Information Technology and Cybersecurity: Using Scorecards to Monitor Agencies' Implementation of Statutory Requirements

What GAO Found

Since November 2015, this Subcommittee has issued scorecards as an oversight tool to monitor agencies' progress in implementing various statutory IT provisions and addressing other key IT issues. The selected provisions are from laws such as the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA), Making Electronic Government Accountable by Yielding Tangible Efficiencies Act of 2016, the Modernizing Government Technology Act, and the Federal Information Security Modernization Act of 2014. The scorecards have assigned each covered agency a letter grade (i.e., A, B, C, D, or F) based on components derived from statutory requirements and additional IT-related topics. As of July 2022, fourteen scorecards had been released (see figure).

Scorecards Release Timeline with Associated Components

As reflected above, additional important components have been added over time. Initial components were specific to FITARA provisions related to incremental development, risk management, cost savings and data centers. The scorecards then evolved to include additional statutory provisions and related IT topics, such as telecommunications.

The Subcommittee-assigned grades have shown steady improvement and resulted in the scorecards serving as effective oversight tools. For example, during 2020 and 2021, all 24 agencies received A grades for two components (software licensing and data center optimization initiative), resulting in removal of these components from the scorecard. Notwithstanding the improvements made through the use of the scorecard, the federal government's difficulties acquiring, developing, managing, and securing its IT investments remain.

GAO has long recognized the importance of addressing these difficulties by including improving the management of IT acquisitions and operations as well as ensuring the cybersecurity of the nation as areas on its high-risk list. Continued oversight by Congress to hold agencies accountable for implementing statutory provisions and addressing longstanding weaknesses is essential. Implementation of outstanding GAO recommendations can also be instrumental in delivering needed improvements.

Why GAO Did This Study

Congress has long recognized that IT systems provide essential services critical to the health, economy, and defense of the nation. In support of these systems, the federal government annually spends more than $100 billion on IT and cyber-related investments.

However, many of these investments have suffered from ineffective management. Further, recent high profile cyber incidents have demonstrated the urgency of addressing cybersecurity weaknesses.

To improve the management of IT, Congress and the President enacted FITARA in December 2014. FITARA applies to the 24 agencies subject to the Chief Financial Officers Act of 1990, although with limited applicability to the Department of Defense.

GAO was asked to provide an overview of the scorecards released by this Subcommittee. The scorecards have been used for oversight of agencies' efforts to implement statutory provisions and other IT-related topics. For this testimony, GAO relied on its previously issued products.

Since 2010, GAO has made approximately 5,300 recommendations to improve IT management and cybersecurity. As of June 2022, federal agencies have fully implemented about 77 percent of these. However, many critical recommendations have not been implemented—nearly 300 on IT management and more than 600 on cybersecurity.

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.