What GAO found
Since November 2015, the scorecard issued by the subcommittee has become an effective monitoring tool for the watchdog to enforce various statutory IT provisions and address other key IT issues. The selected provisions come from laws such as the Federal Information Technology Acquisition Reform Act (commonly known as FITARA) and the Federal Information Security Modernization Act of 2014. The scorecard assigns each covered agency a letter grade (ie A, B, C, D or F) based on components derived from statutory requirements and other IT-related topics.
As of December 2022, fifteen scorecards have been published (see figure).
Scorecard release schedule with associated components
The subcommittee-assigned grades have shown a steady increase, as indicated by the removal (or sunset) of components. For example, during 2020 and 2021, all 24 institutions received an A grade for software licensing and data center optimization, so those components were removed.
Despite improvements in using scorecards, the federal government continues to struggle with acquiring, developing, managing, and protecting its IT investments. It is critical that Congress continue to hold agencies accountable for enforcing statutory provisions and addressing long-standing weaknesses. It also remains important to evolve the components of the scorecard to accommodate changes in the federal landscape.
To this end, GAO provided the subcommittee with input on additional measures that could be added, including topics related to modernizing IT legacy systems and customer experience. GAO also provided input on ways to strengthen the cybersecurity component.
Considering ways to improve the scorecard components is critical to improving the ability of congressional oversight agencies to enforce statutory IT mandates and address other critical IT topics. Agency focus on implementing GAO recommendations also helps provide needed improvements.
Why GAO is doing this study
Federal IT systems provide essential services critical to the nation’s health, economy, and defense. For FY 2023, the federal government plans to spend more than $122 billion on IT investments.
However, many of these investments have suffered due to mismanagement. Additionally, recent high-profile cyber incidents demonstrate the urgency of addressing cybersecurity weaknesses.
GAO recognized early on the importance of addressing these difficulties by including IT acquisition and operations management and national cybersecurity as areas on its high-risk list.
To improve IT governance, Congress and the President enacted FITARA in December 2014. FITARA applies to the 24 agencies that are subject to the Chief Financial Officer Act 1990, but has limited applicability to the Ministry of Defense.
GAO was asked to provide an overview of the scorecard issued by this subcommittee and the importance of the evolving components. For this testimony, GAO relied on its previously published products.
Since 2010, GAO has made approximately 5,400 recommendations to improve IT governance and cybersecurity. As of December 2022, federal agencies have fully implemented about 76 percent of them. However, many key recommendations have yet to be implemented—nearly 300 on IT management and more than 700 on network security.
For more information, please contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov or Jennifer R. Franks at (404) 679-1831 or franksj@gao.gov.