January 27, 2022


Information Technology and Cybersecurity: Significant Attention Is Needed to Address High-Risk Areas


What GAO Found

In its March 2021 high-risk series update, GAO reported that significant attention was needed to improve the federal government’s management of information technology (IT) acquisitions and operations, and ensure the nation’s cybersecurity. Regarding management of IT, overall progress in addressing this area has remained unchanged. Since 2019, GAO has emphasized that the Office of Management and Budget (OMB) and covered federal agencies need to continue to fully implement critical requirements of federal IT acquisition reform legislation, known as the Federal Information Technology Acquisition Reform Act (FITARA), to better manage tens of billions of dollars in IT investments. For example:

  • OMB continued to demonstrate leadership commitment by issuing guidance to implement FITARA statutory provisions, but sustained leadership and expanded capacity were needed to improve agencies’ management of IT.
  • Agencies continued to make progress with reporting FITARA milestones and plans to modernize or replace obsolete IT investments, but significant work remained to complete these efforts.
  • Agencies improved the involvement of their agency Chief Information Officers in the acquisition process, but greater cost savings could be achieved if IT acquisition shortcomings, such as reducing duplicative IT contracts, were addressed.

In March 2021, GAO reiterated the need for agencies to address four major cybersecurity challenges facing the nation: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. GAO identified 10 actions for agencies to take to address these challenges. However, since 2019, progress in this area has regressed—GAO’s 2021 rating of leadership commitment declined from met to partially met. To help address the leadership vacuum, in January 2021, Congress enacted a statute establishing the Office of the National Cyber Director. Although the director position has not yet been filled, on April 12 the President announced his intended nominee. Overall, the federal government needs to move with a greater sense of urgency to fully address cybersecurity challenges. In particular:

  • Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. In September 2020, GAO reported that the cyber strategy and implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed.
  • Mitigate global supply chain risks. In December 2020, GAO reported that few of the 23 civilian federal agencies it reviewed implemented foundational practices for managing information and communication technology supply chain risks.
  • Enhance the federal response to cyber incidents. In July 2019, GAO reported that most of 16 selected federal agencies had deficiencies in at least one of the activities associated with incident response processes.

Why GAO Did This Study

The effective management and protection of IT has been a longstanding challenge in the federal government. Each year, the federal government spends more than $100 billion on IT and cyber-related investments; however, many of these investments have failed or performed poorly and often have suffered from ineffective management.

Accordingly, GAO added improving the management of IT acquisitions and operations as a high-risk area in February 2015. Information security has been a high-risk area since 1997. In its March 2021 high-risk update, GAO reported that significant actions were required to address IT acquisitions and operations. Further, GAO noted the urgent need for agencies to take 10 specific actions on four major cybersecurity challenges.

GAO was asked to testify on federal agencies’ efforts to address the management of IT and cybersecurity. For this testimony, GAO relied primarily on its March 2021 high-risk update and selected prior work across IT and cybersecurity topics.
