3. eRA modernization is improving the eRA brand. eRA continues to modernize its technology, including:

• Login.gov – In close collaboration with Login.gov and NIH Login, eRA implemented 2-Factor Authentication for all external users to protect their accounts and data, and is currently working to implement it as a mandatory requirement
• Struts to Spring MVC migration – improving eRA security posture and providing better user interfaces
• Completing numerous security projects – eRA is recognized across NIH as taking security seriously and having an excellent security posture and program
• Emerging Technologies – eRA in collaboration with NIGMS developed a Natural Language Processing (NLP) framework being used in the internal referral business area, with strong potential for use in other business areas. eRA is also looking into opportunities to utilize Artificial Intelligence (AI) to possible increase the automation of business processes
• New User Experience (UX) Style Guide – eRA implemented a new standardized look and feel to improve user experience across all modules.

4. eRA performance and delivery are improving the eRA brand.

a. Continue Cloud Migration of all eRA Infrastructure

b. Implementation of the Mandatory Two-Factor authentication for eRA's modules

c. Internal Referral Module (IRM) Natural Language Processing for NIGMS and NLP algorithm experiments with NIAID and other ICs

d. Peer Review Online Critique Templates (OCT) Capabilities

f. Other Transaction Authority that are especially important given OT authorities just issued by Congress.

g. Funding Opportunity Announcement Module (FOAM) enhancements 

h. Committee Management project which supports the Optimize NIH activities

i. GM Redesign

j. Expansion of ASSIST module for Submission of Administrative Supplements

k. Numerous capabilities for NIH ICs and Agency Partners

l. Support for 100% virtual peer review meetings during covid pandemic

m. FFR/PMS Transition

n. Internet Assisted Review (IAR) Meeting Dashboard

o. Internet Explorer Browser Phaseout

p. Enhanced User Interface Updates

q. eRA and Loan Repayment (LRP) Integration

5. eRA's increased focus on security and compliance resulting in:

a. Improving technical, policy and process documentation

b. Improving compliance

c. Moving towards mandating 2-factor authentication

d. Proactively refactoring  components of eRA systems to address potential security concerns

e. Standardizing security and technical management of all OER systems

6. eRA contractors are funded through 2022. With all funding received, eRA will be able to maintain the current contractor support though FY2022. 

7. CIF and DDF O&M requirement is a model for sustainable IT funding. CIF's and DDF's requirement that proposed budgets include a line item for outyear O&M funding is a model for the sustainable funding of all NIH extramural IT.

8. OER collaboration with OCIO and CIT. OER continues collaborating with OCIO and CIT and the efforts are becoming more coordinated. eRA has been an active participant in trans-NIH technical groups (ITMC, ESWG, numerous working groups) and participated in the Optimize NIH IT Security initiative.

9. OER/eRA Collaboration with CIT on 2-factor authentication. OER/eRA has been working with CIT on implementing 2-factor authentication security requirements for both grantor and grantee staff. The mandatory grantor phase has been successfully delivered. The optional use of 2-factor authentication for grantees leveraging fed-wide Login.gov capabilities has also been delivered in collaboration with HHS, and the mandatory requirement has been rolled out to the Peer Reviewer community. To date, eRA communications and instructions have helped over 63,000 users register for Login.gov.

Negative Factors

1. Increasing Audit Burden: the audit burden on eRA has been steadily increasing, to the point of presenting a risk to the program and to NIH, as more and more time and effort are required of eRA staff to respond to auditor's requests, to the detriment of keeping the system stable and secure. In addition to A-123, FISCAM and DATA Act audits, eRA continued to participate in the GAO Cybersecurity audit, OIG Information Technology Readiness, and supported nummerous OIG audits of NIH.

a. In 2021, in addition to the A-123 and FISCAM, eRA has been involved in the wrap-up of the GAO Cybersecurity audit and is also participating in the DATA Act audit.

b. So far in 2021 eRA has produced over 75 times more documents for auditors than in 2015. Factors that contribute to increasing audit burden include:

i. Duplication of data and documentation requests across audits

ii. Deeper and broader audit scope

iii. Holding systems to different standards

iv. FISCAM no longer leveraging A-123 testing, therefore requiring eRA to respond to almost the same (but slightly different) questions

2. eRA current commitment base (SSF) only funds the first two legs of the eRA three-legged stool: Maintain, Enhance, and Refresh

a. Maintain: Keeping the lights on, includes security patching. Current commitment base covers maintenance only.

b. Enhance: Can be business enhancements or technical enhancements. Adding features to the existing platform, gradual improvements, often in a phased approach. Would be an area where eRA could use more funding to keep systems up to date. Current commitments fund enhancements on an ad hoc basis.

c. Refresh/Redesign: New platform.

i. Not only regular technical refreshes are not funded by SSF, but if a technology is no longer supported and must be replaced we must take money from elsewhere or apply for additonal funding to support the refresh/redesign.

ii. Historically, most eRA refresh and modernization efforts have been funded by one-time alternative sources of funding (DDF/CIF/Professional Judgment), which makes it difficult for eRA to develop long-term plans for modernization and ongoing refreshes.

iii. Infrastructure refreshes require substantial funds across multiple years. CIF funding for projects must be requested, reviewed, and approved by ADC each year and the formal approvals are normally communicated in Q2 of the FY. Yet, eRA must keep doing the work hoping that these funds will come through. eRA’s move to the Cloud should alleviate this substantially.

iv. There is also a dearth of funding for analyses and prototyping (i.e., enterprise architecture) that would allow eRA complete proof-of-concept with different technologies and/or approaches before embarking into large refresh efforts.

3. Increasing demand in general.

a. In addition to the fundamental need for the refresh and ongoing maintenance funding, the number of users, data, and functionalities continue to grow significantly without corresponding increases in resources. At different levels, new needs become imperative (e.g., increasing needs for security).

b. As eRA's performance and brand continues to evolve, customers are asking for additional and more complex services and new customers are interested in full and/or partial onboarding of eRA systems and services

c. If eRA does not meet increasing demand, then the brand will suffer which will undermine the opportunity to achieve greater synergies and reduce redundancies in NIH funding of extramural IT.

d. eRA will be onboarding the Department of Commerce (DOC) which will be the first time a full Department will be onboarded.  Although DOC has committed to cross bureau harmonization, we expect an increased level of support to accomplish this. .

4. Security demands.

a. Designation as a high-value asset. HHS designated eRA as a high-value asset. As a consequence, eRA is under increased oversight with increased compliance requirements and increased levels and frequency of security scanning.  Also, there will be additional requirements stemming from the President’s Executive Order 14028 on Improving the Nation’s Cybersecurity. All requiring increased resources.

b. Increased security oversight. Monitoring medium level vulnerabilities in addition to high and critical increased application security testing, and other demands will require additional resources.

c. It's imperative that eRA ensures that OER systems stay current with security patches and updates to 3rd party software and libraries in order to reduce vulnerabilities.

5. Risk with NIH-managed systems/infrastructure.

While eRA's reliance on shared NIH managed systems/infrastructure reduces costs to NIH, it also poses potential risks inherited from those shared resources. For example, email, network or NIH Login issues could cause disruptions in eRA services. This became a particular risk when eRA staff and NIH users experienced VPN reliability issues while teleworking during the covid pandemic.

6. Funding for FTEs and contractors.

a. eRA contractors are funded through 2022. With recently received additional funding, eRA will be able to maintain the current contractor support though 2022. Until eRA’s commitment base is increased, eRA will be dependent on unpredictable sources of funding. [See the table, below.]

b. Additional demands result in additional stress and pressure to the eRA federal staff who manage the work of eRA. This is causing increased level of turnover that in turn is cause the loss of institutional knowledge about NIH business and IT processes.

7. Delays in onboarding contractor and Federal staff result in:

a. Coverage gaps -- the gap between the time staff leave and their position is backfilled.

b. Overburdened staff -- existing staff tasked with handling tasks assigned to staff who've left eRA.

c. Delays in projects -- not enough staff to handle the planned work.

d. Damage to eRA Brand/NIH IT Centralization -- ICs will start developing their own capabilities again. This will negate NIH's efforts to promote centralized/enterprise IT solutions to support NIH Extramural needs. If there are delays on-boarding staff, then eRA will continue to have difficulties bringing on new staff and contractors, losing already identified candidates and will not be able to complete planned work on schedule or to have sufficient staff to maintain the integrity and security of the eRA system. In 2021, eRA lost a federal candidate who had accepted a tentative offer, and several highly qualified contractor candidates who accepted other offers while waiting to be onboarded at NIH. This situation is especially problematic in the current very competitive IT job market, where highly qualified candidates will not typically wait for more than a few weeks to start employment. In addition, when staffing levels are not sufficient, more work falls on the most capable federal and contractor staff, and it has caused and will continue causing them to find less stressful work elsewhere, further exacerbating the problem.