Federal agencies that spend the most on steady state information technology systems generally don't conduct annual oversight analyses on them as required by the Office of Management and Budget, says the Government Accountability Office.
In a report (.pdf) dated Oct. 16 but not posted online until Nov. 15, auditors say the Defense Department in particular has never publicly assigned to IT projects a rating greater than "medium risk," eschewing an evaluation of "high risk" or even "moderately high risk." The Office of Management and Budget requires agency CIOs to assign risk scores for publication on the IT Dashboard--which the GAO has several times noted has been beset by other inaccuracies.
Dozens of cost-cutting projects at the Environmental Protection Agency could have had a greater impact if the agency's central administrative office treated them as more than just ideas, the EPA office of inspector general says. In September 2009, at the request of the EPA's Office of Administration and Resources Management, or OARM, 11 program and 10 regional offices within the agency came up with 72 projects to cut costs.
The Office of Management and Budget says it has caused $2.5 billion of savings and cost avoidances over a 3-year period through an oversight mechanism dubbed PortfolioStat.
The Office of Management and Budget has "ample legal authority to adopt reforms," say authors of the report (.pdf)--who include former OMB executives, including Karen Evans who occupied the equivalent position of federal chief information officer during much of the Bush administration and cybersecurity experts including James Andrew Lewis of CSIS.
The Defense Department is increasing its oversight of conference spending and heightening the seniority of those involved in the approval process as federal conference-related costs come under greater scrutiny. Under the new guidelines, the secretary and deputy secretary of defense "are accountable for all of the Department's conference related activities."
The Office of Management and Budget says agencies no longer need to conduct a security reauthorization every 3 years or when an information system has undergone what it considers a significant change under OMB Circular A-130. Agencies' continuous monitoring programs fulfill the security reauthorization requirement, making a separate reauthorization process unnecessary, according to an Oct. 2 OMB memo.
Agencies are accustomed to the waterfall process, said Tim McCrosson, a senior policy analyst within the Office of Management and Budget office of e-government and information technology. He spoke during an event put on by AFCEA-Bethesda in Rockville, Md. "Those customers have to be taught that we're not shooting for perfection with this first product," he said.
Almost all agencies have established goals for their enterprise architecture, but executing on those goals is another challenge entirely, according to a Government Accountability Office report (.pdf) published Sept. 26. All 27 agencies reviewed in the report have fully or partially defined goals, but only 11 have fully or partially established metrics for assessing their architectures and only five have fully or partially measured outcomes and benefits, say report authors.
One of the primary reasons human capital remains on the Government Accountability Office's "high risk list" is the shortage of workers with specific critical skills, such as network analysis, computer forensics, acquisition and foreign language capabilities, said Gene Dodaro, comptroller general at GAO. "There's a real need to understand the root causes of the skill gaps," Dodaro told a Senate subcommittee.