Information Technology: Implementation of Recommendations Is Needed to Strengthen Acquisitions, Operations, and Cybersecurity

Citation
Information Technology: Implementation of Recommendations Is Needed to Strengthen Acquisitions, Operations, and Cybersecurity (GAO-19-275T) (Dec. 12, 2018) (full-text).

Overview
The federal government has spent billions on information technology projects that failed or have performed poorly. These efforts often suffered from ineffective management. Agencies have also had cybersecurity failures affecting millions of people.

This testimony addresses two issues identified as high risk for the federal government: management of IT acquisitions and operations, and cybersecurity.

The GAO has made numerous recommendations on these issues since 2010:


 * 510 of its 1,242 recommendations on management and operations have not been implemented.
 * 688 of its about 3,000 recommendations on cybersecurity have not been implemented.

Even with this progress, significant actions remain to be completed:

 * Managing software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, the GAO reported that better management of licenses was needed to achieve savings, and made 135 recommendations to improve such management. As of December 2018, 27 of the recommendations had not been implemented.
 * Improving the security of federal IT systems. While the government has acted to protect federal information systems, agencies need to improve security programs, cyber capabilities, and the protection of personally identifiable information. The approximately 3,000 recommendations that the GAO has made to agencies since 2010 were aimed at improving the security of federal systems and information. Specifically, these recommendations identified actions for agencies to take to strengthen their information security programs and technical controls over their computer networks and systems. As of November 2018, 688 of the security-related recommendations had not been implemented.
 * Chief Information Officer (CIO) responsibilities. Laws such as the Federal Information Technology Acquisition Reform Act (FITARA) and related guidance assigned 35 key IT management responsibilities to CIOs to help address longstanding challenges. However, in August 2018, the GAO reported that none of the 24 selected agencies had policies that fully addressed the role of their CIO, as called for by laws and guidance. The GAO recommended that OMB and each of the 24 agencies take actions to improve the effectiveness of CIOs' implementation of their responsibilities. As of November 2018, none of the 27 recommendations had been implemented.
 * IT contract approval. According to FITARA, covered agencies' CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, the GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Consequently, the GAO made 39 recommendations to improve CIO oversight over these acquisitions. As of November 2018, 27 of the recommendations had not been addressed.
 * Consolidating data centers. OMB launched an initiative in 2010 to reduce data centers. According to agencies, data center consolidation and optimization efforts have resulted in approximately $4.5 billion in cost savings through 2018. Even so, additional work remains. The GAO has made 160 recommendations to OMB and agencies to improve the reporting of related cost savings and to achieve optimization targets. However, as of November 2018, 47 of the recommendations had not been fully addressed.