The federal government planned to invest more than $96 billion in information technology (IT) in fiscal year 2018. However, IT investments have often failed or contributed little to mission-related outcomes. Further, increasingly sophisticated threats and frequent cyber incidents underscore the need for effective information security. As a result, the Government Accountability Office (GAO) has added two areas to its high-risk list: cybersecurity in 1997 and the management of IT acquisitions and operations in 2015.
A GAO report published December 12 summarizes federal agencies’ progress in improving the management, and ensuring the security, of federal IT. It is primarily based on GAO’s reports issued between February 1997 and August 2018 (and an ongoing review) on CIO responsibilities, agency CIOs’ involvement in approving IT contracts, data center consolidation efforts, the management of software licenses, and compliance with cybersecurity requirements.
GAO says the Office of Management and Budget (OMB) and federal agencies have taken steps to improve the management of IT acquisitions and operations and ensure federal cybersecurity through a series of initiatives. As of November 2018, agencies had fully implemented about 59 percent of the 1,242 IT management-related recommendations that GAO has made since fiscal year 2010. Likewise, agencies had implemented about 73 percent of the approximately 3,000 security-related recommendations that GAO has made since 2010. Even with this progress, significant actions remain to be completed.
Chief Information Officer (CIO) responsibilities. Laws such as the Federal Information Technology Acquisition Reform Act (FITARA) and related guidance assigned 35 key IT management responsibilities to CIOs to help address longstanding challenges. However, in August 2018, GAO reported that none of the 24 selected agencies had policies that fully addressed the role of their CIO, as called for by laws and guidance. GAO recommended that OMB and each of the 24 agencies take actions to improve the effectiveness of CIOs’ implementation of their responsibilities. As of November 2018, none of the 27 recommendations had been implemented.
IT contract approval. According to FITARA, covered agencies’ CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Consequently, GAO made 39 recommendations to improve CIO oversight over these acquisitions. As of November 2018, 27 of the recommendations had not been addressed.
Consolidating data centers. OMB launched an initiative in 2010 to reduce data centers. According to agencies, data center consolidation and optimization efforts have resulted in approximately $4.5 billion in cost savings through 2018. Even so, additional work remains. GAO has made 160 recommendations to OMB and agencies to improve the reporting of related cost savings and to achieve optimization targets. However, as of November 2018, 47 of the recommendations had not been fully addressed.
Managing software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, GAO reported that better management of licenses was needed to achieve savings, and made 135 recommendations to improve such management. As of December 2018, 27 of the recommendations had not been implemented.
Improving the security of federal IT systems. While the government has acted to protect federal information systems, agencies need to improve security programs, cyber capabilities, and the protection of personally identifiable information. The approximately 3,000 recommendations that GAO has made to agencies since 2010 were aimed at improving the security of federal systems and information. Specifically, these recommendations identified actions for agencies to take to strengthen their information security programs and technical controls over their computer networks and systems. As of November 2018, 688 of the security-related recommendations had not been implemented.
Congress has recognized the importance of agencies’ continued implementation of FITARA provisions, and has taken legislative action to extend selected provisions beyond their original dates of expiration. Specifically, Congress and the President enacted laws to: remove the expiration dates for the enhanced transparency and improved risk management provisions, which were set to expire in 2019; remove the expiration date for portfolio review, which was set to expire in 2019; and extend the expiration date for FDCCI from 2018 to 2020.
In addition, Congress and the President enacted a law to authorize the availability of funding mechanisms to help further agencies’ efforts to modernize IT. The law, known as the Modernizing Government Technology (MGT) Act, authorizes agencies to establish working capital funds for use in transitioning from legacy IT systems, as well as for addressing evolving threats to information security. The law also creates the Technology Modernization Fund, within the Department of the Treasury, from which agencies can “borrow” money to retire and replace legacy systems, as well as acquire or develop systems.
Further, in February 2018, OMB issued guidance for agencies on implementing the MGT Act. The guidance was intended to provide agencies additional information regarding the Technology Modernization Fund, and the administration and funding of the related IT working capital funds.
Since fiscal year 2010, GAO has made 1,242 recommendations to OMB and agencies to address shortcomings in IT acquisitions and operations. Since fiscal year 2010, GAO also has made over 3,000 recommendations to federal agencies to improve the security of federal systems. These recommendations include those to improve the implementation of CIO responsibilities, the oversight of the data center consolidation initiative, software license management efforts, and the strength of security programs and technical controls. Most agencies agreed with the recommendations, and GAO will continue to monitor their implementation.
