Information Technology and Cybersecurity: Using Scorecards to Monitor Agencies' Implementation of Statutory Requirements
What GAO Found
Since November 2015, this Subcommittee has issued scorecards as an oversight tool to monitor agencies' progress in implementing various statutory IT provisions and addressing other key IT issues. The selected provisions are from laws such as the Federal Information Technology Acquisition Reform Act (commonly known as FITARA), the Making Electronic Government Accountable by Yielding Tangible Efficiencies Act of 2016, the Modernizing Government Technology Act, and the Federal Information Security Modernization Act of 2014. The scorecards have assigned each covered agency a letter grade (i.e., A, B, C, D, or F) based on components derived from statutory requirements and additional IT-related topics. As of July 2022, fourteen scorecards had been released (see figure).
Scorecard Release Timeline with Associated Components
As reflected above, additional important components have been added over time. Initial components were specific to FITARA provisions related to incremental development, risk management, cost savings, and data centers. The scorecards then evolved to include additional statutory provisions and related IT topics, such as telecommunications.
The Subcommittee-assigned grades have shown steady improvement and resulted in the scorecards serving as effective oversight tools. For example, during 2020 and 2021, all 24 agencies received A grades for two components (software licensing and the data center optimization initiative), resulting in the removal of those components from the scorecard. Notwithstanding the improvements made through the use of the scorecard, the federal government's difficulties in acquiring, developing, managing, and securing its IT investments remain.
GAO has long recognized the importance of addressing these difficulties by including both improving the management of IT acquisitions and operations and ensuring the cybersecurity of the nation as areas on its high-risk list. Continued oversight by Congress to hold agencies accountable for implementing statutory provisions and addressing longstanding weaknesses is essential. Implementation of outstanding GAO recommendations would also be instrumental in delivering needed improvements.
Why GAO Did This Study
Congress has long recognized that IT systems provide essential services critical to the health, economy, and defense of the nation. In support of these systems, the federal government annually spends more than $100 billion on IT and cyber-related investments.
However, many of these investments have suffered from ineffective management. Further, recent high-profile cyber incidents have demonstrated the urgency of addressing cybersecurity weaknesses.
To improve the management of IT, Congress and the President enacted FITARA in December 2014. FITARA applies to the 24 agencies subject to the Chief Financial Officers Act of 1990, although with limited applicability to the Department of Defense.
GAO was asked to provide an overview of the scorecards released by this Subcommittee. The scorecards have been used for oversight of agencies' efforts to implement statutory provisions and other IT-related topics. For this testimony, GAO relied on its previously issued products.
Since 2010, GAO has made approximately 5,300 recommendations to improve IT management and cybersecurity. As of June 2022, federal agencies have fully implemented about 77 percent of these. However, many critical recommendations have not been implemented: nearly 300 on IT management and more than 600 on cybersecurity.
For more information, contact Carol C. Harris at (202) 512-4456 or [email protected].