most effective accountability tools in federal IT oversight. FITARA and subsequent guidance also directed agencies to close unnecessary data centers through the Data Center Optimization Initiative (DCOI): the federal government operated over 12,000 data centers before consolidation began, and thousands have been closed, saving billions of dollars while agencies migrate to cloud services.
OMB Circular A-130 — Managing Federal Information as a Strategic Resource
OMB Circular A-130 ("Managing Federal Information as a Strategic Resource," July 28, 2016) is the government-wide policy framework that treats federal information — data, records, privacy, security — as an asset to be strategically managed throughout its lifecycle. Where FITARA focuses specifically on IT acquisition and CIO authority over IT investments, A-130 sets the broader policy context: why agencies collect information, how they must protect and share it, and what governance structures must exist. Together, FITARA and A-130 form the legal and policy architecture for federal information management.
The 2016 revision was the most significant update to A-130 since its original issuance in 1985. It replaced prescriptive, process-heavy rules with principles-based guidance organized around three themes:
1. Information as a Strategic Resource: Agencies must treat information as a government-wide asset — not proprietary to the collecting program office — that should be shared, reused, and made publicly available by default. The circular explicitly rejects the historical assumption that information collected by one program is irrelevant to others. It requires agencies to develop information resource management (IRM) strategies that address how information assets support mission objectives. The Chief Information Officer is responsible for coordinating IRM across the agency, in alignment with FITARA's CIO authority provisions.
2. Privacy and Civil Liberties: A-130's most substantive 2016 expansion was in privacy governance. The circular now requires:
- Senior Agency Official for Privacy (SAOP): Every agency must designate a senior official responsible for implementing the agency's privacy program, advising the agency head on privacy implications of programs and systems, and ensuring compliance with the Privacy Act and other privacy laws
- Privacy Impact Assessments (PIAs): Required before developing or procuring any information system that collects, maintains, or disseminates information in identifiable form from or about members of the public. PIAs assess what information is collected, how it is shared, and what privacy risks exist
- System of Records Notices (SORNs): Under the Privacy Act (5 U.S.C. § 552a), agencies must publish a SORN in the Federal Register whenever they create or significantly modify a system of records — a group of records from which information is retrieved by personal identifier. A-130 requires agencies to review all existing SORNs periodically and publish new or amended SORNs when systems change
- Privacy continuous monitoring: Agencies must monitor privacy controls on an ongoing basis, not just at system authorization — aligning privacy monitoring with the NIST Risk Management Framework's continuous monitoring requirements
3. Security and Risk Management: The 2016 revision deleted A-130's outdated prescriptive IT security requirements (the former Appendix III) and replaced them with a principles-based framework that defers to FISMA, NIST standards, and the RMF for technical security requirements. A-130 now establishes the governance context: information security is everyone's responsibility; security and privacy must be integrated from the beginning of system design (not retrofitted); and agencies must balance security requirements with mission needs and open government principles.
Open Government Data: A-130 establishes that openness is the default — agencies should make information publicly available unless a specific legal basis (privacy, security, confidentiality) justifies restriction. This principle was reinforced by the Open Government Data Act (2018), which codified many of A-130's data sharing principles in statute. The circular requires agencies to proactively disclose information in machine-readable formats where feasible, consistent with the Open Data policy implemented through OMB Memo M-13-13.
| Parameter | Value |
|---|---|
| Document | OMB Circular A-130 |
| Original issuance | December 12, 1985 |
| Last major revision | July 28, 2016 |
| Statutory authority | Paperwork Reduction Act (44 U.S.C. § 3506); Clinger-Cohen Act (40 U.S.C. § 11301); Privacy Act (5 U.S.C. § 552a) |
| Applies to | All executive branch agencies |
| Key appendices | Appendix I (responsibilities for protecting federal information); Appendix II (privacy program requirements) |
| Companion circulars | FITARA (A-130 policy + FITARA CIO authority = federal IT governance) |
How It Affects You
<!-- pria:personalize type="impact" -->If you're a federal CIO or senior IT official at a CFO Act agency: FITARA (40 U.S.C. § 11319) gives you statutory authority that most agency CIOs lacked before 2015 — you must approve all IT budget requests from every bureau and component before they go to OMB. This is a budget gate, not an advisory function. Use it to identify duplicative systems, enforce cloud-first strategy, and require modern agile development practices. The FITARA Scorecard — published semi-annually by the House Oversight Committee — grades your agency from A to F on CIO authority, IT Dashboard transparency, data center consolidation, software licensing (MEGABYTE Act), cybersecurity, and incremental development. A failing FITARA grade generates direct congressional attention. For at-risk investments, use TechStat accountability sessions to surface problems early — federal IT disasters (Healthcare.gov, FBI Virtual Case File, VA scheduling system) almost universally reflect failure to catch scope creep and delivery problems while there was still time to course-correct. The Technology Modernization Fund (TMF) provides centralized reimbursable funding for modernization projects that are ready to move but need upfront capital.
If you're a federal program manager or agency official who needs to buy IT for your program: Your IT spending is now subject to CIO review and approval — and engaging the CIO's office early is the path of least resistance. Before FITARA, program offices bought duplicative systems and chose incompatible platforms; FITARA routes that into a portfolio management framework. Practical implication: bring your IT requirements to the CIO's office before you finalize your acquisition strategy. The CIO's office can identify existing enterprise systems or government-wide contract vehicles that meet your needs without a new procurement. The incremental development requirement (delivery cycles of no longer than 6 months) changes how you write requirements — instead of a 5-year system delivery, define working milestones you can receive and validate quarterly. For IT investments above the OMB IT Dashboard reporting threshold ($50,000 annually), your project data will be publicly visible at itdashboard.gov — cost, schedule, and performance ratings watched by GAO and congressional staff.
If you're an IT vendor, systems integrator, or technology contractor competing for federal IT work: FITARA changed what agencies are buying. Multi-year, monolithic, fixed-price contracts for large custom systems are increasingly out of favor — iterative delivery, cloud-native architecture, and open-source components are what FITARA-compliant agencies need. The FITARA Scorecard's incremental development metric creates direct procurement pressure: agencies scoring poorly on incremental development face congressional scrutiny, creating demand for vendors demonstrating 6-month delivery cycles. Cloud contract vehicles (GSA's SEWP, NASA SEWP, DOD JWCC and successors) — procured under the Federal Acquisition Regulation — are the primary pathway to large federal IT revenue. The MEGABYTE Act creates audit pressure on software license counts — vendors whose licenses are audited face pressure to right-size. The largest near-term opportunity: the Technology Modernization Fund funds migration of legacy COBOL-era mainframes to modern platforms — there is significant pent-up demand for this work across virtually every major federal agency.
If you're a citizen tracking how the federal government spends $100 billion annually on IT: The IT Dashboard (itdashboard.gov) publicly tracks major federal IT investments — project costs, schedules, and performance ratings. Red-rated projects are in trouble; green means on track. The FITARA Scorecard (House Oversight Committee, semi-annually) grades each of the 24 largest agencies A through F on IT management — it's the most accessible public accountability tool for federal technology spending. For context: GAO documented that 94% of large federal IT projects were over budget, behind schedule, or failed to deliver before FITARA's enactment. Data center consolidation alone has saved over $2 billion since the initiative began. The broader IT accountability picture — OMB's annual report to Congress, GAO's High-Risk List, and inspector general reports on specific IT failures — is all public. GAO has kept Federal IT Acquisition and Operations Management on its High-Risk List for years, noting persistent challenges in program governance, workforce capability, and legacy system modernization that FITARA has partially but not fully addressed.
<!-- /pria:personalize -->
State Variations
<!-- pria:personalize type="state-specific" -->FITARA applies only to federal agencies:
- Several states have enacted their own IT governance reform laws modeled on FITARA
- State CIO authority varies significantly — some states have strong centralized CIOs; others leave IT decisions to individual agencies
- No state has a public scorecard equivalent to the federal FITARA Scorecard
- State IT spending is not tracked by the federal IT Dashboard
Implementing Regulations
- OMB M-15-14 — Management and oversight of federal information technology (FITARA implementation guidance — CIO authority, IT portfolio review, data center optimization, incremental development)
- OMB Circular A-130 — Managing information as a strategic resource (IT governance, cybersecurity, records management)
- 40 U.S.C. § 11319 — FITARA statutory framework for agency CIO authorities (codified CIO role in IT budget, procurement, and workforce decisions)
Pending Legislation
No standalone FITARA reform bills have been introduced in the 119th Congress. Federal IT provisions appear in broader technology and government operations legislation — see E-Government Act and Federal Information Security (FISMA).
Recent Developments
The FITARA Scorecard has evolved through 17+ iterations, adding new categories (cyber, software licensing, cloud) and refining grading methodologies. Most agencies have improved from Ds and Fs in early scorecards to Bs and Cs (with a few As). OMB's cloud-first/cloud-smart policies build on FITARA's foundation. The Technology Modernization Fund (TMF), created in 2017, provides centralized funding for IT modernization aligned with FITARA goals. GAO continues to list federal IT acquisition and operations management as a government-wide high-risk area, though noting significant progress since FITARA's enactment. The growing importance of AI, cybersecurity, and digital services — including compliance with FISMA security requirements — has increased the profile and authority of federal CIOs well beyond what existed before FITARA.