Information Technology: Continued Implementation of High-Risk Recommendations Is Needed to Better Manage Acquisitions Operations and Cybersecurity

What GAO Found

The Office of Management and Budget (OMB) and federal agencies have taken steps to improve the management of information technology (IT) acquisitions and operations and ensure the security of federal IT through a series of initiatives. As of May 2018, agencies had fully implemented about 61 percent of the approximately 800 IT management-related recommendations that GAO made from fiscal years 2010 through 2015. Likewise, since 2010, agencies had implemented about 66 percent of the approximately 2,700 security-related recommendations as of May 2018. Even with this progress, significant actions remain to be completed.

Chief Information Officer (CIO) responsibilities. Laws such as the Federal Information Technology Acquisition Reform Act (FITARA) and related guidance assigned 35 key IT management responsibilities to CIOs to help address longstanding challenges. However, in a draft report on CIO responsibilities, GAO's preliminary results suggest that none of the 24 selected agencies have policies that fully address the role of their CIO, as called for by federal laws and guidance. GAO intends to recommend that OMB and each of the selected 24 agencies take actions to improve the effectiveness of CIO's implementation of their responsibilities.

IT contract approval. According to FITARA, covered agencies' CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 selected agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Consequently, GAO made 39 recommendations to improve CIO oversight over IT acquisitions.

Consolidating data centers. OMB launched an initiative in 2010 to reduce data centers, which was codified and expanded in FITARA. According to agencies, data center consolidation and optimization efforts have resulted in approximately $3.9 billion of cost savings through 2018. Even so, additional work remains. GAO has made 160 recommendations to OMB and agencies to improve the reporting of related cost savings and to achieve optimization targets; however, as of May 2018, 80 of the recommendations have not been fully addressed.

Managing software licenses. Effective management of software licenses can help avoid purchasing too many licenses that result in unused software. In May 2014, GAO reported that better management of licenses was needed to achieve savings, and made 135 recommendations to improve such management. Four years later, 78 of the recommendations remained open.

Improving the security of federal IT systems. While the government has acted to protect federal information systems, agencies need to improve security programs, cyber capabilities, and the protection of personally identifiable information. Over the last several years, GAO has made about 2,700 recommendations to agencies aimed at improving the security of federal systems and information. These recommendations identified actions for agencies to take to strengthen their information security programs and technical controls over their computer networks and systems. As of May 2018, about 800 of the information security-related recommendations had not been implemented.

Why GAO Did This Study

The federal government plans to invest almost $96 billion in IT in fiscal year 2018. Historically, IT investments have too often failed or contributed little to mission-related outcomes. Further, increasingly sophisticated threats and frequent cyber incidents underscore the need for effective information security. As a result, GAO added two areas to its high-risk list: IT security in 1997 and the management of IT acquisitions and operations in 2015.

This statement summarizes agencies' progress in improving IT management and ensuring the security of federal IT. It is primarily based on GAO's prior reports issued between February 1997 and May 2018 (and an ongoing review) on (1) CIO responsibilities, (2) agency CIOs' involvement in approving IT contracts, (3) data center consolidation efforts, (4) the management of software licenses, and (5) compliance with cybersecurity requirements.