GAO High Risk list calls out cybersecurity

Information technology efforts directly account for three of 29 areas of federal agency undertakings designated by the Government Accountability Office as "high risk."

The GAO updates the list biennially near the start of every new Congress; for this round, released Feb. 16, it removed Defense Department processing of personnel security clearances and Census Bureau management of the 2010 decennial census. But it added one new area of concern: the Interior Department's management of federal oil and gas resources.

As for the three IT efforts, all of them are issues of long standing. Namely:

  • DoD business system modernization (on the list since 1995);
  • Internal Revenue Service tax processing system modernization (a return item also since 1995); and,
  • protection of the government's information system and the nation's cyber critical infrastructures (the GAO treats this as one high risk area; information systems have been on the list since 1997, while cyber critical infrastructure was added in 2003).

When it comes to agency information systems security, the GAO notes that "serious and widespread information security control deficiencies" were a governmentwide material weakness in the watchdog agency's audit of fiscal 2010 federal financial statements. Agencies have yet to implement key elements of agencywide cybersecurity programs, the GAO adds, repeating a refrain that's a near constant in any GAO cybersecurity report.

The GAO also faults the government for lacking a comprehensive national strategy for "global cybersecurity and governance" and a prioritized agenda for funding federal research and development into improving cybersecurity.

Meanwhile, DoD difficulties with modernizing its estimated 2,300 business systems persist despite some progress, the GAO high risk list states. The pace of recent improvements has slowed and the massive enterprise resource planning systems the Pentagon and the military services want to replace have experienced cost overruns ranging from $530 million to $2.4 billion and schedule delays ranging from two to 12 years, the GAO adds.

The GAO says that a federated architecture encompassing component modernization plans would help the DoD manage its ERP projects better.

As for the IRS, with its multi-decade quest to replace its Kennedy-era magnetic tape Master File system holding the data of U.S. taxpayers with a relational database, the GAO says the tax agency should further define its strategy for managing individual taxpayer accounts after a current technology phase concludes in January 2014.

Not strictly an information technology problem, but nonetheless of related interest, is the GAO's continued inclusion of terrorism-related information sharing. The GAO first identified information sharing as a high risk area in 2005, and has since monitored federal efforts to resolve that problem through creation of an Information Sharing Environment.

That ISE is still not fully functioning, the GAO says, faulting the ISE program manager for not having a "comprehensive corrective action plan" that would remove barriers to information sharing.

The program manager and agencies "have not yet defined their vision of how the Environment should fully function and what results it should achieve; determined the next set of information sharing initiatives beyond the initial framework that must be implemented; and ensured that agencies have fully inventoried what information they own that could have a possible link to terrorism and determined share it within the Environment," the GAO says.

For more:
- download the 2011 GAO high risk update (.pdf)
