Cybersecurity experts at the U.S. Government Accountability Office (GAO) today praised Federal agencies for their progress and cost savings as reflected in the latest FITARA Scorecard issued by the House Oversight and Reform Committee, but said agencies need to do better in speeding their transition to Enterprise Infrastructure Solutions (EIS) communications contracts, and do more to empower their chief information officers (CIOs).
During a House Government Operations Subcommittee hearing on the latest FITARA scorecard issued today, GAO officials said seven agencies improving enough to lift their scores to the next highest letter grade was a positive development, as was the more than $25 billion in cost savings realized by agencies cumulatively over the past seven-plus years that the scorecard has been issued. GAO provides input into the scores, which are compiled by the subcommittee.
“Incremental development still appears to be strong,” said Carol C. Harris, director of Information Technology and Cybersecurity at GAO. She called the cumulative cost savings “not insignificant.”
But Harris expressed concern about most agencies getting a failing grade for their lack of progress in the transition to the General Services Administration’s (GSA) EIS communications services contracts. “Agencies need to act with tremendous urgency to move the bar here and get off those legacy contracts as soon as possible,” she said. “We just don’t want to have further delay because that’s going to cause cost overruns.”
More also needs to be done, Harris said, to empower and enhance the authorities of Federal CIOs as part of efforts to improve agency cybersecurity and IT modernization. GAO has recommended that the Office of Management and Budget (OMB) provide additional guidance on CIO authorities, but those recommendations remain open, she said.
“It’s great that CIOs have a seat at the table and that direct line reporting to heads of agencies, but there are still additional responsibilities that they have that need to be fleshed out,” she told the committee.
Harris also took aim at a familiar target: the Biden administration’s failure to supply some required cybersecurity performance data for the largest Federal agencies, especially through traditional cross-agency priority (CAP) goals this year. She and members of the subcommittee had expressed similar concerns at a hearing in July about the previous iteration of the FITARA scorecard.
“OMB did not provide that information publicly … it’s unclear to me whether they are sitting on that information or just don’t have it,” she said today. “The law clearly states that CAP goals are to be standalone.”
At the same time, OMB today debuted a new agency cybersecurity progress report that is envisioned to fill the gap in the security-related data.
In official testimony submitted to the subcommittee today, GAO expanded on these themes, offering a mix of praise for Federal agencies, concern about the government’s overall IT practices, and suggestions for improvement.
The FITARA grades have “shown steady improvement as demonstrated by the removal (or sunset) of components,” the GAO testimony said.
It then added: “Notwithstanding the improvements made by using the scorecard, the federal government’s difficulties acquiring, developing, managing, and securing its IT investments persist. Continued oversight by Congress to hold agencies accountable for implementing statutory provisions and addressing longstanding weaknesses is essential. Evolving the components of the scorecard to adapt to changes in the federal landscape also remains important.”
GAO gave the subcommittee a number of recommendations for additional components that could be added to the scorecard, centering on IT legacy systems, modernization, and customer experience.