In its latest statement, the Government Accountability Office (GAO) says the federal government has spent billions (approximately $90 billion each year) on information technology projects that have failed or performed poorly.
For example, the United States Coast Guard decided to terminate its Integrated Health Information System project in 2015. As reported by the agency in August 2017, the Coast Guard spent approximately $60 million over seven years on this project, which resulted in no equipment or software that could be used for future efforts
In addition, some agencies have experienced “massive cybersecurity failures” which GAO says were often compounded by ineffective management. GAO has previously reported that some Chief Information Officers’ (CIO) roles were limited in terms of protection and prevention because they did not have the authority to review and approve the entire agency IT portfolio.
In recent months, intelligence has suggested that both Chinese and Russian hackers are targeting U.S. healthcare – including the Department of Health and Human Services – and pandemic response efforts. As well as disruption, intel officials believe the intention is to steal medical intellectual property and vaccine development research data.
Since 2010, agencies have implemented 64 percent of GAO’s 1,376 recommendations on IT acquisitions and operations, and 79 percent of the watchdog’s 3,409 recommendations on cybersecurity.
In its statement, GAO acknowledges that federal agencies and the Office of Management and Budget (OMB) have taken steps to improve the management of information technology (IT) acquisitions and operations and ensure the nation’s cybersecurity through a series of initiatives. However, it says significant actions remain to be completed to build on this progress and has identified five primary areas of concern:
CIO responsibilities. Laws such as the Federal Information Technology Acquisition Reform Act (FITARA) and related guidance assign 35 key responsibilities to agency CIOs to help address longstanding IT management challenges. In August 2018, GAO reported that none of the 24 selected agencies had established policies that fully addressed the role of their CIO. GAO recommended that OMB and the 24 agencies take actions to improve the effectiveness of CIOs’ implementation of their responsibilities. Although most agencies agreed or did not comment, only four of the 27 recommendations have been implemented.
CIO IT acquisition review. According to FITARA, covered agencies’ CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Since then, agencies implemented 29 out of 39 recommendations made to improve CIO oversight for these acquisitions. Implementing the remaining 10 could increase CIOs’ authority and improve the management of IT contracts.
Consolidating data centers. OMB launched an initiative in 2010 to reduce data centers. According to the 24 covered agencies, this initiative has resulted in approximately $4.7 billion in cost savings from fiscal years 2012 through 2019. Even so, additional work remains. As of July 2020, OMB and agencies implemented 133 of the 204 recommendations made to improve the reporting of related cost savings and to achieve optimization targets. Implementing the remaining recommendations could yield additional cost savings.
Managing software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, GAO reported that better management of licenses was needed to achieve savings and made 135 recommendations to improve such management. Agencies have implemented 123 of the 135 recommendations. Implementing the remaining 12 could reduce spending and duplication.
Ensuring the nation’s cybersecurity. GAO continues to designate information security as a government-wide high-risk area due to increasing cyber-based threats and the persistent nature of security vulnerabilities. Since fiscal year 2010, GAO has made 3,409 recommendations to agencies aimed at addressing cybersecurity challenges. As of July 2020, 79 percent of the recommendations have been implemented. Until the remaining recommendations are addressed, agencies’ information and IT systems will be increasingly susceptible to the existing multitude of cyber-related threats.