The federal government spends more than $100 billion on IT and cyber-related investments annually—but many of them have failed or performed poorly, have been poorly managed, and have security weaknesses.
Improving IT acquisitions and operations management and ensuring cybersecurity have been on the Government Accountability Office’s High Risk List since 2015 and 1997, respectively. GAO testified that little progress has been made.
The federal government and agencies must take action. For example, the government should develop and execute a comprehensive cybersecurity strategy.
Agencies have yet to implement many of our critical recommendations in these areas.
In its March 2021 high-risk series update, GAO reported that significant attention was needed to improve the federal government’s management of information technology (IT) acquisitions and operations, and to ensure the nation’s cybersecurity. Regarding management of IT, overall progress in addressing this area has remained unchanged. Since 2019, GAO has emphasized that the Office of Management and Budget (OMB) and covered federal agencies need to continue to fully implement critical requirements of federal IT acquisition reform legislation, known as the Federal Information Technology Acquisition Reform Act (FITARA), to better manage tens of billions of dollars in IT investments. For example:
- OMB continued to demonstrate leadership commitment by issuing guidance to implement FITARA statutory provisions, but sustained leadership and expanded capacity were needed to improve agencies’ management of IT.
- Agencies continued to make progress with reporting FITARA milestones and plans to modernize or replace obsolete IT investments, but significant work remained to complete these efforts.
- Agencies improved the involvement of their agency Chief Information Officers in the acquisition process, but greater cost savings could be achieved if IT acquisition shortcomings, such as reducing duplicative IT contracts, were addressed.
In March 2021, GAO reiterated the need for agencies to address four major cybersecurity challenges facing the nation: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. GAO identified 10 actions for agencies to take to address these challenges. However, since 2019, progress in this area has regressed: GAO’s 2021 rating of leadership commitment declined from met to partially met. To help address the leadership vacuum, in January 2021, Congress enacted a statute establishing the Office of the National Cyber Director. Although the director position has not yet been filled, on April 12, the President announced his intended nominee. Overall, the federal government needs to move with a greater sense of urgency to fully address cybersecurity challenges. In particular, agencies should:
- Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. In September 2020, GAO reported that the cyber strategy and implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed.
- Mitigate global supply chain risks. In December 2020, GAO reported that few of the 23 civilian federal agencies it reviewed implemented foundational practices for managing information and communication technology supply chain risks.
- Enhance the federal response to cyber incidents. In July 2019, GAO reported that most of 16 selected federal agencies had deficiencies in at least one of the activities associated with incident response processes.