Information Technology and Cybersecurity: Using Scorecards to Monitor Agencies’ Implementation of Statutory Requirements

What GAO Found

Since November 2015, this Subcommittee has issued scorecards as an oversight tool to monitor agencies’ progress in implementing various statutory IT provisions and addressing other key IT issues. The selected provisions are from laws such as the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA), the Making Electronic Government Accountable by Yielding Tangible Efficiencies Act of 2016, the Modernizing Government Technology Act, and the Federal Information Security Modernization Act of 2014. The scorecards have assigned each covered agency a letter grade (i.e., A, B, C, D, or F) based on components derived from statutory requirements and additional IT-related topics. As of July 2022, fourteen scorecards had been released (see figure).

Scorecards Release Timeline with Associated Components

As reflected above, additional important components were added over time. Initial components were specific to FITARA provisions related to incremental development, risk management, cost savings, and data centers. The scorecards then evolved to include additional statutory provisions and related IT topics, such as telecommunications.

The Subcommittee-assigned grades have shown steady improvement and resulted in the scorecards serving as effective oversight tools. For example, during 2020 and 2021, all 24 agencies received A grades for two components (software licensing and data center optimization initiative), resulting in the removal of those components from the scorecard. Notwithstanding the improvements made through the use of the scorecard, the federal government’s difficulties acquiring, developing, managing, and securing its IT investments remain.

GAO has long recognized the importance of addressing these difficulties by including improving the management of IT acquisitions and operations, as well as ensuring the cybersecurity of the nation, as areas on its high-risk list. Continued oversight by Congress to hold agencies accountable for implementing statutory provisions and addressing longstanding weaknesses is essential. Implementation of outstanding GAO recommendations can also be instrumental in delivering needed improvements.

Why GAO Did This Study

Congress has long recognized that IT systems provide essential services critical to the health, economy, and defense of the nation. In support of these systems, the federal government annually spends more than $100 billion on IT and cyber-related investments.

However, many of these investments have suffered from ineffective management. Further, recent high-profile cyber incidents have demonstrated the urgency of addressing cybersecurity weaknesses.

To improve the management of IT, Congress and the President enacted FITARA in December 2014. FITARA applies to the 24 agencies subject to the Chief Financial Officers Act of 1990, although with limited applicability to the Department of Defense.

GAO was asked to provide an overview of the scorecards released by this Subcommittee. The scorecards have been used for oversight of agencies’ efforts to implement statutory provisions and other IT-related topics. For this testimony, GAO relied on its previously issued products.

Since 2010, GAO has made approximately 5,300 recommendations to improve IT management and cybersecurity. As of June 2022, federal agencies have fully implemented about 77 percent of these. However, many critical recommendations have not been implemented: nearly 300 on IT management and more than 600 on cybersecurity.

For more information, contact Carol C. Harris at (202) 512-4456 or [email protected]