February 22, 2024

Information Technology and Cybersecurity: Using Scorecards to Monitor Agencies' Implementation of Statutory Requirements

What GAO Found

Since November 2015, this Subcommittee has issued scorecards as an oversight tool to monitor agencies' progress in implementing selected statutory IT provisions and addressing other key IT issues. The selected provisions come from laws such as the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA), the Making Electronic Government Accountable by Yielding Tangible Efficiencies Act of 2016, the Modernizing Government Technology Act, and the Federal Information Security Modernization Act of 2014. The scorecards have assigned each covered agency a letter grade (i.e., A, B, C, D, or F) based on components derived from statutory requirements and additional IT-related topics. As of July 2022, fourteen scorecards had been released (see figure).

Figure: Scorecard Release Timeline with Associated Components

As reflected in the figure, additional key components have been added over time. The initial components were specific to FITARA provisions related to incremental development, risk management, cost savings, and data centers. The scorecards then evolved to include additional statutory provisions and related IT topics, such as telecommunications.

The Subcommittee-assigned grades have shown steady improvement and have made the scorecards an effective oversight tool. For example, during 2020 and 2021, all 24 agencies received A grades for two components (software licensing and the data center optimization initiative), which led to the removal of those components from the scorecard. Notwithstanding the improvements made through use of the scorecard, the federal government's challenges in acquiring, developing, managing, and securing its IT investments remain.

GAO has long recognized the importance of addressing these problems by placing both the management of IT acquisitions and operations and the cybersecurity of the nation on its High-Risk List. Continued oversight by Congress to hold agencies accountable for implementing statutory provisions and addressing longstanding weaknesses is essential. Implementation of outstanding GAO recommendations can also be instrumental in delivering needed improvements.

Why GAO Did This Study

Congress has long recognized that IT systems provide essential services critical to the health, economy, and defense of the nation. In support of these systems, the federal government annually spends more than $100 billion on IT and cyber-related investments.

However, many of these investments have suffered from ineffective management. Further, recent high-profile cyber incidents have demonstrated the urgency of addressing cybersecurity weaknesses.

To improve the management of IT, Congress and the President enacted FITARA in December 2014. FITARA applies to the 24 agencies subject to the Chief Financial Officers Act of 1990, although with limited applicability to the Department of Defense.

GAO was asked to provide an overview of the scorecards released by this Subcommittee. The scorecards have been used to oversee agencies' efforts to implement statutory provisions and address other IT-related topics. For this testimony, GAO relied on its previously issued products.

Since 2010, GAO has made approximately 5,300 recommendations to improve IT management and cybersecurity. As of June 2022, federal agencies had fully implemented about 77 percent of these. However, many critical recommendations have not been implemented: nearly 300 on IT management and more than 600 on cybersecurity.

For more information, contact Carol C. Harris at (202) 512-4456 or [email protected].