Information Technology and Cybersecurity: Evolving the Scorecard Remains Important for Monitoring Agencies' Progress
The federal government annually spends more than $100 billion on IT and cyber investments—many of which have been ineffectively managed. Congress passed laws to address these issues, including provisions such as the Federal Information Technology Acquisition Reform Act (FITARA).
We testified that, since 2015, Congress has issued scorecards to monitor agencies' implementation of FITARA and key IT topics. The scorecards have evolved and served as effective oversight tools.
Both IT management and cybersecurity are on our High Risk list. About 76% of the 5,400 recommendations we've made in these areas since 2010 have been implemented.
Planned FY 2023 Federal Spending on Information Technology Investments
What GAO Found
Since November 2015, the scorecards issued by this Subcommittee have served as effective oversight tools for monitoring agencies' implementation of various statutory IT provisions and addressing other key IT issues. The selected provisions are from laws such as the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA) and the Federal Information Security Modernization Act of 2014. The scorecards have assigned each covered agency a letter grade (i.e., A, B, C, D, or F) based on components derived from statutory requirements and additional IT-related topics.
As of December 2022, fifteen scorecards had been released (see figure).
Scorecards Release Timeline with Associated Components
The Subcommittee-assigned grades have shown steady improvement as demonstrated by the removal (or sunset) of components. For example, during 2020 and 2021, all 24 agencies received A grades for software licensing and data center optimization, resulting in removal of these components.
Notwithstanding the improvements made by using the scorecard, the federal government's difficulties acquiring, developing, managing, and securing its IT investments persist. Continued oversight by Congress to hold agencies accountable for implementing statutory provisions and addressing longstanding weaknesses is essential. Evolving the components of the scorecard to adapt to changes in the federal landscape also remains important.
Toward this end, GAO provided input to this Subcommittee regarding additional measures that could be added, including topics related to IT legacy system modernization and customer experience. GAO also provided input on ways to enhance the cybersecurity component.
Considering ways to evolve scorecard components is critical to increasing Congress' ability to monitor agencies' implementation of statutory IT provisions and address other key IT topics. Agency attention to implementing GAO recommendations can also be instrumental in delivering needed improvements.
Why GAO Did This Study
Federal IT systems provide essential services that are critical to the health, economy, and defense of the nation. For fiscal year 2023, the federal government plans to spend over $122 billion on IT investments.
However, many of these investments have suffered from ineffective management. Further, recent high profile cyber incidents have demonstrated the urgency of addressing cybersecurity weaknesses.
GAO has long recognized the importance of addressing these difficulties by including the management of IT acquisitions and operations as well as the cybersecurity of the nation as areas on its high-risk list.
To improve the management of IT, Congress and the President enacted FITARA in December 2014. FITARA applies to the 24 agencies subject to the Chief Financial Officers Act of 1990, although with limited applicability to the Department of Defense.
GAO was asked to provide an overview of the scorecards released by this Subcommittee and the importance of evolving the components. For this testimony, GAO relied on its previously issued products.
Since 2010, GAO has made approximately 5,400 recommendations to improve IT management and cybersecurity. As of December 2022, federal agencies have fully implemented about 76 percent of these. However, many critical recommendations have not been implemented—nearly 300 on IT management and more than 700 on cybersecurity.
For more information, contact Carol C. Harris at (202) 512-4456 or firstname.lastname@example.org or Jennifer R. Franks at (404) 679-1831 or email@example.com.