Information Technology

Open Recommendations

IT Systems Annual Assessment: DOD Needs to Improve Performance Reporting and Cybersecurity Planning

GAO-25-107649
Jun 12, 2025
1 Open Recommendations
Agency Affected / Recommendation / Status
Department of Defense
The Secretary of Defense should direct the Chief Information Officer and Under Secretary of Defense for Acquisition and Sustainment to ensure that IT business programs identify and report results data on the minimum number of performance metrics in each category, as appropriate, as part of the department's submission to the Federal IT Dashboard. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Information Technology: Government-Wide Guidance on Handling Data Could Improve Civil Rights and Civil Liberties Protections

GAO-25-106057
Nov 19, 2024
1 Open Recommendations
Agency Affected / Recommendation / Status
Congress
To assist federal agencies with consistently implementing civil rights and civil liberties protections when collecting, sharing, and using data, we suggest that Congress direct an appropriate federal entity to issue government-wide guidance or regulations addressing this matter. In its direction, Congress should consider delegating to such entity the explicit authority to make needed technical and policy choices or explicitly stating Congress's own choices.
Open
As of February 2025, legislative action has not yet occurred to address this matter.

IT Portfolio Management: OMB and Agencies Are Not Fully Addressing Selected Statutory Requirements

GAO-25-107041
Nov 14, 2024
46 Open Recommendations
Agency Affected / Recommendation / Status
Department of Housing and Urban Development
The Secretary of Housing and Urban Development should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 21)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of the Treasury
The Secretary of the Treasury should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 32)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture
The Secretary of Agriculture should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 11)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Small Business Administration
The Administrator of the Small Business Administration should direct its agency CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 43)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Housing and Urban Development
The Secretary of Housing and Urban Development should direct the department CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 22)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget
The Director of OMB should update existing guidance or issue new guidance to agencies to implement a process to assist agencies in reviewing their IT portfolios that includes the requirements provided in FITARA. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

IT Modernization: SBA Urgently Needs to Address Risks on Newly Deployed System

GAO-25-106963
Nov 13, 2024
14 Open Recommendations
3 Priority
Agency Affected / Recommendation / Status
Small Business Administration
The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that a traceability analysis is performed and documented for IT modernization projects to show the traceability of the security requirements to the design of the proposed IT system solution. (Recommendation 11)
Open
We will update the status of this recommendation when SBA provides its 180-day letter (expected in summer 2025).
Small Business Administration
Priority Rec.
The Administrator of SBA should direct the Associate Administrator of SBA's Office of Government Contracting and Business Development to expeditiously address critical UCP project risk management issues, including developing a project risk management strategy and risk mitigation plan. (Recommendation 1)
Open
SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA noted that it intends to document a UCP project-level risk management strategy and risk management plan; expand the risk register to ensure risks are appropriately categorized, prioritized, and evaluated; and determine appropriate mitigation strategies for the risks. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To fully implement this recommendation, SBA would need to document a risk management strategy and risk mitigation plan that specifies key details, such as responsible parties and required tasks, resources, and timelines. Without such a strategy and plan, SBA will be unable to quickly or effectively address risks as it simultaneously operates the system and develops its more complex functionality.
Small Business Administration
The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that security-related subject matter experts are involved in the contractor selection process for IT modernization projects. (Recommendation 12)
Open
We will update the status of this recommendation when SBA provides its 180-day letter (expected in summer 2025).
Small Business Administration
Priority Rec.
The Administrator of SBA should direct the Associate Administrator of SBA's Office of Government Contracting and Business Development to expeditiously address critical UCP project cybersecurity issues, including developing a plan for managing project cybersecurity risks and documenting a traceability analysis for project security requirements. (Recommendation 2)
Open
SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA outlined its planned process for assessing UCP security through testing and addressing critical findings. SBA also planned to document traceability between security requirements and how the system satisfies the requirements. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To fully implement this recommendation, SBA would need to document a plan for managing UCP project cybersecurity risks and document traceability between the security requirements and how UCP satisfies the requirements. Without such a plan and traceability, SBA faces an increased risk of operating an insecure system and likely will be unprepared to address the impacts of a cybersecurity incident.
Small Business Administration
The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that integrated master schedules are developed for IT modernization projects using leading practices described in GAO's Schedule Assessment Guide. (Recommendation 13)
Open
SBA agreed with this recommendation. In its October 2024 comments on our draft report, SBA stated that it planned to establish and implement policies and procedures to ensure that integrated master schedules are developed using leading practices described in GAO's Schedule Assessment Guide. However, as of March 2025, the agency had not yet provided documentation that it had established and implemented these policies and procedures. Until SBA implements this recommendation, it faces an increased risk of schedule slippages and increased project costs on its IT modernization projects.
Small Business Administration
Priority Rec.
The Administrator of SBA should direct the Chief Information Officer to consider the probability and impact of accepted UCP deployment risks if deciding to issue a final authorization to operate for the system. (Recommendation 3)
Open
SBA partially agreed with this recommendation. In its October 2024 comments on the draft report, SBA outlined its procedures for approving an authorization to operate for IT systems and agreed that additional security measures would enhance the deployment risk assessment and validation for the UCP system. In February 2025, SBA stated that new senior leaders were being onboarded and briefed on key audit reports and recommendations. SBA also noted that it would provide an official update regarding its progress on this recommendation in May 2025. To implement this recommendation, SBA would need to document that it had fully considered the impact of deployment risks when authorizing the system. Establishing such procedures would help SBA better ensure that such risks do not affect small business certification services.
