The federal government plans to spend over $90 billion in fiscal year 2019 on Information Technology (IT). Increasingly sophisticated threats and frequent cyber incidents underscore the need for effective information security.
But a June 26 statement from the Government Accountability Office (GAO) says the government has already spent billions on IT projects that have failed or performed poorly. Some agencies have had massive cybersecurity failures.
The GAO statement, primarily based on its own reports issued between July 2011 and April 2019, says agencies have implemented 60% of its 1,277 recommendations on IT acquisitions and operations, and 78% of its 3,058 recommendations on cybersecurity. Most agencies have not, as required, assigned key IT responsibilities to the chief information officer.
GAO says while the Office of Management and Budget (OMB) and federal agencies have taken steps to improve the management of IT acquisitions and operations and ensure federal cybersecurity through a series of initiatives, significant actions remain to be completed:
Chief Information Officer (CIO) responsibilities. Laws such as the Federal Information Technology Acquisition Reform Act (FITARA) and related guidance assigned 35 key IT management responsibilities to CIOs to help address longstanding challenges. In August 2018, GAO reported that none of the 24 selected agencies had established policies that fully addressed the role of their CIO, as called for by laws and guidance. GAO recommended that OMB and each of the 24 agencies take actions to improve the effectiveness of CIOs’ implementation of their responsibilities. As of June 2019, none of the 27 recommendations had been implemented.
CIO IT acquisition review. According to FITARA, covered agencies’ CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Consequently, GAO made 39 recommendations to improve CIO oversight for these acquisitions. As of June 2019, 23 of the recommendations had not been implemented.
Consolidating data centers. OMB launched an initiative in 2010 to reduce data centers. According to 24 agencies, data center consolidation and optimization efforts had resulted in approximately $4.7 billion in cost savings through August 2018. Even so, additional work remains. GAO has made 196 recommendations to OMB and agencies to improve the reporting of related cost savings and to achieve optimization targets. As of June 2019, 79 of the recommendations had not been implemented.
Managing software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, GAO reported that better management of licenses was needed to achieve savings, and made 136 recommendations to improve such management. As of June 2019, 27 of the recommendations had not been implemented.
Ensuring the nation’s cybersecurity. While the government has acted to protect federal information systems, GAO has consistently identified shortcomings in the federal government’s approach to cybersecurity. The 3,058 recommendations that GAO made to agencies since 2010 have been aimed at addressing cybersecurity challenges. These recommendations have identified actions for agencies to take to fully implement aspects of their information security programs and strengthen technical security controls over their computer networks and systems. As of June 2019, 674 of the recommendations had not been implemented.
By addressing the high-risk areas on improving the management of IT acquisitions and operations and ensuring the cybersecurity of the nation, the government has the opportunity to both save billions of dollars and advance the efficiency and effectiveness of government services.
Read the full statement at GAO
