Congress has long recognized that IT systems provide essential services critical to the health, economy, and defense of the nation. In support of these systems, the federal government annually spends more than $100 billion on IT and cyber-related investments.
In fiscal year 2023, the federal government plans to spend approximately $122 billion on IT investments. A large majority of these investments are to support the operation and maintenance of existing IT systems—such as those that support tax filings, Census survey information, and veterans’ health records. Additionally, these investments support system development, modernization, and enhancement activities including software upgrades, replacement of legacy IT, and new technologies. The planned fiscal year 2023 spending also includes costs for defense-related classified systems and national security-related unclassified systems, both of which support cybersecurity activities. For fiscal year 2023, the planned spending on cybersecurity is $17.1 billion.
However, many of the investments to date have suffered from ineffective management. Additionally, high profile cyber incidents have demonstrated the urgency of addressing cybersecurity weaknesses.
To improve the management of IT, Congress and the President enacted FITARA in December 2014. FITARA applies to the 24 agencies subject to the Chief Financial Officers Act of 1990, although with limited applicability to the Department of Defense.
The Government Accountability Office (GAO) was asked to provide an overview of the scorecards released by this Subcommittee. The scorecards have been used for oversight of agencies’ efforts to implement statutory provisions and other IT-related topics. For its testimony, GAO relied on its previously issued products.
The scorecards have assigned each covered agency a letter grade (i.e., A, B, C, etc.) based on components derived from statutory requirements and additional IT-related topics. As of July 2022, fourteen scorecards had been released.
GAO testified that the Subcommittee-assigned grades have shown steady improvement and resulted in the scorecards serving as effective oversight tools. For example, during 2020 and 2021, all 24 agencies received A grades for two components (software licensing and data center optimization initiative), resulting in removal of these components from the scorecard.
In January, a group of CIOs told the House Oversight and Reform Subcommittee on Government Operations that the process of grading agencies under FITARA needs to reflect current challenges including strengthening cybersecurity, phasing out antiquated systems, and growing and maintaining an adequate cyber and IT workforce. For example, David Powner, former GAO director for IT and current executive director of the Center for Data-Driven Policy at MITRE, opined that three scorecard categories should be retired — incremental, portfolio stack, and data centers — and the scorecard should focus on cybersecurity, workforce, legacy modernization, budgeting, and infrastructure.
Notwithstanding the improvements made through the use of the scorecard, the federal government’s difficulties acquiring, developing, managing, and securing its IT investments remain. Updating the FITARA grading process could be an important step toward addressing these difficulties.
GAO testified that the federal government faces persistent difficulties acquiring, developing, managing, and providing adequate security over its IT investments. To address longstanding weaknesses and changes in the federal landscape, the watchdog maintains that continued oversight by Congress to hold agencies accountable for implementing statutory provisions and addressing weaknesses is essential.
Implementation of outstanding GAO recommendations can also be instrumental in delivering needed improvements, the watchdog said. Since 2010, GAO has made approximately 5,300 recommendations to improve IT management and cybersecurity. As of June 2022, federal agencies have fully implemented about 77 percent of these. However, many critical recommendations have not been implemented—nearly 300 on IT management and more than 600 on cybersecurity.