Image

Information Technology

Recent Reports

Veterans Affairs: Actions Needed to Address Software License Challenges

Published: May 19, 2025

Publicly Released: May 16, 2025

Mission-Critical Information Technology: Agencies Are Monitoring Selected Acquisitions for Cybersecurity and Privacy Risks

Published: Mar 11, 2025

Publicly Released: Mar 11, 2025

Electronic Health Record Modernization: VA is Making Incremental Improvements, but Much More Remains to Be Done

Published: Feb 24, 2025

Publicly Released: Feb 21, 2025

High-Risk Series: Critical Actions Needed to Urgently Address IT Acquisition and Management Challenges

Published: Jan 23, 2025

Publicly Released: Jan 23, 2025

Artificial Intelligence: DHS Needs to Improve Risk Assessment Guidance for Critical Infrastructure Sectors

Published: Dec 18, 2024

Publicly Released: Dec 18, 2024

Air Traffic Control: Urgent FAA Actions Are Needed to Modernize Aging Systems

Published: Dec 12, 2024

Publicly Released: Dec 12, 2024

View More Reports

Open Recommendations

Information Technology: Government-Wide Guidance on Handling Data Could Improve Civil Rights and Civil Liberties Protections

Show

1 Open Recommendations

Agency Affected	Recommendation	Status
Congress	To assist federal agencies with consistently implementing civil rights and civil liberties protections when collecting, sharing, and using data, we suggest that Congress direct an appropriate federal entity to issue government-wide guidance or regulations addressing this matter. In its direction, Congress should consider delegating to such entity the explicit authority to make needed technical and policy choices or explicitly stating Congress's own choices.	Open As of February 2025, legislative action has not yet occurred to address this matter.

IT Portfolio Management: OMB and Agencies Are Not Fully Addressing Selected Statutory Requirements

Show

46 Open Recommendations

Agency Affected	Recommendation	Status
Office of Management and Budget	The Director of OMB should update existing guidance or issue new guidance to agencies to implement a process to assist agencies in reviewing their IT portfolios that includes the requirements provided in FITARA. (Recommendation 1)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget	The Director of OMB should develop standardized performance metrics for agencies to implement the IT portfolio review process, as prescribed by FITARA. (Recommendation 2)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget	The Director of OMB should ensure that the Federal CIO carries out its role in annually reviewing each agency's IT portfolio that is conducted by each agency's CIO in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) and the Federal CIO, as prescribed by FITARA. (Recommendation 3)	Open OMB did not explicitly agree or disagree with this recommendation. It stated that it had adopted an alternative process to meet this requirement due to budget constraints and increased workload. Specifically, OMB stated that it had integrated IT portfolio reviews into the budget and reporting processes. However, as we discussed in the report, these interactions did not fully meet the statutory requirements. In October 2024, OMB stated that it would continue to assess potential adjustments to the annual IT portfolio review process and evaluate our recommendations on how to further strengthen these reviews. As of March 2025, OMB did not have an update on the status of this recommendation.
Office of Management and Budget	The Director of OMB should direct the Federal CIO to submit a quarterly report to the FITARA-identified committees in Congress on the cost savings and reductions in duplicative IT investments identified through the IT portfolio review process, as prescribed by FITARA. (Recommendation 4)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget	The Director of OMB should direct the Federal CIO to ensure that the agency cost savings on the IT Dashboard that are being used to fulfill statutory requirements to report to Congress are accurate and correctly attributed to IT portfolio review. (Recommendation 5)	Open The agency did not agree or disagree with this recommendation. At the time of our report, OMB stated that it is the agencies' responsibility to ensure that the data submitted to the IT Dashboard are accurate and noted that the office does not have the resources to verify all the data entered by agencies. As of March 2025, OMB did not have an update on the status of this recommendation.
Office of Management and Budget	The Director of OMB should submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by agencies for information systems and how the benefits relate to the accomplishment of the goals of the agencies, as prescribed by FITARA. (Recommendation 6)	Open When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cloud Computing: Selected Agencies Need to Implement Updated Guidance for Managing Restrictive Licenses

Show

12 Open Recommendations

Agency Affected	Recommendation	Status
Department of Justice	The Attorney General should update and implement Department of Justice guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 1)	Open We will update the status of this recommendation when DOJ provides its 180-day letter (expected May 2025).
Department of Justice	The Attorney General should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 2)	Open We will update the status of this recommendation when DOJ provides its 180-day letter (expected May 2025).
Department of Transportation	The Secretary of Transportation should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 3)	Open We will update the status of this recommendation when DOT provides its 180-day letter (expected May 2025).
Department of Transportation	The Secretary of Transportation should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 4)	Open We will update the status of this recommendation when DOT provides its 180-day letter (expected May 2025).
Department of Veterans Affairs	The Secretary of Veterans Affairs should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 5)	Open We will update the status of this recommendation when VA provides its 180-day letter (expected May 2025).
Department of Veterans Affairs	The Secretary of Veterans Affairs should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 6)	Open We will update the status of this recommendation when VA provides its 180-day letter (expected May 2025).

IT Modernization: SBA Urgently Needs to Address Risks on Newly Deployed System

Show

14 Open Recommendations

3 Priority

Agency Affected	Recommendation	Status
Small Business Administration	Priority Rec. The Administrator of SBA should direct the Associate Administrator of SBA's Office of Government Contracting and Business Development to expeditiously address critical UCP project risk management issues, including developing a project risk management strategy and risk mitigation plan. (Recommendation 1)	Open SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA noted that it intends to document a UCP project-level risk management strategy and risk management plan; expand the risk register to ensure risks are appropriately categorized, prioritized, and evaluated; and determine appropriate mitigation strategies for the risks. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To fully implement this recommendation, SBA would need to document a risk management strategy and risk mitigation plan that specifies key details, such as responsible parties and required tasks, resources, and timelines. Without such a strategy and plan, SBA will be unable to quickly or effectively address risks as it simultaneously operates the system and develops its more complex functionality.
Small Business Administration	Priority Rec. The Administrator of SBA should direct the Associate Administrator of SBA's Office of Government Contracting and Business Development to expeditiously address critical UCP project cybersecurity issues, including developing a plan for managing project cybersecurity risks and documenting a traceability analysis for project security requirements. (Recommendation 2)	Open SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA outlined its planned process for assessing UCP security through testing and addressing critical findings. SBA also planned to document traceability between security requirements and how the system satisfies the requirements. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To fully implement this recommendation, SBA would need to document a plan for managing UCP project cybersecurity risks and document traceability between the security requirements and how UCP satisfies the requirements. Without such a plan and traceability, SBA faces an increased risk of operating an insecure system and likely will be unprepared to address the impacts of a cybersecurity incident.
Small Business Administration	Priority Rec. The Administrator of SBA should direct the Chief Information Officer to consider the probability and impact of accepted UCP deployment risks if deciding to issue a final authorization to operate for the system. (Recommendation 3)	Open SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA outlined its procedures for approving an authorization to operate for IT systems and agreed that additional security measures would enhance the deployment risk assessment and validation for the UCP system. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To implement this recommendation, SBA would need to document that it had fully considered the impact of deployment risks when authorizing the system. Establishing such procedures would help SBA better ensure that such risks do not affect small business certification services.
Small Business Administration	The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that risk registers or equivalent risk documentation explicitly state risk sources for IT modernization projects. (Recommendation 4)	Open We will update the status of this recommendation when SBA provides its 180-day letter (expected in summer 2025).
Small Business Administration	The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that parameters to categorize or analyze risks are clearly defined at the project level for IT modernization projects. (Recommendation 5)	Open We will update the status of this recommendation when SBA provides its 180-day letter (expected in summer 2025).
Small Business Administration	The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that project risk management strategies are established and maintained for IT modernization projects. (Recommendation 6)	Open We will update the status of this recommendation when SBA provides its 180-day letter (expected in summer 2025).

View More Recommendations

GAO Contacts

Carol C. Harris

Director

Information Technology and Cybersecurity

harriscc@gao.gov

Nick Marinos

Managing Director

Information Technology and Cybersecurity

MarinosN@gao.gov

Jennifer Franks

Director

Information Technology and Cybersecurity

franksj@gao.gov

David (Dave) Hinchman

Director

Information Technology and Cybersecurity

HinchmanD@gao.gov

Marisol Cruz Cain

Director

Information Technology and Cybersecurity

cruzcainm@gao.gov

Sterling Thomas

Chief Scientist

Science, Technology Assessment, and Analytics

thomass2@gao.gov