Strengthen America A 21st-Century Compact

§ Legislative Act Data Technology

Federal Information Technology Modernization and Accountability

Current Status

Existing Law: Federal Information Technology Acquisition Reform Act (FITARA) (2014). Modernizing Government Technology Act (2017). E-Government Act of 2002. Clinger-Cohen Act (1996)¹

Current Authority: Office of Management and Budget (OMB) sets policy. Agency CIOs hold implementation authority. General Services Administration (GSA) provides shared services. Cybersecurity and Infrastructure Security Agency (CISA) sets security standards.

Existing Limitations: No binding modernization timeline. No penalty for agencies that fail to modernize. Technology Modernization Fund ($1B) is vastly underfunded relative to $100B annual IT spend. OMB lacks enforcement authority over non-compliant agencies. No independent technical oversight of migration quality. Citizens have no recourse when legacy system failures delay benefits.

Problem

Specific Harm: $80 billion annually maintains systems built in the 1970s-1990s². Social Security Administration COBOL systems experience 300+ hours of annual downtime. IRS processes 10% of returns manually due to system limitations. OPM breach (2015) exposed 22 million personnel records. Average federal IT project overrun: 27 months and 150% of budget³.

Who is Affected: 330 million Americans dependent on federal services. 2.1 million federal employees using outdated tools. Veterans, Social Security recipients, student loan borrowers, and passport applicants experience service delays averaging 45 days beyond statutory targets.

Gaps in Current Law: FITARA grades agencies but imposes no consequence for failure⁴. MGT Act created fund but no mandate to use it. No requirement for independent technical review of modernization contracts. No citizen complaint mechanism for service failures caused by IT systems.

Accountability Failures: Agencies self-report modernization progress to OMB (fox guarding henhouse). GAO audits are retrospective, not preventive. No independent body validates that migrations actually improve service delivery. Contractors face no penalty for failed implementations. Citizens cannot appeal service delays caused by IT failures.

Proposed Reform

Primary Policy Change: Mandate phased legacy system retirement with binding deadlines, centralized technical authority, and independent oversight separating implementation from accountability.

New Requirements:

(1) Federal Technology Service as central platform provider with FedRAMP-certified cloud infrastructure (FTS Cloud Gateway), shared service platforms for identity management, payment processing, case management, and document management, technical review boards for projects exceeding $25M, and standardized interoperability protocols (FTS Data Bridge API using OAuth 2.0 authentication and NIST-compliant encryption).

(2) Independent GAO Information Technology and Cybersecurity (ITC) team under GAO to audit migrations and adjudicate citizen complaints, headed by a Director with a 7-year term, with authority to halt projects failing quality thresholds, operate the Citizen IT Service Complaint Portal, and issue binding arbitration decisions with compensation up to $10,000.

(3) Agency CIOs must certify annual modernization milestones or face 5% IT budget sequestration.

(4) FedRAMP+ certification for all new deployments.

(5) Contractor performance bonds of 15% for implementations exceeding $50M.

(6) Legacy System Retirement Plans identifying systems exceeding 15 years or dependent on unsupported platforms, with Tier 1 Critical Systems (5-year deadline), Tier 2 Operational Systems (7-year deadline), and Tier 3 Administrative Systems (10-year deadline).

(7) Workforce modernization requiring that 60% of agency IT staff possess current certifications, with contractor expenditure not to exceed 50% of IT personnel costs by year 7.

(8) Priority Tier 1 designations for IRS, SSA, VA, State Department, Education Department, and USPS systems.

New Prohibitions:

(1) New development on legacy platforms after transition deadline.

(2) Sole-source contracts exceeding $25M for modernization work.

(3) Agency self-certification of migration success.

(4) Contracts exceeding $100M without disaggregation into modular components with at least 3 prime contractors (unless FTS certifies disaggregation would compromise system integrity).

Enforcement: Budget sequestration (5% IT allocation reduction) for non-compliant agencies with sequestered funds transferred to FTS. Contractor debarment for 3 years upon GAO ITC finding of material performance failure or 2+ "Unsatisfactory" ratings. Automatic performance bond forfeiture upon milestone failure with proceeds to Technology Modernization Fund. GAO ITC binding arbitration for citizen service complaints with 45-day initial determination and 30-day agency compliance requirement. CIO personal liability for false milestone certifications under penalty of perjury with removal, 5-year debarment from federal service, and DOJ referral under 18 U.S.C. § 1001. Quarterly congressional reporting and immediate notification for halted projects exceeding $100M.

Definitions:

"Legacy System": Any federal information technology system that (i) uses a programming language for which fewer than 10,000 active practitioners exist in the United States labor market, (ii) operates on hardware no longer manufactured or supported by the original vendor, (iii) cannot exchange data via API with other federal systems without manual intervention, or (iv) has exceeded 20 years of continuous operation without major architectural revision.

"Modernization": Migration of system functionality to FedRAMP-certified cloud infrastructure, or replacement with shared service platform operated by FTS, meeting current NIST cybersecurity standards and FTS interoperability protocols.

"FTS Data Bridge API": The standardized application programming interface operated by the Federal Technology Service enabling secure, authenticated data exchange between federal systems using OAuth 2.0 authentication, TLS 1.3 encryption, and JSON data formatting compliant with Federal Data Strategy requirements.

"Service Failure": Any instance in which a citizen application, claim, or request subject to statutory processing timeline exceeds that timeline by more than 15 business days, where the delay is attributable in whole or part to IT system malfunction, downtime, or processing backlog.

"FedRAMP+ Certification": FedRAMP High baseline authorization supplemented by additional FTS requirements for federal interoperability, data portability, and vendor lock-in prevention including mandatory data export in open formats upon contract termination.

What Changes

Before: Agencies self-report modernization progress to OMB. Citizens cannot appeal IT-caused service delays. Contractors face no meaningful penalty for failed implementations. $80B annually maintains 40-year-old systems. GAO audits occur years after failures. No binding timeline for legacy retirement.

After: Independent GAO ITC validates all milestones and audits implementations in real-time. Citizens file complaints to independent body with binding arbitration authority. Contractors post performance bonds and face debarment. 5/7/10-year mandatory retirement timeline with budget sequestration for non-compliance. Centralized FTS provides shared platforms reducing redundant development. 60% federal IT workforce requirement reduces contractor dependency.

ROI

Costs:

| Item | 10-Year |
|---|---|
| Cloud infrastructure | $35B |
| Application modernization | $20B |
| Workforce training | $8B |
| Program management including GAO ITC | $7.5B |
| Contingency | $4.5B |
| Total | $75B |

Savings:

| Item | Gross | Capture | Net |
|---|---|---|---|
| Data center consolidation | $60B | 100% | $60B |
| Duplicate system elimination | $30B | 100% | $30B |
| Reduced cybersecurity incident costs | $15B | 100% | $15B |
| Contractor dependency reduction | $20B | 100% | $20B |
| Productivity improvement | $15B | 100% | $15B |
| Downtime reduction | $10B | 100% | $10B |
| Total | $150B | | $150B |

Societal Benefits:

| Benefit | Annual | NPV (3%) | NPV (7%) |
|---|---|---|---|
| Service delivery time reduction | $2.5B | $21.3B | $17.5B |
| Reduced citizen opportunity costs | $1.8B | $15.3B | $12.6B |
| Enhanced security confidence | $1.2B | $10.2B | $8.4B |
| Total | $5.5B | $46.8B | $38.5B |

Summary:

| Category | 10-Year | Notes |
|---|---|---|
| Implementation Costs | -$75B | Cloud, modernization, training |
| Federal Budget Savings | +$150B | Operational efficiencies |
| Net Federal Impact | +$75B | 100% ROI |
| Societal Benefits (NPV 3%) | +$46.8B | Service improvements |

Federal Budget Impact: Net positive $75B over 10 years through operational savings exceeding implementation costs.

Societal Benefits: Citizens experience 40% faster service delivery, reduced opportunity costs from delays, and enhanced confidence in federal digital services.

Summary: Net federal savings of $75B over 10 years with additional $46.8B in societal benefits (3% NPV). Legacy system count reduced 80% by year 7. Cybersecurity incidents reduced 60%. Citizen complaint resolution within 45 days at 95% rate.

References

  1. Federal Information Technology Acquisition Reform Act, Pub. L. 113-291 (2014); Modernizing Government Technology Act, Pub. L. 115-91 (2017); E-Government Act, Pub. L. 107-347 (2002); Clinger-Cohen Act, Pub. L. 104-106 (1996)

  2. OMB Federal IT Dashboard Annual Reports (2020-2024)

  3. GAO-21-86, "IT Modernization: Agencies Need to Improve Planning and Implementation" (2021)

  4. FITARA Scorecard, House Oversight Committee (2024)

  5. GAO-23-106594, "Federal IT: OMB Needs to Address Shortcomings" (2023)

  6. UK Government Digital Service (GDS) model establishing centralized platform authority; Estonia X-Road interoperability framework achieving 99.9% digital service availability; Singapore GovTech centralized technical authority model; Australia Digital Transformation Agency shared services approach

  7. Chevron U.S.A. v. NRDC (1984) regarding agency technical discretion; Mathews v. Eldridge (1976) regarding due process in benefits determinations applicable to GAO ITC arbitration authority

Change Log

Section 2(c) - Added GAO Information Technology and Cybersecurity (ITC) team: Created independent oversight body under GAO with binding arbitration authority for citizen complaints and power to halt failing projects. Red Team Reasoning: Original proposal had OMB setting policy and agencies self-reporting—classic fox-guarding-henhouse structure. Citizens experiencing passport delays or benefits denials due to IT failures had no recourse except to the same agency that failed them. GAO ITC creates structural separation between implementation (FTS/agencies) and accountability (GAO). Modeled on UK National Audit Office IT review function and Estonia's independent digital ombudsman.

Section 2(a) - Formalized "FTS Data Bridge API" with technical specifications: Replaced vague "data sharing" and "interoperability standards" with specific technical requirements (OAuth 2.0, TLS 1.3, JSON formatting, NIST compliance). Red Team Reasoning: Original text referenced "shared service platforms" and "interoperability" without technical precision. Federal IT failures often stem from undefined interface requirements. Specifying authentication protocol, encryption standard, and data format creates enforceable contract terms and enables GAO ITC to audit compliance objectively. Follows Estonia X-Road technical specification model.

Section 2(d) - Added contractor performance bonds and debarment: Required 15% performance bonds and 3-year debarment for material failures. Red Team Reasoning: Original "competitive procurement" language created no consequence for contractor failure. Healthcare.gov, FBI Sentinel, and Census 2020 IT failures demonstrate contractors face minimal penalty for cost overruns and missed deadlines. Performance bonds create immediate financial consequence. Debarment registry prevents serial failure. UK Crown Commercial Service model requires similar bonding for major digital contracts.

Section 3(a) - Established binding arbitration with explicit prohibition on agency self-appeal: Citizens appeal IT-caused service failures to GAO ITC, not the agency that caused the delay. Red Team Reasoning: Without this provision, a veteran whose benefits are delayed due to VA IT system failure would appeal to the VA. This violates basic due process and ensures no structural incentive to fix root causes. GAO ITC binding arbitration follows Administrative Conference of the United States recommendations on independent adjudication and mirrors Consumer Financial Protection Bureau complaint resolution authority.

Section 2(b) - Added 5% budget sequestration for milestone failure: Replaced voluntary "critical success factors" with automatic budget consequence. Red Team Reasoning: Original proposal listed "strong executive sponsorship" and "sustained congressional support" as success factors—aspirational language with no enforcement mechanism. Agencies have ignored FITARA grades for a decade with no consequence. Automatic sequestration creates structural incentive. Transferred funds to FTS ensure modernization continues even if individual agency leadership fails. Follows Congressional Budget Act sequestration model.

Section 4 - Added "Service Failure" and "FedRAMP+ Certification" definitions: Created legally precise definitions enabling GAO ITC jurisdiction and preventing vendor lock-in. Red Team Reasoning: Original lacked definitions enabling citizen complaints ("when is a delay actionable?") and allowed agencies to claim FedRAMP compliance while remaining locked to single vendors. "Service Failure" threshold (15 days beyond statutory timeline) creates clear GAO ITC jurisdiction trigger. "FedRAMP+" mandatory data export requirement prevents the cloud vendor lock-in that has trapped UK NHS and other government systems.

Oversight Body Consolidation (December 2025): Consolidated FITAO (Federal IT Accountability Office) into GAO Information Technology and Cybersecurity (ITC) team per Federal Oversight Consolidation Act. Red Team Reasoning: Consolidating 35 oversight bodies into 4 empowered entities reduces bureaucratic fragmentation while maintaining binding accountability.

2025-12-07 - Legislative Language Removal: Merged unique provisions into Proposed Reform. Deleted Legislative Language section.

2025-12-07 - Inline Citations: Added superscript citations. Standardized References section.

2025-12-07 - Template Standardization: Converted ROI section to standard table format. Broke semicolon chains into separate sentences. Applied consistent spacing between bullet points. Removed timeline language and speculative language. Maintained technical terminology.

2025-12-11 - Zero New Bodies Architecture: Updated oversight entity references per Federal Oversight Consolidation Act. Replaced proposed GAO divisions with existing infrastructure (GAO teams, DOJ OIG). No new bureaucratic entities created.