Significant Attention Is Needed to Address High-Risk Areas

What GAO Found

In its March 2021 high-risk series update, GAO reported that significant attention was needed to improve the federal government’s management of information technology (IT) acquisitions and operations, and ensure the nation’s cybersecurity. Regarding management of IT, overall progress in addressing this area has remained unchanged. Since 2019, GAO has emphasized that the Office of Management and Budget (OMB) and covered federal agencies need to continue to fully implement critical requirements of federal IT acquisition reform legislation, known as the Federal Information Technology Acquisition Reform Act (FITARA), to better manage tens of billions of dollars in IT investments. For example:

  • OMB continued to demonstrate leadership commitment by issuing guidance to implement FITARA statutory provisions, but sustained leadership and expanded capacity were needed to improve agencies’ management of IT.
  • Agencies continued to make progress with reporting FITARA milestones and plans to modernize or replace obsolete IT investments, but significant work remained to complete these efforts.
  • Agencies improved the involvement of their agency Chief Information Officers in the acquisition process, but greater cost savings could be achieved if IT acquisition shortcomings, such as reducing duplicative IT contracts, were addressed.

In March 2021, GAO reiterated the need for agencies to address 4 major cybersecurity challenges facing the nation: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. GAO identified 10 actions for agencies to take to address these challenges. However, since 2019, progress in this area has regressed—GAO’s 2021 rating of leadership commitment declined from met to partially met. To help address the leadership vacuum, in January 2021, Congress enacted a statute establishing the Office of the National Cyber Director. Although the director position has not yet been filled, on April 12 the President announced his intended nominee. Overall, the federal government needs to move with a greater sense of urgency to fully address cybersecurity challenges. In particular:

  • Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. In September 2020, GAO reported that the cyber strategy and implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed.
  • Mitigate global supply chain risks. In December 2020, GAO reported that few of the 23 civilian federal agencies it reviewed implemented foundational practices for managing information and communication technology supply chain risks.
  • Enhance the federal response to cyber incidents. In July 2019, GAO reported that most of 16 selected federal agencies had deficiencies in at least one of the activities associated with incident response processes.

Why GAO Did This Study

The effective management and protection of IT has been a longstanding challenge in the federal government. Each year, the federal government spends more than $100 billion on IT and cyber-related investments; however, many of these investments have failed or performed poorly and often have suffered from ineffective management.

Accordingly, GAO added improving the management of IT acquisitions and operations as a high-risk area in February 2015. Information security has been a high-risk area since 1997. In its March 2021 high-risk update, GAO reported that significant actions were required to address IT acquisitions and operations. Further, GAO noted the urgent need for agencies to take 10 specific actions on 4 major cybersecurity challenges.

GAO was asked to testify on federal agencies’ efforts to address the management of IT and cybersecurity. For this testimony, GAO relied primarily on its March 2021 high-risk update and selected prior work across IT and cybersecurity topics.