Information Technology

Open Recommendations

Information Technology: Government-Wide Guidance on Handling Data Could Improve Civil Rights and Civil Liberties Protections

GAO-25-106057
Nov 19, 2024
1 Open Recommendations
Agency Affected Recommendation Status
Congress To assist federal agencies with consistently implementing civil rights and civil liberties protections when collecting, sharing, and using data, we suggest that Congress direct an appropriate federal entity to issue government-wide guidance or regulations addressing this matter. In its direction, Congress should consider delegating to such entity the explicit authority to make needed technical and policy choices or explicitly stating Congress's own choices.
Open
As of February 2025, legislative action has not yet occurred to address this matter.

IT Portfolio Management: OMB and Agencies Are Not Fully Addressing Selected Statutory Requirements

GAO-25-107041
Nov 14, 2024
46 Open Recommendations
Agency Affected Recommendation Status
Office of Management and Budget The Director of OMB should update existing guidance or issue new guidance to agencies to implement a process to assist agencies in reviewing their IT portfolios that includes the requirements provided in FITARA. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should develop standardized performance metrics for agencies to implement the IT portfolio review process, as prescribed by FITARA. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should ensure that the Federal CIO carries out its role in annually reviewing each agency's IT portfolio that is conducted by each agency's CIO in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) and the Federal CIO, as prescribed by FITARA. (Recommendation 3)
Open
OMB did not explicitly agree or disagree with this recommendation. It stated that it had adopted an alternative process to meet this requirement due to budget constraints and increased workload. Specifically, OMB stated that it had integrated IT portfolio reviews into the budget and reporting processes. However, as we discussed in the report, these interactions did not fully meet the statutory requirements. In October 2024, OMB stated that it would continue to assess potential adjustments to the annual IT portfolio review process and evaluate our recommendations on how to further strengthen these reviews. As of March 2025, OMB did not have an update on the status of this recommendation.
Office of Management and Budget The Director of OMB should direct the Federal CIO to submit a quarterly report to the FITARA-identified committees in Congress on the cost savings and reductions in duplicative IT investments identified through the IT portfolio review process, as prescribed by FITARA. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should direct the Federal CIO to ensure that the agency cost savings on the IT Dashboard that are being used to fulfill statutory requirements to report to Congress are accurate and correctly attributed to IT portfolio review. (Recommendation 5)
Open
The agency did not agree or disagree with this recommendation. At the time of our report, OMB stated that it is the agencies' responsibility to ensure that the data submitted to the IT Dashboard are accurate and noted that the office does not have the resources to verify all the data entered by agencies. As of March 2025, OMB did not have an update on the status of this recommendation.
Office of Management and Budget The Director of OMB should submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by agencies for information systems and how the benefits relate to the accomplishment of the goals of the agencies, as prescribed by FITARA. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cloud Computing: Selected Agencies Need to Implement Updated Guidance for Managing Restrictive Licenses

GAO-25-107114
Nov 13, 2024
12 Open Recommendations
Agency Affected Recommendation Status
Department of Justice The Attorney General should update and implement Department of Justice guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 1)
Open
We will update the status of this recommendation when DOJ provides its 180-day letter (expected May 2025).
Department of Justice The Attorney General should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 2)
Open
We will update the status of this recommendation when DOJ provides its 180-day letter (expected May 2025).
Department of Transportation The Secretary of Transportation should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 3)
Open
We will update the status of this recommendation when DOT provides its 180-day letter (expected May 2025).
Department of Transportation The Secretary of Transportation should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 4)
Open
We will update the status of this recommendation when DOT provides its 180-day letter (expected May 2025).
Department of Veterans Affairs The Secretary of Veterans Affairs should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 5)
Open
We will update the status of this recommendation when VA provides its 180-day letter (expected May 2025).
Department of Veterans Affairs The Secretary of Veterans Affairs should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 6)
Open
We will update the status of this recommendation when VA provides its 180-day letter (expected May 2025).

IT Modernization: SBA Urgently Needs to Address Risks on Newly Deployed System

GAO-25-106963
Nov 13, 2024
14 Open Recommendations
3 Priority
Agency Affected Recommendation Status
Small Business Administration
Priority Rec.
The Administrator of SBA should direct the Associate Administrator of SBA's Office of Government Contracting and Business Development to expeditiously address critical UCP project risk management issues, including developing a project risk management strategy and risk mitigation plan. (Recommendation 1)
Open
SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA noted that it intends to document a UCP project-level risk management strategy and risk management plan; expand the risk register to ensure risks are appropriately categorized, prioritized, and evaluated; and determine appropriate mitigation strategies for the risks. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To fully implement this recommendation, SBA would need to document a risk management strategy and risk mitigation plan that specifies key details, such as responsible parties and required tasks, resources, and timelines. Without such a strategy and plan, SBA will be unable to quickly or effectively address risks as it simultaneously operates the system and develops its more complex functionality.
Small Business Administration
Priority Rec.
The Administrator of SBA should direct the Associate Administrator of SBA's Office of Government Contracting and Business Development to expeditiously address critical UCP project cybersecurity issues, including developing a plan for managing project cybersecurity risks and documenting a traceability analysis for project security requirements. (Recommendation 2)
Open
SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA outlined its planned process for assessing UCP security through testing and addressing critical findings. SBA also planned to document traceability between security requirements and how the system satisfies the requirements. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To fully implement this recommendation, SBA would need to document a plan for managing UCP project cybersecurity risks and document traceability between the security requirements and how UCP satisfies the requirements. Without such a plan and traceability, SBA faces an increased risk of operating an insecure system and likely will be unprepared to address the impacts of a cybersecurity incident.
Small Business Administration
Priority Rec.
The Administrator of SBA should direct the Chief Information Officer to consider the probability and impact of accepted UCP deployment risks if deciding to issue a final authorization to operate for the system. (Recommendation 3)
Open
SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA outlined its procedures for approving an authorization to operate for IT systems and agreed that additional security measures would enhance the deployment risk assessment and validation for the UCP system. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To implement this recommendation, SBA would need to document that it had fully considered the impact of deployment risks when authorizing the system. Establishing such procedures would help SBA better ensure that such risks do not affect small business certification services.
Small Business Administration The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that risk registers or equivalent risk documentation explicitly state risk sources for IT modernization projects. (Recommendation 4)
Open
We will update the status of this recommendation when SBA provides its 180-day letter (expected in summer 2025).
Small Business Administration The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that parameters to categorize or analyze risks are clearly defined at the project level for IT modernization projects. (Recommendation 5)
Open
We will update the status of this recommendation when SBA provides its 180-day letter (expected in summer 2025).
Small Business Administration The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that project risk management strategies are established and maintained for IT modernization projects. (Recommendation 6)
Open
We will update the status of this recommendation when SBA provides its 180-day letter (expected in summer 2025).