Information Technology and Cybersecurity: Using Scorecards to Monitor Agencies’ Implementation of Statutory Requirements

What GAO Found

Since November 2015, this Subcommittee has issued scorecards as an oversight tool to monitor agencies’ progress in implementing various statutory IT provisions and addressing other key IT issues. The selected provisions are from laws such as the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA), the Making Electronic Government Accountable by Yielding Tangible Efficiencies Act of 2016, the Modernizing Government Technology Act, and the Federal Information Security Modernization Act of 2014. The scorecards have assigned each covered agency a letter grade (i.e., A, B, C, D, or F) based on components derived from statutory requirements and additional IT-related topics. As of July 2022, fourteen scorecards had been released (see figure).

Figure: Scorecard Release Timeline with Associated Components

As reflected above, additional key components have been added over time. Initial components were specific to FITARA provisions related to incremental development, risk management, cost savings, and data centers. The scorecards then evolved to include additional statutory provisions and related IT topics, such as telecommunications.

The Subcommittee-assigned grades have shown steady improvement and resulted in the scorecards serving as effective oversight tools. For example, during 2020 and 2021, all 24 agencies received A grades for two components (software licensing and the data center optimization initiative), resulting in the removal of these components from the scorecard. Notwithstanding the improvements made through the use of the scorecard, the federal government’s challenges in acquiring, developing, managing, and securing its IT investments remain.

GAO has long recognized the importance of addressing these challenges by including improving the management of IT acquisitions and operations, as well as ensuring the cybersecurity of the nation, as areas on its high-risk list. Continued oversight by Congress to hold agencies accountable for implementing statutory provisions and addressing longstanding weaknesses is essential. Implementation of outstanding GAO recommendations can also be instrumental in providing needed improvements.

Why GAO Did This Study

Congress has long recognized that IT systems provide essential services critical to the health, economy, and defense of the nation. In support of these systems, the federal government annually spends more than $100 billion on IT and cyber-related investments.

However, many of these investments have suffered from ineffective management. Further, recent high-profile cyber incidents have demonstrated the urgency of addressing cybersecurity weaknesses.

To improve the management of IT, Congress and the President enacted FITARA in December 2014. FITARA applies to the 24 agencies subject to the Chief Financial Officers Act of 1990, although with limited applicability to the Department of Defense.

GAO was asked to provide an overview of the scorecards released by this Subcommittee. The scorecards have been used for oversight of agencies’ efforts to implement statutory provisions and other IT-related topics. For this testimony, GAO relied on its previously issued products.

Since 2010, GAO has made about 5,300 recommendations to improve IT management and cybersecurity. As of June 2022, federal agencies have fully implemented about 77 percent of these. However, many critical recommendations have not been implemented: nearly 300 on IT management and more than 600 on cybersecurity.

For more information, contact Carol C. Harris at (202) 512-4456 or [email protected]