The federal government has spent billions on information technology projects that have failed or performed poorly. Some agencies have had massive cybersecurity failures. These IT efforts often suffered from ineffective management.
The Government Accountability Office testified about 2 issues on its High Risk List: management of IT acquisitions and operations, and cybersecurity.
Since 2010, agencies have implemented:
- 61% of GAO's 1,320 recommendations on IT acquisitions and operations
- 76% of GAO's 3,323 recommendations on cybersecurity
Much remains to be done. For example, most agencies have not, as required, assigned key IT responsibilities to the chief information officer.
Federal agencies and the Office of Management and Budget (OMB) have taken steps to improve the management of information technology (IT) acquisitions and operations and ensure the nation’s cybersecurity through a series of initiatives. As of November 2019, federal agencies had fully implemented 61 percent of the 1,320 IT management-related recommendations that GAO has made to them since fiscal year 2010. Likewise, agencies had implemented 76 percent of the 3,323 security-related recommendations that GAO has made since fiscal year 2010. Significant actions remain to be completed to build on this progress.
- Chief Information Officer (CIO) responsibilities. Laws such as the Federal Information Technology Acquisition Reform Act (FITARA) and related guidance assign 35 key responsibilities to agency CIOs to help address longstanding IT management challenges. In August 2018, GAO reported that none of the 24 selected agencies had established policies that fully addressed the role of their CIO. GAO recommended that OMB and the 24 agencies take actions to improve the effectiveness of CIOs’ implementation of their responsibilities. Although most agencies agreed or did not comment, none of the 27 recommendations have yet been implemented.
- CIO IT acquisition review. According to FITARA, covered agencies’ CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Consequently, GAO made 39 recommendations to improve CIO oversight for these acquisitions. Since then, 23 of the recommendations have been implemented.
- Consolidating data centers. OMB launched an initiative in 2010 to reduce data centers. In August 2018, 22 agencies reported that they had achieved $1.94 billion in cost savings for fiscal years 2016 through 2018, while two agencies reported that they had not achieved any savings. GAO has made 196 recommendations to OMB and agencies to improve the reporting of related cost savings and to achieve optimization targets. As of November 2019, 121 of the recommendations have been implemented.
- Managing software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, GAO reported that better management of licenses was needed to achieve savings, and made 135 recommendations to improve such management. As of November 2019, all but 19 of the recommendations had been implemented.
- Ensuring the nation’s cybersecurity. While the government has acted to protect federal information systems, GAO has consistently identified shortcomings in the federal government’s approach to cybersecurity. The 3,323 recommendations that GAO made to agencies since 2010 have been aimed at addressing cybersecurity challenges. These recommendations have identified actions for agencies to take to fully implement aspects of their information security programs and strengthen technical security controls over their computer networks and systems. As of November 2019, 76 percent of the recommendations had been implemented.
Since fiscal year 2010, GAO has made about 1,300 recommendations to OMB and agencies to address shortcomings in IT acquisitions and operations, as well as approximately 3,300 recommendations to agencies to improve the security of federal systems. These recommendations addressed, among other things, implementation of CIO responsibilities, oversight of the data center consolidation initiative, management of software licenses, and the efficacy of security programs. Implementation of these recommendations is essential to strengthening federal agencies’ acquisitions, operations, and cybersecurity efforts.