
Mission-Critical Information Technology: Agencies Are Monitoring Selected Acquisitions for Cybersecurity and Privacy Risks

GAO-25-106908 Published: Mar 11, 2025. Publicly Released: Mar 11, 2025.

Fast Facts

Federal agencies' efforts to acquire IT have often cost more than expected, taken longer, and produced systems that failed to perform. IT acquisitions and management has been on our High Risk List since 2015.

We examined 16 IT acquisition programs critical to agency missions—including national security, public health, and more—and that are expected to cost at least $50 billion. Seven of the programs identified significant risks associated with cybersecurity and information privacy. Overall, these risks are escalating as agencies' IT infrastructure continues to age and threats and vulnerabilities become more complex.


Highlights

What GAO Found

Federal agencies are undertaking IT acquisitions that are essential to their missions. GAO identified 16 of these acquisitions as particularly critical to missions ranging from national security to public health to the economy (see table). GAO has previously reported on many of these acquisitions. As of February 2025, there were 75 open GAO IT- and cybersecurity-related recommendations pertaining to nine of the 16 acquisitions.

Essential Federal Mission-Critical Information Technology Acquisitions

| Agency | Acquisition |
|---|---|
| Department of Defense | Joint Operational Medicine Information Systems |
| Department of Defense | Joint Warfighting Cloud Capability |
| Department of Education | Free Application for Federal Student Aid Processing System |
| Department of Education | Title IV Origination and Disbursement Modernization |
| Department of Health and Human Services | Health Information Technology Electronic Health Records Modernization |
| Department of Homeland Security | Non-Intrusive Inspection-Integration Program |
| Department of Homeland Security | Homeland Advanced Recognition Technology |
| Department of Justice | SENTRY Modernization - Centralized Inmate Case Logistics Operations and Planning System Development |
| Department of State | Consular Systems Modernization |
| Department of Transportation | Voice Communications Systems |
| Department of Transportation | Automatic Dependent Surveillance-Broadcast |
| Department of the Treasury | Individual Master File Modernization |
| Department of the Treasury | Business Master File Modernization |
| Department of Veterans Affairs | Electronic Health Record Modernization |
| Environmental Protection Agency | Integrated Compliance Information System Modernization |
| Small Business Administration | MySBA Platform |

Source: GAO analysis of agency data. | GAO-25-106908

In total, the 16 acquisitions are expected to cost at least $51.7 billion. For example, the Department of Health and Human Services plans to spend approximately $6.2 billion over 10 years on its electronic health records modernization effort.

Agency officials responsible for these IT acquisitions acknowledged facing a variety of risks and challenges. Specifically, 10 of the 16 acquisitions reported that not proceeding with the acquisition would jeopardize the ability of the agency to meet customer or mission needs, improve customer service, or achieve cost savings.

Further, seven acquisitions identified high risks associated with cybersecurity and information privacy. This means that an adverse cybersecurity or privacy incident could have severe or catastrophic effects on the agency, other agencies, or the nation. For example, both Department of Education acquisitions are intended to modernize systems that (1) are critical to providing federal student aid and (2) contain a large repository of personally identifiable information. Overall, cybersecurity and privacy risks are escalating as agencies' IT infrastructures continue to age and threats and vulnerabilities become more difficult to defend against.

Why GAO Did This Study

The acquisition of IT systems has presented challenges to federal agencies. Accordingly, GAO has identified IT acquisitions and management as a high-risk area since 2015.

GAO was asked to identify and report on selected federal IT acquisitions. GAO's objective was to identify essential mission-critical IT acquisitions across the federal government and their key attributes.

To select acquisitions for the review, GAO administered a survey to the 24 agencies covered by the Chief Financial Officers Act of 1990. GAO asked them to identify their top three most important mission-critical IT acquisitions that had ongoing system development activities. From a total of 72 acquisitions identified, GAO selected 16 mission-critical IT acquisitions across 11 agencies to profile in this report.

These 16 acquisitions are key to achieving the various agencies' missions across the federal government. For each of the 16 selected acquisitions, GAO obtained additional information on cost, schedule, risks, workforce, and related information; and interviewed relevant agency officials.

GAO provided a draft of this report to the 11 agencies with IT acquisitions profiled in this report and the Office of Management and Budget. In response, eight agencies provided technical comments, which we incorporated as appropriate. 

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.


GAO Contacts

Carol C. Harris
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs


Topics

Business systems modernization, Cybersecurity, Federal agencies, High-risk issues, Information technology, IT acquisitions, IT management, Systems acquisition, Compliance oversight, Information systems