IT Portfolio Management: OMB and Agencies Are Not Fully Addressing Selected Statutory Requirements
Fast Facts
The federal government invests more than $100 billion annually in IT. But these investments can be poorly managed—resulting in IT that fails to deliver needed improvements and is often late and over budget.
A law aimed at improving IT management requires agencies to review their portfolios of IT projects and high-risk IT investments. Our report shows that agencies haven't completed these reviews.
We recommended improving guidance, processes, and reporting.
Improving federal IT management is on our High Risk List.

Highlights
What GAO Found
The Office of Management and Budget (OMB) is not fully addressing eight key statutory requirements contained in the Federal Information Technology Acquisition Reform Act (FITARA). Specifically, OMB is partially following four of the five requirements on IT portfolio reviews, and not following the three requirements on high-risk IT investments (see table). Until OMB adheres to FITARA's portfolio management requirements, its oversight of agencies' IT portfolios, including potentially troubled IT investments, will be limited. As a result, the federal government will continue to expend resources on IT investments that do not meet the needs of the government or the public.
Extent to Which the Office of Management and Budget (OMB) Followed Statutory Requirements
| Requirement | Assessment |
|---|---|
| IT portfolio reviews | |
| Implement a process to assist agencies in reviewing their IT portfolios. | ◐ |
| Develop standardized cost savings/avoidance and performance metrics for agencies to implement the process. | ◐ |
| Carry out the Federal Chief Information Officer's (CIO) role in being involved in an annual review of each agency's IT portfolio in conjunction with the agency's CIO and Chief Operating Officer or Deputy Secretary (or equivalent). | ○ |
| Submit a quarterly report on the cost savings/reductions in duplicative IT investment identified through this review process to key committees in Congress. | ◐ |
| Submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by agencies for information systems and how the benefits relate to the accomplishment of the goals of the agencies. | ◐ |
| High-risk IT investment reviews | |
| Carry out consultation responsibilities of the Federal CIO to agency CIOs and program managers of major IT investments that receive high-risk ratings for four consecutive quarters. | ○ |
| Communicate the results of high-risk IT investment reviews to key committees in Congress. | ○ |
| Deny any request of additional development, modernization, or enhancement funding for a major investment that has been rated high-risk for a year after the high-risk IT investment review. Additional funding should be denied until the agency CIO determines that the root causes of the risk have been addressed, and there is capability to deliver the remaining increments within the planned cost and schedule. [a] | ○ |

Legend: ◐ Partially followed = the agency demonstrated that it was following some, but not all, of the requirement; ○ Not followed = the agency did not demonstrate that it was following the requirement.
Source: GAO analysis based on OMB data. | GAO-25-107041
[a] This requirement does not apply to investments at the Department of Defense.
Agencies have also not fully addressed FITARA requirements for IT portfolio management. Specifically, none of the 24 agencies fully met the requirements for annual IT portfolio reviews. In addition, eight agencies with major IT investments rated as high-risk for four consecutive quarters did not follow the FITARA requirements for performing high-risk IT investment reviews. Three of the eight agencies performed the reviews, but they did not address the specific requirements in law. The remaining five agencies did not perform the reviews. Not performing these required reviews can permit investments with substantial cost, schedule, and performance problems to continue unabated without necessary corrective actions.
Why GAO Did This Study
The executive branch has undertaken numerous initiatives to better manage the more than $100 billion that is annually invested in IT. However, federal IT investments too frequently fail to deliver capabilities in a timely manner. Recognizing the issues related to the government-wide management of IT, in December 2014, Congress enacted federal IT acquisition reform legislation, commonly referred to as FITARA.
GAO was asked to evaluate IT executive reviews. This report evaluates the extent to which OMB and agencies are following requirements for IT portfolio management oversight, including annual IT portfolio and high-risk investment reviews. To do so, GAO identified related requirements from FITARA. GAO then compared agency documentation from OMB and the 24 agencies to the requirements. GAO also interviewed OMB and agency officials regarding their IT portfolio management practices.
Recommendations
GAO is making 10 recommendations to OMB to improve guidance, processes, and reporting; and 36 recommendations to 24 agencies to improve their IT portfolio processes.
OMB did not agree or disagree with its recommendations but stated that it disagreed with parts of the report. As discussed in the report, GAO maintains that the recommendations are warranted. Of the 24 agencies, seven agreed with their recommendations, two agencies neither agreed nor disagreed, and 15 stated that they had no comments.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Management and Budget | The Director of OMB should update existing guidance or issue new guidance to agencies to implement a process to assist agencies in reviewing their IT portfolios that includes the requirements provided in FITARA. (Recommendation 1) | The agency neither agreed nor disagreed with our recommendation. At the time of our review, OMB stated that it would continue to assess potential adjustments to the annual IT review process and evaluate our recommendation on how to further strengthen the review of agency IT portfolios. As of September 2025, OMB did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should develop standardized performance metrics for agencies to implement the IT portfolio review process, as prescribed by FITARA. (Recommendation 2) | The agency neither agreed nor disagreed with our recommendation. As of September 2025, the Office of Management and Budget (OMB) did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should ensure that the Federal CIO carries out its role in annually reviewing each agency's IT portfolio that is conducted by each agency's CIO in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) and the Federal CIO, as prescribed by FITARA. (Recommendation 3) | The agency neither agreed nor disagreed with our recommendation. At the time of our review, the Office of Management and Budget (OMB) stated that it had adopted an alternative process to meet this requirement due to budget constraints and increased workload. Specifically, OMB stated that it had integrated IT portfolio reviews into the budget and reporting processes. However, as we discussed in our report (GAO-25-107041), these interactions did not fully meet the statutory requirements. In October 2024, OMB stated that it would continue to assess potential adjustments to the annual IT portfolio review process and evaluate our recommendations on how to further strengthen these reviews. As of September 2025, OMB did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should direct the Federal CIO to submit a quarterly report to the FITARA-identified committees in Congress on the cost savings and reductions in duplicative IT investments identified through the IT portfolio review process, as prescribed by FITARA. (Recommendation 4) | The agency neither agreed nor disagreed with our recommendation. At the time of our review, OMB indicated that it had plans to address this finding. Specifically, OMB stated that it would seek to add fields to the IT Dashboard to collect information on reduced duplication and net program benefits achieved as a result of major capital investments from agencies. This would make the information accessible to Congress. As of September 2025, OMB did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should direct the Federal CIO to ensure that the agency cost savings on the IT Dashboard that are being used to fulfill statutory requirements to report to Congress are accurate and correctly attributed to IT portfolio review. (Recommendation 5) | The agency did not agree or disagree with this recommendation. At the time of our report, the Office of Management and Budget (OMB) stated that it is the agencies' responsibility to ensure that the data submitted to the IT Dashboard are accurate and noted that the office does not have the resources to verify all the data entered by agencies. However, as we noted in our report, since OMB is relying on the IT Dashboard to fulfill its statutory requirement to report to Congress, ensuring the accuracy of the data is of the utmost importance. As of September 2025, OMB did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by agencies for information systems and how the benefits relate to the accomplishment of the goals of the agencies, as prescribed by FITARA. (Recommendation 6) | The agency neither agreed nor disagreed with our recommendation. At the time of our review, OMB indicated that it had plans to address this finding. Specifically, OMB stated that it would seek to add fields to the IT Dashboard to collect information on reduced duplication and net program benefits achieved as a result of major capital investments from agencies. This would make the information accessible to Congress. As of September 2025, OMB did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should ensure that the Federal CIO carries out the consultation responsibilities of the Federal CIO to agency CIOs and program managers of major IT investments that receive high-risk ratings for four consecutive quarters, as prescribed by FITARA. (Recommendation 7) | The agency neither agreed nor disagreed with our recommendation. As of September 2025, the Office of Management and Budget (OMB) did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should direct the Federal CIO to communicate the results of high-risk IT investment reviews to committees in Congress, as prescribed by FITARA. (Recommendation 8) | The agency neither agreed nor disagreed with our recommendation. As of September 2025, the Office of Management and Budget (OMB) did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should deny any request of additional development, modernization, or enhancement funding for a major investment that has been rated high risk for a year after the high-risk IT investment review, as prescribed by FITARA. (Recommendation 9) | The agency neither agreed nor disagreed with our recommendation. At the time of our review, the Office of Management and Budget (OMB) stated that it disagreed with our methodology of identifying high-risk IT investments. OMB stated that it did not believe that any of the IT investments met the criteria described in the law, and therefore, no IT investments were required to lose funding. However, our methodology was consistent with OMB's own guidance. OMB acknowledged this and stated that it was taking steps to clarify its guidance on high-risk IT investment reviews. As of September 2025, OMB did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Office of Management and Budget | The Director of OMB should direct the Federal CIO to update existing guidance or issue new guidance to direct agencies' efforts on holding high-risk IT investment reviews in accordance with FITARA's requirements. (Recommendation 10) | The agency neither agreed nor disagreed with our recommendation. As of September 2025, the Office of Management and Budget (OMB) did not have an update on the status of this recommendation. When we confirm what actions OMB has taken in response to this recommendation, we will provide updated status information. |
| Department of Agriculture | The Secretary of Agriculture should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 11) | The agency agreed with our recommendation. In February 2025, the Department of Agriculture stated that it plans to address this recommendation during the third quarter of the fiscal year, when the IT portfolio review is scheduled, as noted in its Statement of Actions. We will continue to monitor the implementation of this recommendation. |
| Department of Commerce | The Secretary of Commerce should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 12) | At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. As of April 2025, the Department of Commerce's Office of the CIO reported that it is preparing an action plan for this recommendation but noted that coordination with its operating units is taking longer than expected. We will continue to monitor the implementation of this recommendation. |
| Department of Defense | The Secretary of Defense should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 13) | The department agreed with our recommendation. In February 2025, the Department of Defense (DOD) stated that once OMB provides updated annual review guidance, the DOD CIO will assess the guidance to ensure compliance, including attending and participating in scheduled OMB annual reviews. In addition, DOD noted that it currently conducts IT portfolio reviews through an existing CIO process to fulfill FITARA requirements and that the expected completion date for this recommendation is dependent on the release of updated OMB guidance. We will continue to monitor the implementation of this recommendation. |
| Department of Education | The Secretary of Education should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO, as prescribed by FITARA. (Recommendation 14) | At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In June 2025, the Department of Education (Education) provided a corrective action plan stating that the recommendation should be closed because it had been addressed in May 2025. The plan stated that the department's OCIO intends to meet with OMB to ensure annual reviews of its IT portfolio when OMB is available and indicated that this action was completed in May 2025. However, Education did not provide documentation demonstrating that this action was completed nor that the Federal CIO was involved. We will continue to monitor the implementation of this recommendation. |
| Department of Energy | The Secretary of Energy should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 15) | The agency agreed with our recommendation. In February 2025, the Department of Energy (Energy) stated that the CIO will consult with the Federal CIO regarding its IT portfolio review process to ensure alignment with current OMB guidance and expectations for Federal CIO involvement. The CIO will consult with the incoming Deputy Secretary on the Deputy Secretary's role in future IT portfolio reviews, per FITARA requirements. In addition, Energy stated that the CIO will review and implement any necessary changes to its IT portfolio review processes by December 31, 2025. Furthermore, as of July 2025, Energy stated that, due to the changes in administration and the resulting organizational changes, it had to focus on other efforts while a new CIO is identified and brought on board. We will continue to monitor the implementation of this recommendation. |
| Department of Health and Human Services | The Secretary of Health and Human Services should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 16) | At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In May 2025, the Department of Health and Human Services (HHS) provided a statement of action stating that it uses a variety of mechanisms as part of its continuous efforts to ensure a comprehensive approach to IT portfolio management, which includes annual IT portfolio reviews of its operating divisions. HHS stated it will provide another update to GAO by the end of fiscal year 2025. We will continue to monitor the implementation of this recommendation. |
| Department of Homeland Security | The Secretary of Homeland Security should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 17) | The agency agreed with our recommendation. In May 2025, the Department of Homeland Security (DHS) stated that its OCIO Business Management Directorate continues to coordinate with OMB to review its IT portfolio monthly. DHS also reported that it is developing a standard operating procedure to revise current or implement new processes to ensure an annual review with the necessary stakeholders, per FITARA requirements. DHS stated that this effort is expected to be completed by September 30, 2025. We will continue to monitor the implementation of this recommendation. |
| Department of Homeland Security | The Secretary of Homeland Security should direct the department CIO to ensure that the Federal CIO is consulted in performing high-risk IT investment reviews, as prescribed by FITARA. (Recommendation 18) | The agency agreed with our recommendation. In May 2025, the Department of Homeland Security (DHS) stated that it updated its processes, including its March 2025 "DHS TechStat Process Guide," to ensure the Federal CIO is engaged and informed about the DHS CIO's reviews of high-risk IT investments. DHS reported that the first quarter fiscal year 2025 TechStat was not necessary because the root cause of the program's low health score had been resolved, eliminating the need for a TechStat. In addition, DHS stated it anticipates demonstrating the updated process during the next TechStat review and expects to complete implementation by September 30, 2025. We will continue to monitor the implementation of this recommendation. |
| Department of Homeland Security | The Secretary of Homeland Security should direct the department CIO, in conjunction with the project manager, to conduct high-risk IT investment reviews, as prescribed by FITARA. (Recommendation 19) | The agency agreed with our recommendation. In May 2025, the Department of Homeland Security (DHS) stated that in March 2025 its Office of the CIO's Chief Technology Officer Directorate updated the DHS TechStat Process Guide to ensure alignment with current best practices and requirements, enhancing the CIO's ability to conduct high-risk IT investment reviews with project managers, as prescribed by FITARA. In addition, DHS reported that it reviewed DHS Directive 102-03, which governs TechStat Accountability Sessions, and stated that the directive remains current and effective. Further, according to DHS, the directive already includes guidelines for the CIO to conduct high-risk IT investment reviews and for including program managers and business owners. While DHS indicated that its actions are complete, it did not provide documentation and evidence to demonstrate that the updated guidance has been finalized and implemented. For example, we would need to review the revised TechStat Process Guide and evidence that the updated processes are being applied to a high-risk investment review. We will continue to monitor the implementation of this recommendation and review supporting evidence when it is provided. |
| Department of Homeland Security | The Secretary of Homeland Security should direct the department CIO to work with OMB to ensure that its high-risk IT investment reviews include the extent to which these causes can be addressed (e.g., action items and due dates) and the probability of future successes (e.g., outcomes), as prescribed by FITARA. (Recommendation 20) | The agency agreed with our recommendation. In May 2025, the Department of Homeland Security (DHS) stated that its Office of the CIO's (OCIO) Chief Technology Officer Directorate (CTOD) reviewed DHS Directive 102-03 and concluded that the directive remains current and effective in its existing form. Specifically, DHS reported that the directive includes guidelines for the CIO's communication and coordination with OMB and the Federal CIO, as well as the development of corrective action plans and reporting of outcomes. In addition, DHS stated that the OCIO CTOD reviewed and updated the DHS TechStat Process Guide (March 2025) to align with current best practices and requirements, including action items, due dates, and outcomes. DHS expects to complete these actions by September 30, 2025. While DHS indicated that its actions are complete for this recommendation, it did not provide evidence demonstrating implementation, including evidence of a completed high-risk investment review where these actions are addressed. We will continue to monitor the implementation of this recommendation. |
| Department of Housing and Urban Development | The Secretary of Housing and Urban Development should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 21) | At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. As of September 2025, the department has not provided an update. We will continue to monitor the implementation of this recommendation. |
| Department of Housing and Urban Development | The Secretary of Housing and Urban Development should direct the department CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 22) | At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. As of September 2025, the department has not provided an update. We will continue to monitor the implementation of this recommendation. |
| Department of Justice | The Attorney General should direct the CIO of the Department of Justice to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 23) | The department neither agreed nor disagreed with our recommendation. In February 2026, Justice stated that it is waiting for OMB to provide agencies with updated or new annual review guidance regarding conducting annual reviews of IT portfolios in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent). At that time, the DOJ CIO will assess the guidance to ensure DOJ compliance, including attending and participating in scheduled OMB annual reviews. We will continue to monitor the implementation of this recommendation. |
| Department of Labor | The Secretary of Labor should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 24) | At the time of our review, the agency did not provide comments on our recommendation. In May 2025, the Department of Labor (Labor) stated that the CIO will include a formal review of the IT portfolio as part of the semi-annual update process with OMB during the annual budget submission and passback. This process will enable the CIO to assess the state of the IT portfolio and its alignment with organizational priorities and goals. In addition, Labor stated that the CIO will collaborate with OMB, the Deputy Secretary, and the Federal CIO to conduct their annual IT portfolio review, using the semi-annual OMB update process as the platform to facilitate this review. We will continue to monitor the implementation of this recommendation. |
| Department of Labor | The Secretary of Labor should direct the department CIO to work with OMB to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 25) | At the time of our review, the agency did not provide comments on our recommendation. In February 2025, the Department of Labor (Labor) stated that the CIO will meet with the program manager and OMB, in consultation with the Federal CIO, on any major investments that remain high risk for four consecutive quarters. The OCIO will continue to conduct monthly reviews of all investments, communicate results to program managers, and hold meetings with program managers if an investment is rated high risk for more than three consecutive months. These meetings will provide an opportunity to discuss and address concerns surrounding the high-risk status of the investment. This will also allow Labor to identify, diagnose, and attempt to mitigate any high-risk investments before escalation to OMB and the Federal CIO. Finally, Labor's CIO plans to work closely with the program managers to develop action items with due dates to address the root causes and reduce the risk level of the investment. We will continue to monitor the implementation of this recommendation. |
| Department of State | The Secretary of State should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 26) | At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In March 2025, the Department of State (State) stated that this recommendation should be closed, noting that its annual IT portfolio review culminates in a report shared with the Department CIO, who then shares IT portfolio details with the Deputy Secretary and the Federal CIO. However, the Department did not provide evidence, such as emails or meeting minutes, demonstrating that the CIO, Deputy Secretary, and Federal CIO have held an annual IT portfolio review. We will continue to monitor the implementation of this recommendation. |
| Department of State | The Secretary of State should direct the department CIO to work with OMB to ensure that the Federal CIO is consulted in performing high-risk IT investment reviews, as prescribed by FITARA. (Recommendation 27) | At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In March 2025, the Department of State (State) stated that the recommendation should be closed, noting that the Department CIO meets regularly with the Federal CIO and their high-risk IT investments are discussed. However, the Department did not provide evidence, such as emails or meeting minutes, demonstrating that the CIO consulted with the Federal CIO in performing high-risk IT investment reviews. In addition, our review of State's current IT Dashboard data found that historical CIO ratings are missing. All investments were last rated on February 14, 2025 and previous ratings are no longer available, thus making it difficult to determine which of its investments meet FITARA's requirement to hold a TechStat. We will continue to monitor the implementation of this recommendation. |
| Department of State | The Secretary of State should direct the department CIO to work with OMB to ensure that its high-risk IT investment reviews include a root cause analysis of the high level of risk and the probability of future successes (e.g., outcomes), as prescribed by FITARA. (Recommendation 28) | At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In March 2025, the Department of State (State) stated that, effective immediately, all IT Program Reviews will include a root cause analysis with associated documentation and an assessment of the probability of future successes. However, State did not provide evidence, such as meeting minutes or outcomes, demonstrating that the CIO worked with OMB to ensure that high-risk IT investment reviews include this analysis. We will continue to monitor the implementation of this recommendation. |
| Department of the Interior | The Secretary of the Interior should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 29) |
At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In February 2025, the Department of the Interior (Interior) stated that it had updated and issued its annual Information Management and Technology (IMT) Portfolio Management Requirements in January 2025. This document provides guidance to all bureaus and offices on fulfilling CPIC and IMT portfolio management requirements, including investment planning, budgeting, and investment control, as well as requirements for triannual IMT portfolio reviews and quarterly PortfolioStat reporting. While the document provides guidance and requirements for a number of IT portfolio governance mechanisms, it does not require any of these activities to be conducted in conjunction with the Federal CIO and the Deputy Secretary. Further, Interior did not provide evidence, such as meeting attendee lists or meeting minutes, demonstrating that the CIO conducted an annual IT portfolio review with the Deputy Secretary and the Federal CIO. We will continue to monitor the implementation of this recommendation.
|
| Department of the Interior | The Secretary of the Interior should direct the department CIO to ensure that the Federal CIO is consulted in performing high-risk IT investment reviews, as prescribed by FITARA. (Recommendation 30) |
At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In February 2025, the Department of the Interior (Interior) stated that this recommendation should be closed, stating that it held multiple high-risk investment reviews after the cutoff date for our review and has continued to conduct such reviews since the report's issuance. They also noted that their IMT Portfolio Management Requirements state that, regardless of whether a TechStat is internal or OMB-facing, the OCIO will consult with Interior's OMB desk officer and share details regarding the TechStat status; however, its guidance does not specify consultation with the Federal CIO. Interior also provided action item documents from TechStats held in October and December 2024 and January 2025, which included attendance information and addressed each investment's risks, proposed activities, and remediation timelines. While there was evidence of OMB's participation, Interior did not demonstrate the involvement or consultation with the Federal CIO. We will continue to monitor the implementation of this recommendation.
|
| Department of the Interior | The Secretary of the Interior should direct the department CIO to ensure that its high-risk IT investment reviews document the extent to which these causes can be addressed (e.g., action items with due dates), as prescribed by FITARA. (Recommendation 31) |
At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. As of February 2025, the Department of the Interior (Interior) had provided evidence that it fully implemented this recommendation. Specifically, Interior's Office of the Chief Information Officer (OCIO) improved its process for conducting high-risk IT investment reviews by requiring all action items to include due dates that are tracked through completion or closeout. For example, Interior's Annual IMT Portfolio Management Guidance now requires high-risk reviews to document action items and due dates as part of their standard procedure. Furthermore, Interior provided action item documents from TechStats held in October and December 2024 and January 2025. These documents included proposed activities, assignments, status updates, and due dates. Interior also provided updates on two TechStats that included action items with planned completion dates, which are being tracked with the goal of improving their risk ratings, so they no longer require a TechStat session. Ensuring that its high-risk IT investment reviews document required elements will allow Interior to realize the benefits of implementing FITARA, including getting ahead of critical problems in an investment, turning around underperforming investments, or terminating investments, if appropriate.
|
| Department of the Treasury | The Secretary of the Treasury should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 32) |
The department neither agreed nor disagreed with the recommendation. As of September 2025, the department has not provided an update. We will continue to monitor the implementation of this recommendation.
|
| Department of Transportation | The Secretary of Transportation should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 33) |
The department had no comments on the report or its recommendations. In May 2025, the Department of Transportation stated that it partially concurred with the recommendation, though the agency did not say which part of the recommendation it did not agree with. In particular, it stated that it will continue to comply with OMB's budget and reporting processes to review agency IT portfolios, programs, and risks. The department stated it has already begun efforts to address agency IT spending and outcomes through multiple initiatives, but remaining department-specific actions are expected to be completed by September 30, 2026. We will continue to monitor the implementation of this recommendation.
|
| Department of Veterans Affairs | The Secretary of Veterans Affairs should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 34) |
The department agreed with the recommendation. In May 2025, the Department of Veterans Affairs (VA) stated its Chief Information Officer or designee will continue to provide annual information technology reviews to OMB in fiscal year 2025. In addition, VA's Office of Information and Technology (OIT) will continue the established cadence of joint OIT and OMB monthly budget update and program review engagements. We will continue to monitor the implementation of this recommendation.
|
| Environmental Protection Agency | The Administrator of the Environmental Protection Agency should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 35) |
At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In May 2025, the Environmental Protection Agency (EPA) provided a response to GAO's recommendation in which it agreed with the recommendation. The agency stated that it conducts annual IT portfolio reviews internally through governance processes, working with all major programs and regions. In addition, the EPA obtains annual approval of its IT portfolio through its CIO-Senior Advisory Council. The agency also stated that once the OMB provides updated annual review guidance, the EPA will assess the guidance to ensure the agency is compliant. We will continue to monitor the implementation of this recommendation.
|
| General Services Administration | The Administrator of the General Services Administration should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO, as prescribed by FITARA. (Recommendation 36) |
At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In January 2025, the General Services Administration (GSA) provided a response to GAO's recommendation in which it agreed with the recommendation. In addition, the agency stated that it has a plan to address it. Specifically, the agency plans to add language to the Capital Planning and Investment Control Annual Budget Submission Playbook detailing the process for review of the IT investments with the Federal CIO. We will continue to monitor the implementation of this recommendation.
|
| National Aeronautics and Space Administration | The Administrator of the National Aeronautics and Space Administration should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 37) |
The agency agreed with our recommendations. In April 2025, the National Aeronautics and Space Administration (NASA) provided its plan of action to address the recommendation, which includes updating and implementing the agency's IT portfolio review process to better reflect FITARA compliance. The agency anticipates completing this by December 31, 2025. We will continue to monitor the implementation of this recommendation.
|
| National Science Foundation | The Director of the National Science Foundation should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 38) |
At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In May 2025, the National Science Foundation (NSF) provided a response in which it agreed with GAO's recommendation. The agency stated that it plans to direct the agency CIO to work with the assigned OMB Desk Officer to ensure annual reviews of the NSF IT portfolio, and also in conjunction with the Federal CIO and CIO or Deputy Secretary as mandated in FITARA. The agency plans to address this by December 2025. We will continue to monitor the implementation of this recommendation.
|
| Nuclear Regulatory Commission | The Chairman of the Nuclear Regulatory Commission should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 39) |
At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In March 2025, the Nuclear Regulatory Commission (NRC) stated that it is committed to ensuring that annual reviews of the agency IT portfolio are conducted in conjunction with the Federal CIO and the Executive Director for Operations (this agency's equivalent of the Chief Operating Officer or Deputy Secretary). The NRC staff has reached out to connect with the Federal CIO through OMB and looks forward to identifying next steps. We will continue to monitor the implementation of this recommendation.
|
| Office of Personnel Management | The Director of the Office of Personnel Management should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO, as prescribed by FITARA. (Recommendation 40) |
At the time of our review, the agency provided comments too late to be included in the report but agreed with the recommendations. In May 2025, the Office of Personnel Management (OPM) stated that the OCIO recently submitted the draft of the OPM IT Portfolio Management policy for clearance. The policy is intended to indicate that the CIO will perform an annual IT portfolio review including representatives from the Office of the Director (OD) and OMB in conjunction with OPM's annual budget request submission to ensure consideration of the best mix of proposed and continuing IT investments during the formulation of OPM's budget request. The OCIO will schedule an annual IT portfolio review in preparation for the Budget Year (BY) 2027 IT submission. We will continue to monitor the implementation of this recommendation.
|
| Office of Personnel Management | The Director of the Office of Personnel Management should direct its agency CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 41) |
At the time of our review, the agency provided comments too late to be included in the report but agreed with the recommendations. In May 2025, the Office of Personnel Management (OPM) stated that it continues to review major IT investments' cost, schedule, performance, and cybersecurity risks per FITARA's requirements. The OCIO is revising the CIO Risk Rating evaluation criteria to enhance OMB's requirements. The revised criteria will consider evidence-based input from IT investment owners and managers to enhance the risk assessment of the IT investment's ability to accomplish the goals of the investment. We will continue to monitor the implementation of this recommendation.
|
| Small Business Administration | The Administrator of the Small Business Administration should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 42) |
The agency stated that it had no comments on the report or the recommendations. In May 2025, the Small Business Administration (SBA) stated that SBA OCIO conducts annual reviews for all major IT investments with the Chief Information Officer and Chief Financial Officer. SBA established the Business Technology Investment Council (BTIC) to serve as the principal governance body in managing IT investments and is responsible for implementing key provisions as stated in FITARA. We will continue to monitor the implementation of this recommendation.
|
| Small Business Administration | The Administrator of the Small Business Administration should direct its agency CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 43) |
The agency stated that it had no comments on the report or the recommendations. In May 2025, the Small Business Administration (SBA) provided a response to GAO's recommendation. The agency stated that if a TechStat is performed, OCIO reports outcomes and outputs of all TechStat sessions quarterly to include root cause analysis of performance issues and corrective action plans which address these causes, and a timeline for implementing corrective action plans. We will continue to monitor the implementation of this recommendation.
|
| Social Security Administration | The Commissioner of the Social Security Administration should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 44) |
At the time of our review, the agency deferred to OMB to provide a response on behalf of the agency. In May 2025, the Social Security Administration provided a response to GAO's recommendation in which it stated that it disagrees with the recommendation. The response stated that OMB's guidance, M-15-14, does not specifically require the agency Chief Operating Officer or equivalent and the Federal Chief Information Officer to be in attendance. While that may be true, FITARA, the law on which this review was based, does require the aforementioned individuals to attend the annual portfolio review. We will continue to monitor the implementation of this recommendation.
|
| U.S. Agency for International Development | The Administrator of the U.S. Agency for International Development should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 45) |
The agency agreed with the recommendation. In December 2024, the United States Agency for International Development (USAID) provided a response to GAO's recommendation. The agency requested that the recommendation be closed. While USAID has taken steps toward addressing the recommendation, the evidence provided does not demonstrate the actions needed to close the recommendation. Specifically, USAID provided updated guidance for the agency's annual IT portfolio review meetings. However, it did not provide documentation demonstrating it held a portfolio review meeting as required by FITARA. If USAID is able to demonstrate it is following its guidance, we will be able to close the recommendation. We will continue to monitor the implementation of this recommendation.
|
| U.S. Agency for International Development | The Administrator of the U.S. Agency for International Development should direct its agency CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 46) |
In December 2024, the United States Agency for International Development (USAID) provided a response to GAO's recommendation. The agency requested that the recommendation be closed. While USAID has taken steps toward addressing the recommendation, the evidence provided does not demonstrate the actions needed to close the recommendation. Specifically, USAID provided updated guidance for the agency's High-Risk IT Investment reviews. However, it did not provide documentation demonstrating it held a High-Risk IT investment review meeting as required by FITARA. If USAID is able to demonstrate it is following its guidance, we will be able to close the recommendation. We will continue to monitor the implementation of this recommendation.
|