Federal agencies have fully implemented 60 percent of IT management-related and 78 percent of security-related recommendations the Government Accountability Office (GAO) has issued since 2010, and they should continue bolstering their cybersecurity and IT acquisition and operations, according to a June 26 GAO report.
GAO has issued 1,277 IT management-related and 3,058 security-related recommendations to 24 Federal agencies since 2010. Despite the work agencies have done to resolve the cyber and IT challenges GAO has identified, GAO added in the report that agencies have not made enough progress and that the Office of Management and Budget (OMB) should implement at least 80 percent of GAO’s recommendations.
The report identified the remaining recommendations that agencies need to implement. For one, none of the 24 agencies had established policies that fully addressed the role of their CIO, and agency CIOs told GAO they did not always feel effective in implementing key IT management areas.
However, GAO said that shortfalls at OMB have contributed to the ineffective role of CIOs.
“[OMB] guidance did not comprehensively address all CIO responsibilities, such as those related to assessing the extent to which personnel meet IT management knowledge and skill requirements and ensuring that personnel are held accountable for complying with the information security program,” GAO said.
GAO added that OMB guidance did not ensure that CIOs had a key role in IT planning, programming, and budgeting decisions, or in execution decisions and management, governance, and oversight of IT-related processes.
Along the lines of CIOs’ roles, GAO said that another area agencies need to improve upon is CIO authority throughout IT acquisition review and contract approval. As of January 2018, GAO found that CIOs at 22 agencies weren’t sufficiently involved in “reviewing billions of dollars in IT acquisitions.” As of this year, 23 of 39 GAO recommendations on this challenge have not been implemented.
Beyond the role of the CIO, agencies have also struggled to consolidate their data centers despite OMB’s 2010 initiative to reduce them.
“From July 2011 through April 2019, we made a total of 196 recommendations to OMB and 24 agencies to improve the execution and oversight of the initiative,” GAO said. “Most agencies and OMB agreed with our recommendations or had no comments. As of June 2019, 79 of these 196 recommendations had not been implemented.”
On the cybersecurity front, agencies also have work ahead of them. Namely, GAO stressed that agencies should fully implement information security programs required by FISMA (Federal Information Security Management Act) to help complete the 22 percent of security-related recommendations agencies have not fully implemented.
GAO said that addressing the IT acquisition and operations management and cybersecurity recommendations that are still open is key to saving billions of dollars, advancing efficient government services, managing software assets, and complying with Federal cybersecurity initiatives.